In the last few years, blockchain has been one of the most popular buzzwords in the context of data storage and management. Experts often believe that it has the potential to instigate an era of advanced data models completed with high security, traceability and transparency.
However, lately, there has been a heated debate about whether this technology is able to comply with the European Union’s General Data Protection Regulation (GDPR). Various studies have analyzed the relationship between the two to highlight the challenges and possible solutions to overcome them. But before understanding that, let’s take a brief look at some notable characteristics of blockchain technology that possibly impact GDPR compliance.
What are the Main Characteristics of Blockchain?
You might already have an idea about blockchain – a distributed ledger technology (DLT) used to store, manage, and distribute the records kept in it. It can be defined by the following major characteristics:
- Transparency: All the data stored in a blockchain is visible to all the participants in the blockchain.
- Decentralization: There is no central authority having the right over data management and other operations.
- Data Irreversibility: Data cannot be changed or deleted once it is recorded in the database.
- Disintermediation: All the decisions are taken with the mutual consent of all the participants, without a need for a central arbitrator.
If a blockchain is public, anyone can record a transaction from anywhere in the world. Any user can participate in block validation and obtain a copy of the ledger. A permissioned blockchain, on the other hand, is closed and not publicly accessible: only users who have been granted permission can access it.
What Does GDPR Compliance Have to Do with Blockchain?
One of the central features of blockchain is the immutability of data. Simply put, once information is recorded in the blockchain, it cannot be altered or deleted without the consent of all the members of the ledger. The main purpose of this feature is to prevent data tampering. The data can only be shared and accessed by the organizations participating in a particular blockchain network.
However, under the GDPR, every data subject has the right to modify their personal information. This includes the right to request erasure of their personal data at any time, and organizations have to comply.
The problem arises when an organization you are associated with saves your private data on a blockchain network. Since this data is recorded on the ledger, no one can change it, which makes the arrangement non-compliant with the GDPR.
The characteristics of blockchain have a profound impact on individual rights, such as the Right to Personal Data Protection and the Right to Privacy. In such cases, a specific analysis is required to protect the private data of users.
Prominent Areas Associated with GDPR Compliance That Blockchain Must Address
Data breaches have become more prevalent than ever before, and users have become more aware of the risks that come with them. The most common problem with data breaches is the use of private data for commercial purposes.
This is why the GDPR was enacted across the EU to protect the personal data of users. Compliance is compulsory for any organization offering paid or unpaid services to consumers located in the EU.
When it comes to blockchain, there is undoubtedly substantial disagreement between a few of its core features and some provisions of European data protection law. One thing to understand here is that the GDPR does not aim to regulate technologies. It regulates the way organizations use these technologies in the context of personal data.
The primary objectives of blockchain and the GDPR are quite different – the former focuses on creating a decentralized shared database, while the latter is a body of private data protection law. To ensure data privacy, blockchain must address the main areas covered by the GDPR.
1. Rights of EU Data Subjects
The GDPR gives individuals better control over their personal data and establishes a single data protection law across the entire EU. It provides data subjects with:
- Right to rectification
- Right to be forgotten
- Right to data portability
- Right to be informed about a data breach
- Right to consent
- Right to easier access to private data
Having the same private data in different places can make it challenging to enforce all these rights and regulations. In order to overcome this, several blockchain solutions can help.
For instance, with the Know Your Customer (KYC) process, businesses can satisfy the requirement of data portability. It allows consumers to get their private information and reuse it for various purposes across different areas.
Crédit Mutuel Arkéa is one of the banks that has used blockchain in alignment with data protection laws. It developed a functional permissioned blockchain network that holds customer identity information and enables compliance with KYC requirements, giving the bank a complete view of customers' documents across its distributed network.
Similarly, Vchain Tech, a popular blockchain application platform, built a solution for airlines that uses digital identity to share data securely when travelers board connecting flights. With blockchain, airlines can digitally verify passengers' data without exposing it. These examples show how blockchain can be applied in ways that support the rights of data subjects under the GDPR.
2. Security of Processing Data
Article 32 of the GDPR requires data controllers and processors to implement appropriate organizational and technical measures to ensure data security. Generally speaking, this article addresses the risks to data subjects and sets out guidelines crucial for the security of private data: confidentiality, integrity, encryption, pseudonymization, cyber resilience, and the availability of the systems that govern data security.
Blockchain, as a technology, uses cryptography to support transaction confidentiality and provide access controls that prevent unauthorized access. Moreover, since data is decentralized and not stored in one location, the risk of a central honeypot for attackers to target is significantly reduced. Blockchain can also enhance availability by removing single points of failure: even if a node is unavailable, a distributed ledger keeps network operations running and data still accessible.
Although a permissioned blockchain is more secure than a public one, there is still a chance of unauthorized access to the network. Encryption keys, even though they enable end-to-end security, can be lost, stolen, or tampered with. It therefore becomes crucial to verify the identities of the participants in a blockchain. A permissioned blockchain framework such as Hyperledger Fabric can be used for this, mitigating the risk to a large extent.
3. Lawfulness and Consent
The GDPR specifically focuses on consent for processing and sharing personal data. Under its terms, private data may only be processed on a lawful basis, one of which is the consent of the data subject. The difficulty lies in determining whether consent is valid: to be valid, consent must be specific, informed, explicit, and freely given.
This is even more important in industries like healthcare, where different categories of personal data have to be handled. In such cases, blockchain has proved useful for tracking and managing consent among data processors, controllers, and subjects. Several studies have already been conducted on this, and others are underway.
For instance, IBM Watson Health and the FDA signed a research initiative aiming to develop a highly secure, efficient, and scalable system in which data can be exchanged using blockchain. Both organizations are deriving owner-arbitrated data from multiple sources, such as clinical research, electronic health records (EHRs), and health-related data from wearables, mobile devices, and IoT devices.
Since data is kept on an immutable distributed ledger, there will be complete transparency and accountability during the data exchange process. Moreover, since users give permissions when they access an app or device, lawfulness is also served while keeping data security in mind.
4. Compliance Accountability
While processing or controlling users' data, an organization must demonstrate compliance with the GDPR's provisions. Failing that, it must at least document the process that shows its progress towards compliance. This includes data protection assessments, risk management, an enterprise-wide code of conduct, and the implementation of a governance model.
Conventional record-keeping systems were not able to keep information intact, up to date, and easily accessible. As a result, data could not be verified or trusted and often yielded little insight. Businesses using blockchain technology can overcome these challenges by being accountable and proving compliance with their GDPR obligations.
One of the best things about a blockchain network is that it not only keeps track of the existing data but also records every modification ever made to the ledger. In addition, since blockchain relies on a consensus mechanism, changes to data are only possible when the key participants are in sync and reach consensus to make the alteration.
The smart contract capabilities of blockchain technology can also automate the maintenance of millions of records in line with the GDPR. In this way, the characteristics of provenance and consensus help blockchain establish immutability and accountability for compliance.
4 Ways to Ensure Data Security in the Context of Blockchain and GDPR
To ensure data privacy in accordance with GDPR compliance, the most important thing is to consider how private data is stored, managed, and shared in a blockchain network. Some of the key considerations in this context include:
1. Data Access Control
The first requirement for GDPR compliance is preventing unauthorized access to any private data in a blockchain network. Data encryption and protection must be enforced, limiting access to authorized personnel only. Blockchain can also support access control by leveraging cryptographic algorithms, further securing the data held on the ledger.
2. Right to be Forgotten
This is one of the core ideas of the GDPR with respect to data accessibility and protection. Every individual has the right to be forgotten (also known as the right to erasure), that is, to have their private data erased, and all organizations must adhere to it. Simply put, whenever a data subject requests the removal of their personal data from a distributed ledger, it must be deleted. However, the organization should also retain the right to keep data where there is a legal obligation to do so.
3. Minimization of Data
Organizations must minimize the collection of personal data and only collect it when strictly necessary. This means users' private information should only be recorded if it is essential for the processing. They must also delete such personal data as soon as it is no longer required.
4. Data Anonymization
Another crucial aspect that organizations must consider is the pseudonymization or anonymization of personal data wherever possible. This means the key participants in a blockchain network must not be identifiable from the private records stored in the ledger. Data anonymization is extremely important for mitigating the threats associated with the exposure of personal data and helps in complying with the GDPR.
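The tension between the right to erasure (section 2) and the anonymization requirement (section 4) is commonly resolved by keeping personal data off the chain: the ledger stores only a keyed pseudonym and a hash of an encrypted off-chain record, and an erasure request is honoured by destroying the subject's key, which leaves the hash chain verifiable. The following is an added example, not code from the article or from any project it names; the class, the toy SHAKE-256 stream cipher and the sample subjects are constructed for illustration.

```python
import hashlib, hmac, secrets

class PseudonymousLedger:
    def __init__(self):
        self.pepper = secrets.token_bytes(32)  # pseudonym secret, never on-chain
        self.keys = {}   # subject_id -> per-subject key (off-chain)
        self.vault = {}  # data_ref -> ciphertext (off-chain)
        self.chain = []  # on-chain blocks, append-only

    @staticmethod
    def _xor_stream(key, nonce, data):
        # Toy stream cipher: SHAKE-256 keystream; use AES-GCM in production.
        keystream = hashlib.shake_256(key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, keystream))

    @staticmethod
    def _block_hash(subject, data_ref, prev):
        return hashlib.sha256(f"{subject}|{data_ref}|{prev}".encode()).hexdigest()

    def record(self, subject_id, personal_data):
        # Encrypt off-chain; only the pseudonym and ciphertext hash go on-chain.
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = nonce + self._xor_stream(key, nonce, personal_data.encode())
        data_ref = hashlib.sha256(ct).hexdigest()
        self.vault[data_ref] = ct
        subject = hmac.new(self.pepper, subject_id.encode(), hashlib.sha256).hexdigest()
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        self.chain.append({"subject": subject, "data_ref": data_ref, "prev": prev,
                           "hash": self._block_hash(subject, data_ref, prev)})
        return len(self.chain) - 1

    def read(self, subject_id, index):
        # None once the key is gone: the block survives but cannot be decrypted.
        key = self.keys.get(subject_id)
        if key is None:
            return None
        ct = self.vault[self.chain[index]["data_ref"]]
        return self._xor_stream(key, ct[:16], ct[16:]).decode()
    def erase(self, subject_id):
        # Right to erasure without rewriting history: destroy the subject's key.
        self.keys.pop(subject_id, None)

    def verify(self):
        # Hash links stay valid after erasure, so the audit trail is intact.
        prev = "0" * 64
        for b in self.chain:
            if b["prev"] != prev or b["hash"] != self._block_hash(b["subject"], b["data_ref"], prev):
                return False
            prev = b["hash"]
        return True
```

A real deployment would also purge the orphaned ciphertexts from the vault and protect the pepper and per-subject keys in an HSM or key management service, since whoever holds them can re-identify subjects.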
There is no doubt that blockchain-enabled solutions help eliminate roadblocks that existed in conventional business models. Moreover, blockchain firmly focuses on transparency and accountability for the participants in the ledger, leading to confidentiality and a clear understanding of the entire process.
However, it cannot be ignored that the GDPR presumes at least one data controller to whom data subjects can turn in order to enforce their data protection rights. Blockchain, in contrast, focuses on decentralized systems that replace the unitary actors who would manage operations. This can create obstacles in allocating accountability and responsibility in a blockchain network under the GDPR.
Despite that, private and permissioned blockchains have still proved successful in complying with the GDPR. It can therefore be concluded that blockchain may not be a perfect solution to all the overarching challenges of the GDPR, but it is still, by all means, a great mechanism for controlling, securing, and sharing personal data in the long run.