Updated: Apr 13
Before we discuss the effect of blockchains on GDPR, let us first define what a blockchain is.
A blockchain is a continuously growing list of records. We call these records 'blocks', and they are linked and secured with the help of cryptography. Please go ahead and google the word for a more comprehensive explanation.
The problem with blockchain is that it is a double-edged sword for data protection.
Blockchains are distributed and decentralized. This would mean that it is impossible to trace the person who is responsible for the data. Furthermore, blockchains are accessible to everybody because they're public. Last but definitely not least, blockchains cannot be edited, so changes to personal data cannot be made.
Those were just some of the advantages and disadvantages of blockchains. Now, if we bring GDPR into the picture, compliance will take a lot of hard work.
There have been mixed responses about blockchains from people using them.
Some people aren't convinced that blockchains can be effectively leveraged for use with GDPR, as they believe that data subjects' rights are harder to guarantee when using blockchain.
As we all know by now, GDPR is and will always be about protecting the rights of data subjects. This is a good thing for blockchains because a blockchain protects personal data by making it close to unidentifiable. However, GDPR demands far more than just the protection of rights. The regulation includes a right to access so that incorrect data can be corrected, which, as mentioned above, does not sit well with blockchains. This is because once data has been entered into the blockchain, it is impossible to erase and/or edit, which conflicts with GDPR's 'right to erasure' and 'right to be forgotten'. To make the situation harder for blockchains, the anonymity of a data subject would make it harder to access the data, or even to correct it.
To add to the dilemma involving blockchains, the controller of the data in a blockchain is unknown, which makes it hard to comply with GDPR, as the regulation requires the identity of controllers. The goal of GDPR is to always disclose to data subjects the identity of the person processing their data. But according to some, the silver lining here is that the power is now in the hands of the data subjects rather than the controller.
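To make the rectification and erasure problem concrete, here is an added example (not part of the original post) of a minimal hash-linked ledger. The block layout, field names and sample records are assumptions constructed for illustration; a real blockchain adds consensus and replication across many nodes on top of this.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample personal data; bob's address contains a typo to rectify.
RECORDS = [
    {"subject": "alice", "email": "alice@example.com"},
    {"subject": "bob", "email": "bob@exmaple.com"},
    {"subject": "carol", "email": "carol@example.com"},
    {"subject": "dave", "email": "dave@example.com"},
]

def block_hash(index, prev_hash, record):
    """Hash a block's position, its link to the previous block, and its data."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Append records in order; each block commits to the one before it."""
    chain, prev = [], GENESIS
    for i, record in enumerate(records):
        h = block_hash(i, prev, record)
        chain.append({"index": i, "prev": prev, "record": dict(record), "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Return the index of the first block failing verification, or None."""
    prev = GENESIS
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["record"])
        if block["prev"] != prev or block["hash"] != recomputed:
            return block["index"]
        prev = block["hash"]
    return None

def rewrite_from(chain, index, new_record):
    """Rectify one record by rebuilding; return (new_chain, changed block indexes)."""
    records = [b["record"] for b in chain]
    records[index] = new_record
    new_chain = build_chain(records)
    changed = [n["index"] for o, n in zip(chain, new_chain) if o["hash"] != n["hash"]]
    return new_chain, changed

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    chain[1]["record"]["email"] = "bob@example.com"  # in-place rectification
    print("first invalid block after in-place edit:", first_invalid_block(chain))
```

An in-place correction makes the edited block fail verification, and a correction done by rebuilding changes the hash of that block and every block after it, so every participant holding a copy would have to accept the rewritten history.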
A single blockchain may have multiple computers involved that are located in several countries, which is where the 3rd article of GDPR comes in:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
With this in mind, blockchain has now become more of a complication than a help. This is because, with multiple data controllers involved who may also be located in different parts of the world, jurisdiction will be harder to establish. From GDPR's 3rd article, it can be deduced that blockchain users will be required to be compliant even when the controller is outside Europe.
GDPR requires impact assessments on data protection during pre-processing. Although some blockchains are used for non-personal data, some of them are specifically used for personal data. For those that do use blockchains for the latter, a DPIA will be required. Theoretically, blockchains are extremely secure. Companies that use them will, however, need evidence to prove that the system is more than stable. This is done by comparing their systems with traditional cloud-based ones and showing how robust they are by comparison. With blockchains having multiple cryptographic layers, they do seem more robust; however, companies may be asked to provide in-depth and comprehensive proof of this for GDPR.
When it comes to identity management, people are still conflicted and have a split response to blockchains. Those who are against them state that blockchains work without identity. On the other hand, others claim that data subjects are the drivers of their own personal data and can control the extent of the data that they share.
In conclusion, despite the divided opinions about the use of blockchains in GDPR compliance, it is a technology that is in use and will be here to stay for the foreseeable future. Rest assured that we will still hear and read more about GDPR and blockchains interacting with one another for some time…