GDPR and blockchain form a powerful intersection of emerging governance and technology trends, although their unique characteristics raise immediate concerns about their mutual compatibility. For example, one of blockchain’s most vaunted attributes is its immutability. While this is a potentially valuable characteristic for GDPR requirements of auditability and transparency, it is simultaneously in apparent contradiction with GDPR’s requirement to enable requests by data owners for deletion.
However, there are also potential use cases for blockchain technology to support GDPR compliance. For example, GDPR places an emphasis on content identification, trust and data stewardship, while blockchain is a technology with enterprise implications around guaranteeing trust and data (usage) consistency across a network of participants. Our clients are being encouraged to start up blockchain projects and adoption in part due to the enormous hype and attention the technology is currently receiving.
As relatively new legislation (enforced May 2018), GDPR represents a significant challenge for enterprises anywhere in the world that do business in or with the EU. Even without the potential impact on brand damage and customer trust levels, noncompliance may incur a sanction to the maximum of 20 million euros or 4% of the annual turnover, whichever is highest. This is why it is incumbent on security and risk management (SRM) leaders to understand not only the content, but also the intent of the legislation.
Fundamentally, GDPR emphasizes a series of individual “rights” regarding data protection, security and decision making. Examples include:
- The right to restrict processing
- The right to erasure
- A more stringent set of characteristics relating to consent
Similarly, as a relatively nascent technology in the enterprise, blockchain engenders a significant amount of misunderstanding and misinformation about its benefits and limitations.
We define blockchain as an expanding list of cryptographically signed, irrevocable transactional records shared by all participants in a network. Each record contains a time stamp and reference links to previous transactions. With this information, anyone with access rights can trace back a transactional event, at any point in its history, belonging to any participant. Essentially, it is about adding trust to an untrusted environment, and while its inherent capabilities may appeal to SRM leaders looking to control personal data, they may underestimate the impact of blockchain on GDPR compliance.
In this context, we have identified three primary risks for enterprises subject to GDPR: scope of applicability, data location and immutability. Each of these affects blockchain deployments, as follows:
Scope of applicability: The blockchain protocols themselves may provide no inherent risks related to GDPR. GDPR does not address specific technology. However, blockchains may contain personal data, the processing of which may be subject to the regulation. Additionally, while blockchain uses encryption for integrity and time-stamping, payloads are usually in plain text and can be read by everyone who has access to the blockchain. This is in contradiction with GDPR’s notion of “purposeful processing,” where personal data can only be handled by authorized people in the context of specific goals.
Data location: Blockchain is a distributed technology, with data scattered across the network (potentially across geographies), all of which is visible to everyone in the network. Confidentiality settings and potential cross-border transfers of personal data can conflict with regulatory requirements (see “Transfer Personal Data Worldwide” as an introduction).
Immutability: The data stored in the blocks is statistically immutable, due to consensus. To maintain the integrity of a blockchain, the transactional data stored in each block is immutable, as changing the data in a block would break the chain and render the entire blockchain useless. Though on the surface this contradicts GDPR requirements on the right to correct, amend and/or erase data, there are possible ways for SRM leaders to deploy blockchain and meet governance requirements.
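As an added illustration (not part of the original note), the following Python builds a small hash-linked ledger from constructed sample records and shows why editing or deleting a stored record, as an erasure or correction request would require, is detected as a break in the chain by every participant that re-verifies it:

```python
import hashlib
import json
import time
from typing import Optional

GENESIS_PREV = "0" * 64  # link value used by the first block


def block_hash(index: int, timestamp: float, payload: dict, prev_hash: str) -> str:
    """Hash covers every field, including the link to the previous block."""
    body = json.dumps({"index": index, "timestamp": timestamp, "payload": payload,
                       "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_block(chain: list, payload: dict, timestamp: Optional[float] = None) -> dict:
    """Append a record whose hash chains to the current tail (or the genesis marker)."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    ts = time.time() if timestamp is None else timestamp
    block = {"index": index, "timestamp": ts, "payload": payload, "prev": prev_hash}
    block["hash"] = block_hash(index, ts, payload, prev_hash)
    chain.append(block)
    return block


def first_broken_block(chain: list) -> Optional[int]:
    """Index of the first block whose contents or backward link no longer verify, else None."""
    for i, blk in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if blk["prev"] != expected_prev:
            return i
        if blk["hash"] != block_hash(blk["index"], blk["timestamp"], blk["payload"], blk["prev"]):
            return i
    return None


def build_sample_chain() -> list:
    """Constructed sample: a three-block ledger holding fictional personal data in plain text."""
    chain = []
    append_block(chain, {"event": "consent_given", "subject": "alice@example.com"}, 1.0)
    append_block(chain, {"event": "address_update", "subject": "alice@example.com", "city": "Lyon"}, 2.0)
    append_block(chain, {"event": "order", "subject": "bob@example.com", "amount": 42}, 3.0)
    return chain


def erase_subject_in_place(chain: list, subject: str) -> Optional[int]:
    """Simulate honouring an erasure request by editing stored blocks; return where the chain breaks."""
    for blk in chain:
        if blk["payload"].get("subject") == subject:
            blk["payload"] = {"event": "erased"}  # stored hash and the next block's link now mismatch
    return first_broken_block(chain)
```

Recomputing an edited block's hash does not help either: the following block still carries the old link, so verification fails there instead.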
Notwithstanding these caveats, we believe blockchain represents a global-scale technology transformation of business, economics and society. As such, enterprises should at least consider it as part of their future technology plans, especially in the burgeoning digital business era. Further, while the GDPR presents some challenges, it is by no means insurmountable. It is crucial that SRM leaders are aware of these considerations, and implement any measures needed to ensure that their blockchain project is compatible with GDPR requirements before someone in an official capacity tells them that it isn’t.
At its core, the use of any enterprise-sanctioned blockchain that contains the personal data of people in the EU will be subject to the GDPR. In this context, the GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU (for an explanation of these roles, see “GDPR Clarity: 19 Frequently Asked Questions Answered”). Such is the breadth of the legislation that many enterprises and organizations may be subject to GDPR without knowing it, which is why three fundamental questions help SRM leaders identify their exposure. Answering yes to any of the following indicates that the GDPR might apply to your organization:
- Do you offer goods or services to people in the EU?
- Do you profile or monitor behavior (including online activity) of people residing in the EU?
- Do you process personal data on EU residents on behalf of a company based in the EU?
Under the GDPR, enterprises will need to demonstrate accountability for all processing activities. In this context, an enterprise blockchain endeavor will require the same level of stringency that all data processing activities in the enterprise require, and given blockchain’s distributed nature and the near certainty for cross-border data flows, possibly even more.