The Role of Blockchain in GDPR

Posted by Arup Das on February 5, 2018

Will blockchain technology help organizations comply with the new GDPR standards? First we need to define what both are.

What Is GDPR?

The General Data Protection Regulation (GDPR) is European Union legislation designed to strengthen and unify data protection as well as give greater protection and rights to individuals. It will be enforced starting May 25, 2018 and replaces the EU's 1995 Data Protection Directive. Two of the concepts the GDPR introduces are the right to data portability (a person should be able to transfer their personal data from one electronic processing system into another without being prevented from doing so by the data controller) and the right to be forgotten (the right to have their personal data erased).

What is blockchain technology?

A blockchain is a distributed ledger technology (DLT) in which transactions between two parties are recorded in a verifiable and permanent way. It allows data to be transacted without a trusted third party or a central authority: the participants verify the ledger themselves instead of trusting an intermediary.

Blockchain vs. GDPR

Some speculate whether blockchain will help organizations comply with the new GDPR data management standards. For this discussion, the GDPR mainly touches three areas: data storage, personal data management, and data portability.

GDPR will cause companies to reconsider how they use and manage data. Any company that holds data on EU citizens or residents will be affected. GDPR mandates that data controllers implement "data protection by design and by default": protection has to be built into a processing system from the outset, and its default configuration must process only the personal data that is necessary, rather than bolting security on afterwards. A blockchain has properties that fit this. There is no single point of failure from which records or digital assets can be taken; the ledger is distributed, so no one party has central control over it; and every transaction is validated by the network's nodes, which amounts to a continuous audit of authenticity. Public and private keys sign transactions, so each transfer can be attributed to a key holder and cannot be altered in transit. Note, though, that those keys secure the signing of transactions; they do not by themselves hide data written to a public chain, which every node can read.

However, one property of a blockchain does not fit the GDPR. Once a block has been added (through mining, in proof-of-work networks), it is effectively immutable: deleting or altering its data would require rewriting every subsequent block and having the rest of the network accept that rewrite, which is impractical. This collides with the right to be forgotten.

"One solution is to encrypt the personal information written in the system, to ensure that, when the time comes, forgetting the keys will ensure that sensitive information is no longer accessible. Another possibility is to focus on the value of blockchain to provide unalterable evidence of facts by writing the hash of transactions to it, while the transactions themselves are stored outside of the system. This maintains the integrity of transactions, while enabling the erasure of the transactions, leaving only vestigial traces of forgotten information in the blockchain." - Deloitte Blockchain & Cyber Security
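The two patterns in the Deloitte quote above (encrypt the personal data and forget the key; anchor only a hash of the transaction on the chain while the data lives off-chain) combined in one runnable Python sketch. This is an added example, not code from the original post or from Deloitte. The names Ledger, OffChainStore, store, prove and erase_subject are invented for illustration, the sample records are constructed, and a standard-library-only SHA-256 counter-mode stream cipher with an HMAC tag stands in for a real AEAD such as AES-GCM. It goes one step beyond the quote by keying the on-chain hash with the data subject's key instead of hashing the plaintext directly.

```python
import hashlib, hmac, json, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: stdlib-only stand-in for a real cipher (use AES-GCM in practice).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce (16) || ciphertext || HMAC-SHA256 tag (32) over nonce+ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Ledger:
    """Append-only hash chain (hypothetical). Holds commitments only, never personal data."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "prev": prev, "commitment": commitment}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.blocks.append(body)
        return body["index"]

    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if b["prev"] != prev or digest != b["hash"]:
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Personal data lives here, encrypted per data subject; the chain only gets an HMAC."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.keys = {}     # subject -> key: the only thing erasure has to destroy
        self.records = {}  # block index -> (subject, encrypted record)

    def store(self, subject: str, record: dict) -> int:
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        plain = json.dumps(record, sort_keys=True).encode()
        # Keyed commitment: a bare sha256(record) of low-entropy PII (name, e-mail,
        # date of birth) can be confirmed by guessing, so the trace would still identify.
        commitment = hmac.new(key, plain, hashlib.sha256).hexdigest()
        idx = self.ledger.append(commitment)
        self.records[idx] = (subject, encrypt(key, plain))
        return idx

    def read(self, idx: int) -> dict:
        subject, blob = self.records[idx]
        return json.loads(decrypt(self.keys[subject], blob))

    def prove(self, idx: int, record: dict) -> bool:
        """Audit: does a presented record match the commitment anchored on-chain?"""
        subject, _ = self.records[idx]
        plain = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(self.keys[subject], plain, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.ledger.blocks[idx]["commitment"])

    def erase_subject(self, subject: str) -> None:
        """Right to be forgotten: drop the key (crypto-shredding) and the ciphertexts."""
        del self.keys[subject]
        for idx in [i for i, (s, _) in self.records.items() if s == subject]:
            del self.records[idx]

def demo() -> dict:
    ledger = Ledger()
    store = OffChainStore(ledger)
    # Constructed sample records, not real people.
    i_alice = store.store("alice", {"name": "Alice Example", "email": "alice@example.org"})
    i_bob = store.store("bob", {"name": "Bob Example", "email": "bob@example.org"})
    proof_ok = store.prove(i_alice, store.read(i_alice))
    store.erase_subject("alice")
    return {"chain_valid": ledger.verify(), "blocks": len(ledger.blocks), "proof_ok": proof_ok,
            "alice_gone": i_alice not in store.records and "alice" not in store.keys,
            "bob_name": store.read(i_bob)["name"]}

if __name__ == "__main__":
    print(demo())
```

After erase_subject("alice") the key and the ciphertexts are gone, the chain still verifies because no block was rewritten, and the HMAC left on the chain cannot be checked against any guess without the destroyed key. The keyed commitment is the detail that matters: with a bare SHA-256 of a name or e-mail address, anyone holding the chain could confirm a guess simply by hashing it, so the "vestigial trace" would still identify the person.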

In conclusion, a blockchain as it stands is not compatible with the GDPR on its own, because the right to be forgotten cannot be honoured for data written directly to an immutable ledger. However, interest in the technology has produced designs such as the two above, which keep the personal data off the chain or under keys that can be destroyed, so that a ledger can be aligned with the GDPR's requirements.