Given the numerous possible uses of blockchain technology there is a need to analyse the direct relationship between blockchain technology and the General Data Protection Regulation. The primary issue relating to GDPR compliance is whether blockchain is or can be made to be GDPR compliant.We review the challenges that that Blockchain technology offers and offer practical suggestions for using blockchain technology in a GDPR-compliant manner.
The GDPR aims to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The General Data Protection Regulation (2016/679) isn EU law or regulation on data protection and privacy for all individuals within the European Union and the European Economic Area. Since GDPR addresses the export of personal data outside the EU and EEA areas, the first implication may be the global, borderless data transfer of personal data.
In other words,GDPR is not a solid list of implementation and control processes. It is a framework that allows data controllers and data processors to get along with their role and responsibilities in a manner that protects the rights and freedoms of each data subject. Therefore, GDPR compliance can only be measured in a single case by case basis.
When GDPR’s rules that are implemented on old legacy systems,they are not technologically friendly, nor is the implementation technology neutral. The manner in which compliance technology is deployed to suit a particular purpose of a GDPR process, the key is to analyse whether that technology can be GDPR compliant at all. The same is the case with the new Blockchain technology.
Given the current lack of in-depth understanding of blockchain technology and the uncertainty of interpretation of the GDPR’s requirements, there is a need for a few court verdicts to reveal how the use of blockchain technology and the application of the GDPR can be evolved to ensure compliance.
DPIA and Information Security Assessments
The European Data Protection Board has stated that the use of new or innovative technology in itself does not trigger the need to conduct a DPIA. However,when any new technology is combined with another processing factor,there is a need to raise the data processing risk to a high level.
In any case, we recommend a proactive assessment using a customised data protection impact assessment (DPIA) alongside an initial information-security risk assessment(with a regular re-assessments) about the privacy implications is critical to enable GDPR compliance to blockchain technology.
Blockchain technology is subject to the GDPR is the conclusion of the EU commission.The million dollar question remains whether the Blockchain and the GDPR are compatible?Therefore a step by step approach must be conducted by monitoring a case-by-case implementation to assess for GDPR compliance.
The Blockchain technology is one of the most innovative technological systems,but it is hyped and still not well understood:
- The first step is to determine if Blockchain is the most suitable for use in a particular case.
- Evaluate whether blockchain technology you deploy meets the numerous regulatory requirements, including those on how to implement a GDPR-compliant blockchain?
- Evaluate the key factors before deciding the type of blockchain technology, including the selection of permission or permission less option. Both options have their individual strengths/weaknesses, The only option for private companies is a permission
- From a GDPR-compliance perspective, the implementation must be assessed on a case-by-case basis for GDPR compliance.
- Figure out the factors to be considered when designing a blockchain solution that strives to be GDPR compliant
10 point action plan
After the above initial considerations, there is a need to go further in the GDPR engine room to determine compliance. The following is a 10 point checklist to evaluate GDPR compliance:
- Identify the risks involved in personal processing data via blockchain technology. A data-safe solution that does not achieve commercial business goals can never be a good solution. Neither is a solution that only focuses on the achievement of business targets but disregards GDPR, and other compliance risks is an option to consider in Europe.
- About the associated data flows, define who will be able to input data into the blockchain, and how nodes will interact with each other and who will have access to the output data. If the solution is based on permission,the data controller is also required to implement measures to ensure the accuracy of that personal data and the appropriate permission levels and their granularity must be defined.
- Classify the personal data that will be used on the blockchain. Does personal data need to be involved in any transaction on the chain?
- Consider the GDPR principle of data minimisation and exclude personal data where it is unnecessary to process or store it. To clarify this step, identify the relevant risk mitigation techniques, such as zero-knowledge proofs, homomorphic encryption or secure multi-party computation.
- Defining the legal basis of processing the personal data is a crucial GDPR component. The legal basis of personal processing data may differ depending on the blockchain type used. Permission less blockchains may rely on the consent while permissioned blockchains may depend on the performance of a contract.
- Explain each implication relative to the exercise of data subject rights. If a legal basis cannot be identified and the lawfulness of the processing of personal data cannot ensure transparency, then further mitigation measures (e.g. full anonymisation) should be pursued.
- When processing personal data on the chain, define the roles of the data controllers and processors and whether these roles will be singular or with joint responsibility. The definition of functions should be set out in written data processor agreements.
- Define the governance model relative to permission less blockchains that are susceptible of the “51 percent attack” (the perpetrators control more than the half of the resources), The operators and participants should agree in advance on the allocation of resources and the consensus model to follow.
- Define the policies and procedures that allow the exercise of data subject rights, the right of access and data portability. However, the right to restrict processing and the right to be forgotten is not supported by the technology’s design. Identifying and designing the procedures that will enable data controllers to satisfy the requirements of GDPR’s Articles 12 to 23 can be a significant issue.
- Plan functional and non-functional requirements when designing a public blockchain, remember that due to the decentralised nature of the technology, a blockchain never really shuts down. Therefore assess, evaluate and mitigate the related privacy information, security and data protection risks.
Continuously assess, evaluate and improve
GDPR’s articles 24 and 32 require data controllers and processors to maintain, evaluate and improve their organisational and technical controls to mitigate the risks posed by their data processing activities. The privacy-related risks (e.g. reversal risk or linkability risk of personal data even in encrypted or hashed format); cybersecurity risks (e.g. vulnerabilities of the underlying infrastructure, the blockchain software, malicious users, etc.); and the risks related to the “no trust” environment. Implement the measures necessary to address these risks (e.g. penetration and vulnerability testing of the applied solution; examination of the data subject rights management process, data breach test simulations…)
When all of the above GDPR issues are resolved, there are further implications to be addressed at the designing stage of the blockchain. The company must be aware of the nature of smart contracts, as many of these contracts may fall under the provisions of automated decision making under the GDPR – and human intervention would hinder the advantages of the execution of smart contracts.
Sources: The NIST and the EUBOF papers on Blockchain compliance