How Blockchain Can Comply With GDPR Standards

Privacy of personal data and information is high on the agenda for discussion; governments and regulatory bodies have enacted data protection laws and general privacy best practices. In the web2 model of information exchange it is not easy to control personal data leakage, so the laws were tightened and compliance became mandatory. The most comprehensive data privacy law, the European Union's General Data Protection Regulation (GDPR), defines in detail how to collect, store and share data with third parties. Non-compliance with the law results in severe penalties and legal action.

The nature of blockchain is such that the data is transparent and transactions are recorded on a public ledger, which may sound contradictory to the requirements of data privacy. Blockchain, also known as distributed ledger technology (DLT), is a decentralized, distributed, immutable, and incorruptible digital ledger stored on a public network and maintained by a decentralized network of computers; this design ensures that the data stored in the blockchain is always accurate and transparent.

Although keeping data on a decentralized ledger adds an extra layer of security, several blockchain concepts may conflict with the current General Data Protection Regulation (GDPR), and the debate on whether blockchain technology is compliant with the law is ongoing. If everyone can see the data on a DLT because of its transparency, how can blockchain technology comply with GDPR?

What Is GDPR?

The European Union's General Data Protection Regulation, or GDPR, which came into effect on May 25, 2018, has made it nearly impossible for companies to conduct business without being held accountable for the personal information of their customers and employees. To comply with GDPR, companies must disclose how they collect, use, and store personal information.

Concerns about the usage of personal data have long existed, and the use of consumer data to deliver online services and information has become commonplace. However, consumers are not aware of how their data is utilized by these online service providers. To protect consumer data, the General Data Protection Regulation (GDPR) of the European Union has set some ground rules:

  • Businesses must provide enhanced transparency regarding how their customer data is being used.
  • Users have the right to have their identity or profile deleted from a particular web platform without leaving any information behind.

If an organization fails to comply with GDPR, it is subject to a penalty that depends on the organization's turnover. The GDPR rules apply to organizations in both European and non-European countries that provide goods and services to EU citizens.

Contradiction - GDPR And Blockchain

GDPR compliance is required wherever a person submits personal data, and blockchain is no exception.

  • GDPR seeks to control who holds and processes data, whereas blockchain's intrinsic design distributes the data to all network members in order to achieve decentralization.
  • GDPR specifies that individuals have the right to have their personal information deleted when necessary. Blockchain, by contrast, is immutable in order to guarantee data integrity in the network and is transparent; once data is deployed, it cannot be changed or removed.

GDPR and blockchain are pursuing two different goals, but the current focus is on determining how blockchain can serve GDPR's essential principles.

There are different types of blockchain. In a public (permissionless) blockchain, data is available to anybody in the network, whereas private (permissioned) blockchains allow access only to a restricted number of users. Consortium blockchains are a third option: they resemble private blockchains but with one significant difference, namely that participants can set the level of authority for each operation in the network. As a result, it is possible to identify someone directly or indirectly.

Users of blockchain technology quickly discovered that the GDPR applies to them, and the GDPR is specific about how blockchain technology obtains data from its users. To address this issue, the CNIL (Commission Nationale Informatique & Libertés, the French data protection authority) published a report setting out these issues and the possible solutions that blockchain technology can adopt.

What Is The Balance Between GDPR Requirements And Blockchain Features?

As consumers become more aware of the privacy implications of the data they share, companies can no longer ignore the fact that they must be highly cautious when protecting their customers' data. For many, this could mean choosing between a world that gives them all the data they want and a world that protects privacy more effectively.

Many companies are exploring solutions that use blockchain features to achieve GDPR objectives. Hyperledger Fabric uses off-chain storage for personal data: only the URL and the hash value of the personal information are recorded on the blockchain. When an individual requests deletion of their information, the request is fulfilled by deleting the information in the external database. To comply with GDPR, the data stored on the blockchain contains no personal information and nothing that blockchain participants could use to identify a person. The personal information itself is stored only in an external, encrypted database and is never shared with the entire company network.
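The off-chain pattern described above, as an added illustration rather than Hyperledger Fabric's own code: the ledger is a minimal append-only hash chain, the external database is a plain dict, and the `db://records/...` pointer is a placeholder URL. It goes one step beyond the text by committing to the data with a salted (keyed) hash instead of a bare hash, so that deleting the record and its salt off-chain leaves the on-chain value unlinkable to the person, while the chain itself is never rewritten.

```python
import hashlib
import hmac
import os

class Ledger:
    """Append-only chain: blocks carry a pointer and a commitment, never the data itself."""
    def __init__(self):
        self.blocks = []

    def append(self, pointer, commitment):
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        body = f"{prev}|{pointer}|{commitment}".encode()
        self.blocks.append({"prev": prev, "pointer": pointer, "commitment": commitment,
                            "block_hash": hashlib.sha256(body).hexdigest()})
        return len(self.blocks) - 1

    def intact(self):
        """Every block still hashes to its stored value and links to its predecessor."""
        prev = "0" * 64
        for b in self.blocks:
            body = f"{prev}|{b['pointer']}|{b['commitment']}".encode()
            if b["prev"] != prev or b["block_hash"] != hashlib.sha256(body).hexdigest():
                return False
            prev = b["block_hash"]
        return True

def commitment(data, salt):
    # Salted (keyed) hash. An unsalted SHA-256 of an e-mail address or name could be
    # confirmed by hashing guesses and comparing against the chain; the random salt,
    # kept off-chain next to the data, removes that link once both are deleted.
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

def store_personal_data(store, ledger, record_id, data):
    """store: dict standing in for the external database (record_id -> (data, salt))."""
    salt = os.urandom(32)
    store[record_id] = (data, salt)
    return ledger.append(f"db://records/{record_id}", commitment(data, salt))  # placeholder URL

def verify(store, ledger, index):
    """True only while the off-chain record exists and matches the on-chain commitment."""
    block = ledger.blocks[index]
    record_id = block["pointer"].rsplit("/", 1)[1]
    if record_id not in store:
        return False
    data, salt = store[record_id]
    return hmac.compare_digest(commitment(data, salt), block["commitment"])

def erase(store, record_id):
    """Erasure request: delete data and salt off-chain; the chain is left untouched."""
    store.pop(record_id, None)
```

After `erase`, `verify` fails for that block but `intact` still succeeds, which is the behaviour the text describes: the deletion request is honoured without breaking the ledger.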

Blockchain regulation is a topic that deserves in-depth research, analysis, and discussion. Undoubtedly, regulation is an integral part of the blockchain ecosystem too. Blockchain developers should produce blockchain applications that are free of legal entanglements. In the coming years, we will see GDPR-compliant blockchains that can handle personal data requests without interrupting decentralized data exchange on the network.