
OPINION 8 May 2019

Blockchain under GDPR


Privacy is central to consumers and anyone working with their data; and GDPR has only highlighted this further. Measure Protocol’s Paul Neto discusses how this affects blockchain technology.

If you are in the market research space, you couldn’t turn around last year without coming face to face with some form of communication about the EU’s General Data Protection Regulation (GDPR). This sweeping regulation affected a wide number of industries, and demands for compliance kept anyone in our industry on their toes, making sure they had all their ducks in a row.

But the legislation had far-reaching implications beyond keeping us scrambling: it set the stage and upped awareness levels surrounding consumer demands for privacy and data control. 

Gartner’s latest privacy predictions focus on the role that blockchain could play in meeting these demands for transparency and customer assurance. With personal data stored by companies representing a huge privacy risk (think corporate database breaches ranging from Yahoo! to Macy’s), blockchain represents a solution to the problem by operating outside of centralised databases. Gartner predicts that the blockchain can be ‘poisoned’ and become non-GDPR compliant. 

Truthfully, there really is no such thing as GDPR compliant blockchain, only GDPR and privacy compliant applications. Sensitive user-based information should never be stored on a public blockchain. The benefits of blockchain in this environment are not around storing of user data directly, but instead providing immutable proof of permissions and transactions.

Blockchain is not one size fits all

While private, permissioned blockchains may face fewer hurdles and challenges around user data, public blockchains must draw a very clear line on how user data is handled and processed.

Blockchain projects in their purest form, such as bitcoin, are not the reality of most applications that can benefit from blockchain technologies. Some of these projects and applications have legitimate reasons for storing some data off-chain, and others are employing a technique where data is stored on the edge, directly on users’ devices.

The rapid development of blockchain-related technologies and applications makes it imperative not only to approach each application with a lens for compliance, but also to evaluate its implications on a case-by-case basis. We are seeing a wave of consumer awareness around these issues, partly driven by new legislation across numerous jurisdictions – like GDPR.

What we can expect is that we are in the early days of privacy and data control legislation and that in the coming years we will see iterations as these evolve. New technologies introduce new challenges for legislation that could not have been foreseen and blockchain is no different.

New techniques are being developed and deployed. This may include storing user data off-the-chain and using the blockchain to provide access control and proof of request and permissions – so giving claims that are publicly verifiable.

If and when data is completely erased off-chain, any links or hashes stored on the blockchain are orphaned and rendered useless. Other approaches include storing of user data encrypted directly on the user’s device and absolving any organisation of data storage in a centralised database.
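The pattern described above, as an added example that is not code from the author or from Measure Protocol: personal data stays in an erasable off-chain store while only a commitment and the permission event go on the chain. `Ledger` and `OffChainStore` are hypothetical names, the in-memory hash chain stands in for a real blockchain, and the per-record HMAC key is an assumption that goes beyond the article's "links or hashes".

```python
import hashlib, hmac, json, secrets
GENESIS = "0" * 64

def block_hash(prev: str, payload: dict) -> str:
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a public blockchain (assumption)."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": block_hash(prev, payload)})

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Erasable store: personal data plus a secret per-record key."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}

    def record(self, user_id: str, data: str, action: str) -> str:
        # Keyed hash, not bare SHA-256: personal data is low-entropy, so an
        # unkeyed digest could be confirmed by hashing guesses.
        key = secrets.token_bytes(32)
        commitment = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
        self.records[user_id] = (key, data, commitment)
        self.ledger.append({"action": action, "commitment": commitment})
        return commitment

    def prove(self, user_id: str, commitment: str) -> bool:
        if user_id not in self.records:
            return False  # erased: the on-chain commitment is orphaned
        key, data, _ = self.records[user_id]
        recomputed = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(recomputed, commitment)

    def erase(self, user_id: str) -> None:
        key, data, commitment = self.records.pop(user_id)  # key and data go together
        self.ledger.append({"action": "erasure", "commitment": commitment})
```

After `erase`, the chain still verifies and still shows that consent and erasure events occurred, but nothing remaining off-chain can tie the commitment back to a person.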

While these approaches may limit some of the true benefits of either system, and are particularly problematic to some of the purists, they provide some incremental movement toward addressing these issues.

Regardless of the techniques used, we believe moving towards a data minimalism approach, where you only collect what is essential and avoid the tendency to hoard data, helps remove the need to store user data and encourages greater control for the user (e.g. storing data on their own devices).

Challenges and possible ensuing regulations aside, the basic benefits of blockchain remain:

  • Providing an unchangeable record of permissioned data disclosure and sharing, showing data ranging from denial of access to use of personal data and consent, as well as providing open audit mechanisms
  • Helping ensure privacy through emerging cryptographic activity and developments based on the blockchain technology
  • Meeting upcoming consumer demands in the new era of privacy, such as needs surrounding compliance and audits.

There’s no doubt that there are a great number of new unanswered questions, and some clear upcoming contradictions, which can only be addressed as legislation and technologies evolve. One thing is for sure, this new world where privacy is a primary objective has everyone asking more questions.

Paul Neto is chief marketing officer at Measure Protocol