
How blockchain can help implement Privacy by Design

Published On: 2nd November 2018

Blockchain and the GDPR have been the focus of much attention, particularly around the assumption that the technology is not compliant with the regulation.

However, the issue is not that simple. Although the fact that blockchain records cannot be modified or deleted means that using them to record unencrypted personal data is highly likely to be incompatible with the GDPR’s ‘right to be forgotten’, the technology can be a powerful tool to help organisations implement compliance.

Examples where blockchain technology can be used to support the GDPR’s Privacy by Design principle include:

Decision traceability

A key change under GDPR is the introduction of the accountability principle, which means that organisations must be able to demonstrate and explain why they have taken a specific decision regarding the use of personal data.

The tool highlighted by the GDPR to meet the requirements of the “accountability principle” is a Data Protection Impact Assessment (DPIA), although this is not the only possible method.

The requirement to record and document every action or decision taken in respect of data protection governance is an area where blockchain can be used internally to record and demonstrate that the relevant stakeholders have been involved at the right time, and to record the decision-making process.

A new chain can be set up from the outset of the development of a product, very much in keeping with the ethos of Privacy by Design.

Consent recording

Another challenge under the GDPR is affirmative consent. The strengthening of consent requirements means organisations need to be able to record and demonstrate they have captured valid consent.

This is sometimes difficult for many reasons, principally that the design of a system or a database is not tailored to meet such an obligation.

Another challenge is capturing and recording consent. Blockchain is unlikely to be helpful where consent is provided in a phone call without implementing solutions that would be even more challenging in terms of compliance (such as recording the relevant section of the phone conversation in the chain).

However, for any other method – especially online – blockchain could be used to demonstrate valid consent. Rather than recording directly in the chain that a particular individual has provided valid consent on a certain date, a random reference number could be assigned and recorded to show they provided consent at a particular time. This would enable organisations to also record when consent is withdrawn.

Such a solution may not be the most appropriate for all situations and it is important not to use blockchain just for the sake of it. But blockchain is of particular interest if organisations deal with special categories of data (e.g. data covering racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or sexual orientation), and the only legal basis for processing such data is explicit consent.

Action recording

The final – and perhaps most interesting – potential application of blockchain is the ability to record any action performed on a personal data asset, particularly when acting upon a data subject’s request.

This is not only useful to keep track of any event happening on a data asset, as any traditional logging system would do, but it can also be used to demonstrate that the right actions have been taken at the right time by the right person.

This could be useful for businesses with particular exposure to access requests. For example, credit reference agencies receive a large number of subject access requests, with a high probability of claims being made to a supervisory authority following a request. Being able to record actions and demonstrate beyond doubt that they have taken certain actions is highly valuable.

Of course, blockchain shouldn’t be applied directly on a personal data asset. Organisations will need to use innovative cryptographic technologies that keep track of the data asset without recording the data itself in the chain, such as a cryptographic hash function as recommended by the CNIL (French Data Protection Authority).
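The consent-recording and action-recording approaches described above, sketched as an added example (not code from this article, Gemserv or the CNIL): a local hash chain stands in for the blockchain, and `Ledger`, `record_consent`, `record_action` and the use of a keyed hash (HMAC) are names and choices assumed for illustration. The table linking a reference number to an individual, and the HMAC key, are assumed to be held off-chain where they can be deleted.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def block_hash(prev, payload):
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (assumption)."""
    def __init__(self):
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": block_hash(prev, payload)})
        return self.blocks[-1]

    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

def new_reference():
    # Random reference: carries no information about the individual.
    return secrets.token_hex(16)

def record_consent(ledger, ref, event, when):
    # event is "given" or "withdrawn"; only the reference goes on-chain.
    return ledger.append({"type": "consent", "ref": ref, "event": event, "at": when})

def consent_status(ledger, ref):
    # The latest event for a reference wins, so a withdrawal is visible.
    events = [b["payload"]["event"] for b in ledger.blocks
              if b["payload"]["type"] == "consent" and b["payload"]["ref"] == ref]
    return events[-1] if events else None

def asset_digest(key, asset):
    # Keyed hash: the digest cannot be recomputed by guessing without the key.
    return hmac.new(key, asset, hashlib.sha256).hexdigest()

def record_action(ledger, key, asset, action, actor, when):
    return ledger.append({"type": "action", "asset": asset_digest(key, asset),
                          "action": action, "actor": actor, "at": when})
```

Deleting the off-chain reference table and key leaves the chain intact and verifiable while its entries can no longer be tied back to a person or a record.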

Conclusion

These examples – and there are many other possible applications – help to approach the blockchain/GDPR relationship from another perspective. By applying lateral thinking, a technology which at first glance is not compatible with the GDPR can become one which is able to provide strong and reliable solutions to support compliance.

Article Author.

Samuel Plantie

Senior Data Protection Consultant
Samuel is a Senior Data Protection Consultant in the Data Protection Team at Gemserv. He has a PhD in Law...
