Blockchain and the GDPR has been the focus of much attention, particularly around the assumption that the technology is not compliant with the regulation.
However, the issue is not that simple. Blockchain records cannot be modified or deleted, so using a chain to record personal data in the clear is highly likely to be incompatible with the GDPR's 'right to be forgotten'. Used differently, though, the technology can be a powerful tool to help organisations implement compliance.
Examples where blockchain technology can be used to support the GDPR’s Privacy by Design principle include:
A key change under GDPR is the introduction of the accountability principle which means that organisations must be able to demonstrate and explain why they have taken a specific decision regarding the use of personal data.
The tool highlighted by the GDPR to meet the requirements of the accountability principle is a Data Protection Impact Assessment (DPIA), although this is not the only possible method.
The requirement to record and document every action or decision taken in respect of data protection governance is an area where blockchain can be used internally to record and demonstrate that the relevant stakeholders have been involved at the right time, and to record the decision-making process.
A new chain can be set up from the outset of the development of a product, very much in keeping with the ethos of Privacy by Design.
Another challenge under the GDPR is affirmative consent. The strengthening of consent requirements means organisations need to be able to record and demonstrate they have captured valid consent.
This is often difficult, principally because the system or database holding the data was never designed to record such evidence.
Blockchain is unlikely to help where consent is given in a phone call: the only way to evidence that would be to put the relevant section of the recording in the chain, which creates a bigger compliance problem than it solves.
For any other method, and especially online, blockchain could be used to demonstrate valid consent. Rather than recording directly in the chain that a named individual gave consent on a certain date, the organisation assigns each data subject a random, opaque reference and records on the chain that this reference consented to a stated purpose at a stated time. The mapping from reference to person is held off-chain in the organisation's own systems, and the reference must not be derivable from the person's data (a hash of an e-mail address, for example, is not opaque). The same mechanism records when consent is withdrawn, so the chain shows the current state of consent for each reference and purpose.
Such a solution may not be the most appropriate for all situations, and it is important not to use blockchain just for the sake of it. But it is of particular interest to organisations that process special categories of data (eg racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or sexual orientation) where explicit consent is the only available basis for that processing.
The final – and perhaps most interesting – potential application of blockchain is the ability to record any action performed on a personal data asset, particularly when acting upon a data subject’s request.
This is not only useful to keep track of any event happening on a data asset, as any traditional logging system would do, but it can also be used to demonstrate that the right actions have been taken at the right time by the right person.
This could be useful for businesses with particular exposure to access requests. Credit reference agencies, for example, receive a large number of subject access requests and face a high likelihood of a complaint to a supervisory authority following a request. Being able to record each action and demonstrate that it was taken is highly valuable.
Of course, blockchain shouldn't be applied directly to a personal data asset. Organisations need cryptographic techniques that track the data asset without recording the data itself in the chain, such as a cryptographic hash of the asset, as recommended by the CNIL (the French Data Protection Authority). One caveat: a plain hash of a low-entropy field such as an e-mail address or a national ID number can be recovered by hashing candidate values, so the CNIL's guidance prefers a keyed hash or cryptographic commitment, with the key held off-chain, over an unkeyed hash.
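The consent-by-reference design described above and the keyed-hash tracking of a data asset both reduce to the same building block: an append-only hash chain whose records carry only opaque identifiers. The following is an added example written for this page, not code from the original article or from any product it mentions; the ledger format, the field names, the HMAC-SHA256 commitment and the sample subject "alice@example.com" are all assumptions made here. It records consent given and withdrawn for a random reference, records an action on an asset identified only by its commitment, checks that the personal data never appears on the chain, and shows that editing a past block breaks verification.

```python
"""Append-only hash chain for GDPR evidence that holds no personal data.
Added example; the record layout and the sample subject are constructed."""
import copy
import hashlib
import hmac
import json
import secrets
from typing import Optional

GENESIS = "0" * 64


def new_reference() -> str:
    """Random opaque reference for a data subject. The reference->person
    mapping lives off-chain in the organisation's own database."""
    return secrets.token_hex(16)


def commit_asset(asset: bytes, key: bytes) -> str:
    """Keyed commitment (HMAC-SHA256) to a data asset. A plain hash of a
    low-entropy field can be brute-forced from a candidate list; with the
    key held off-chain the commitment cannot be inverted."""
    return hmac.new(key, asset, hashlib.sha256).hexdigest()


def _block_hash(body: dict) -> str:
    # Canonical JSON so verification recomputes exactly the same bytes.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceChain:
    def __init__(self) -> None:
        self.blocks: list = []

    def _append(self, payload: dict, ts: int) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev_hash": prev, "ts": ts, "payload": payload}
        body["hash"] = _block_hash(body)  # hash covers everything but itself
        self.blocks.append(body)
        return body

    def record_consent(self, ref: str, purpose: str, granted: bool, ts: int) -> dict:
        return self._append({"type": "consent", "ref": ref, "purpose": purpose, "granted": granted}, ts)

    def record_action(self, asset: str, action: str, actor: str, ts: int) -> dict:
        return self._append({"type": "action", "asset": asset, "action": action, "actor": actor}, ts)

    def consent_state(self, ref: str, purpose: str) -> Optional[bool]:
        """Latest recorded decision for (ref, purpose); None if never recorded."""
        state = None
        for b in self.blocks:
            p = b["payload"]
            if p["type"] == "consent" and p["ref"] == ref and p["purpose"] == purpose:
                state = p["granted"]
        return state

    def actions_on(self, asset: str) -> list:
        return [b["payload"] for b in self.blocks
                if b["payload"]["type"] == "action" and b["payload"]["asset"] == asset]

    def verify(self) -> bool:
        """Recompute every hash and link; any edited or reordered block fails."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["index"] != i or b["prev_hash"] != prev or _block_hash(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def contains_text(self, needle: str) -> bool:
        """True if the literal string appears anywhere on the chain."""
        return needle in json.dumps(self.blocks)


def build_sample_chain(ref: str, key: bytes) -> EvidenceChain:
    """Constructed scenario: consent given, a subject access request
    actioned, then consent withdrawn. Fixed timestamps for reproducibility."""
    chain = EvidenceChain()
    # Off-chain only: directory[ref] = "alice@example.com" (constructed sample).
    asset = commit_asset(b"alice@example.com", key)
    chain.record_consent(ref, "marketing", True, 1700000000)
    chain.record_action(asset, "subject_access_request_fulfilled", "dpo-1", 1700003600)
    chain.record_consent(ref, "marketing", False, 1700007200)
    return chain


def tampered_copy(chain: EvidenceChain) -> EvidenceChain:
    """Flip the withdrawal back to 'granted' in a copy, as a bad actor might."""
    bad = copy.deepcopy(chain)
    bad.blocks[2]["payload"]["granted"] = True
    return bad


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in the organisation's KMS, never on chain
    ref = new_reference()
    chain = build_sample_chain(ref, key)
    print("chain valid:", chain.verify())
    print("marketing consent now:", chain.consent_state(ref, "marketing"))
    print("email on chain:", chain.contains_text("alice@example.com"))
    print("tampered copy valid:", tampered_copy(chain).verify())
```

In a real deployment the chain would be replicated or anchored so that a single operator cannot quietly rebuild it from the tampered block onward; the point of the example is what goes on the chain (references and commitments) and what stays off it (the directory and the HMAC key), which is the part the GDPR analysis turns on.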
These examples – and there are many other possible applications – help to approach the blockchain/GDPR relationship from another perspective. By applying lateral thinking, a technology which at first glance is not compatible with the GDPR can become one which is able to provide strong and reliable solutions to support compliance.