How to address the Dissimilarities between GDPR and Blockchain
The complexities of GDPR, both in implementation and enforcement, mean that old technologies and internal legacy systems with overloaded IT platforms cannot solve them. With the emerging blockchain technologies, there are new avenues to further strengthen data ownership, transparency and trust between entities and to address the most critical GDPR issues. However, specific components of the GDPR prohibit storing data directly on current blockchain technology, since in GDPR terms ‘the data is not erasable’.
There continues to be a lot of hype and talk about GDPR, but very few are talking about the material technology and the related functionality needed to adequately protect personal data and give data subjects the opportunity to control it.
The technologies lack innovative approaches to improve personal data transactions or multi-factor authentication which the data subjects can control. This is because the focus does not originate with IT, which concentrates primarily on how to validate its IT systems and databases, while the rest of the stakeholders focus on the legal aspects.
The excessive focus on legal processes perhaps prevents us from using the available technology to its full potential. The result is our excessive reliance on old systems for storing data without using the benefits of, e.g., blockchain technologies.
Simplified off-chain GDPR compliant structure
- Who owns the data in your off-chain storage?
- Is the off-chain data even encrypted?
- Who can access this data?
- Where is it stored? Is it already copied to other systems?
Many companies working with big data analytics or sensitive data are struggling with the GDPR recitals and resorting to complicated workarounds. As with most dilemmas, it is possible to find implementation or development solutions within the legal GDPR framework and still achieve the benefits of, e.g., blockchain. Since we do not believe that regulators should or will review or amend the GDPR articles or recitals shortly (except to acknowledge the fact that data transfers know no boundaries), GDPR will require the use of blockchain by adopting a better approach to blockchain architecture.
The blockchain is transaction oriented, not database oriented, to use one of Jiri Kram’s phrases. Therefore the solutions are:
- anonymise personal data, which is an option for staying out of GDPR scope.
- decide what evidence you need on the blockchain and what you do not, remembering the primary reason for the success of blockchain.
- recognise that GDPR is about infrastructure to protect the rights of the data subject and avoid breaches, and that future blockchain architecture and solutions will be GDPR oriented.
- avoid using a public chain and use another alternative that was designed with GDPR and other EU laws in mind.
Optimise technology to tackle the immutability of transactions issue
Given the showstoppers, confrontations and dissimilarities between the prerequisites of GDPR and blockchain, and because blockchain is transaction oriented rather than database oriented for storing personal data, storing personal data on the current blockchain technology is not a clear option under GDPR.
The Copenhagen Compliance and EUGDPR Institute team is currently working on a GDPR solution in the data cloud that is a decentralised data storage system based on both database and data transactions using the blockchain technology. The new solution will store the user-defined GDPR data with a secure perpetual or sporadic (mutable or immutable) method of storing, retrieving, publishing or deleting (burning) data with a time stamp.
The General Data Protection Regulation, or GDPR in short, will become enforceable from 25 May 2018 and has a significant impact on organisations. Therefore, we are currently working on the blockchain architecture that is compliant with GDPR.
These and other relevant solutions are discussed in our global seminars. https://www.eugdpr.institute/events/