On March 25th, 2018, the GDPR came into effect and with it came stiff fines and restrictions on companies that process and control personal data. The regulation is aimed at protecting EU citizens from companies and bad actors who want to harvest and use personal data unscrupulously. Among the provisions the GDPR grants to individuals are the following rights:
- the right to erasure,
- the right to rectification,
- the right to data portability,
- and the right to object to the processing of personal data.
With that in mind, a good number of businesses have been working to ensure compliance with the EU GDPR. For businesses that use or plan to use Blockchain networks for their customer data management, the question of whether enterprise Blockchain applications can comply with the GDPR is still unanswered, and it comes on top of the other regulations that apply to crypto assets in each country. In this post, we aim to come closer to explaining whether and how it is possible to design a GDPR compliant Blockchain.
Blockchain and GDPR
First of all, is it even possible to design a GDPR compliant Blockchain? Given that the GDPR goes against the grain of Blockchain technology, whose ledgers are designed never to forget, experts agree that compliance is certainly difficult but not impossible.
According to Akshay Sharma, an analyst at neXt-Curve (an advisory firm), auditing is key, and businesses can achieve compliance with GDPR by “leveraging Hybrid Public and Private Blockchain Technology, with permission-based controls”.
He further mentions that “Blockchain technology can facilitate the managing and auditing process of personally identifiable information by leveraging its underlying encryption capabilities, logging of all transactions, policy controls within its smart contracts and resiliency within its highly replicated architecture”.
Therefore, if companies conduct thorough risk management with a complete understanding of Blockchain’s infrastructure and of the points where it conflicts with the GDPR, they can re-configure the Blockchain architecture to fit their needs.
With that in mind, let’s take a look at some of the ways Blockchain can be configured to remain GDPR compliant.
Choosing between changing regulations or the Blockchain
To begin with, Blockchain’s essential architecture makes it impossible to delete data. All the information entered on the blocks is immutable, meaning it cannot be edited or deleted. Therefore, the only viable ways around this question of immutability are to either convince regulators to redefine their meaning of erasure or find a way to make data on the Blockchain completely inaccessible.
Since influencing the EU parliament to amend the meaning of the term “erasure” might take a lot of lobbying and court debates, let’s take a look at how Blockchain can be configured to achieve compliance.
According to the GDPR, personal data means any data that can be linked to an identifiable individual. In fact, the GDPR provisions only provide a surface definition of the word “erase.” Therefore, in the absence of a clear-cut definition, most businesses will have to approach the matter on the basis of legal conformity.
Next, let’s take a look at several solutions to consider.
Personal data encryption and the Hashing Function
The hashing function is one of the most fundamental aspects of Blockchain technology. It refers to the transformation of data into an unrecognizable fixed-size digest through a one-way process: the original input cannot be computed back from the hash. The understanding with the GDPR provisions is that if data becomes anonymous it falls outside the scope of personal data, so hashing can be used to make personal data anonymous and thus lift the requirements set up by the GDPR. The downside of this strategy is that, even though it makes practical sense, the possibility of attackers brute-forcing the hashed data still stands. A brute force attack on a hash does not reverse the function; instead the attacker runs a program that hashes an extremely large number of guesses for the original input and compares each result with the stored hash. For high-entropy inputs this is a practically impossible task, but personal data such as names, dates of birth or e-mail addresses comes from a small, predictable space, and in that case the guessing approach can actually recover the input.
Keeping personal data off the Blockchain
All GDPR sensitive data can be stored off the chain to ensure compliance with the GDPR. Once the data has gone through the hashing process, the actual documentation can be stored on a cloud-based server while only the hashes remain on the Blockchain. Since the hashes reveal nothing readable on their own, they perform the function of pointing back to the personal data in the cloud while maintaining anonymity. The hashes simply act as control pointers that are not subject to the GDPR’s regulations, and therefore the personal data can be edited or even removed without changing the structure of the Blockchain. Keeping the data off-chain also solves the privacy problem posed by the GDPR: all personal data needs to remain under the control of the subject, and keeping the actual data off the Blockchain keeps it out of reach of the decentralized public on the network. The one check to build in is that the on-chain hash must not be guessable from the personal data alone (see the brute force caveat above); computing it with a secret salt or key that is stored and erased together with the off-chain record keeps the hash unlinkable even after the record is gone.
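The following is an added example written for this post, not code from the original article or from any Blockchain project. It demonstrates the two points made above with the Python standard library only: first, that a bare hash of a low-entropy value such as a date of birth can be recovered by hashing every candidate date and comparing; second, the off-chain pattern, where the personal data and a per-record secret key live in an off-chain store and only a keyed commitment (HMAC) is appended to a minimal hash-chained ledger, so that erasing the off-chain record and its key leaves the ledger intact but the on-chain value unlinkable. The ledger, the store, the record id `subject-42` and the date `1984-07-21` are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# ---------- Part 1: a bare hash of low-entropy personal data is guessable ----------

def sha256_hex(data: bytes) -> str:
    """Plain SHA-256, hex encoded: the kind of hash the post has in mind."""
    return hashlib.sha256(data).hexdigest()


def recover_birth_date(target_hex: str,
                       start: date = date(1900, 1, 1),
                       end: date = date(2020, 12, 31)):
    """Brute force in the sense the post describes: hash every candidate date of
    birth and compare with the stored hash.  Only ~44,000 candidates exist, so a
    bare hash of a date of birth is pseudonymised, not anonymised.  Returns the
    matching ISO date, or None if no candidate hashes to target_hex."""
    d = start
    while d <= end:
        if sha256_hex(d.isoformat().encode()) == target_hex:
            return d.isoformat()
        d += timedelta(days=1)
    return None


# ---------- Part 2: data off-chain, only a keyed commitment on-chain ----------

class OffChainStore:
    """Stand-in for the cloud-based store (constructed): holds the personal data
    and a per-record secret key.  Erasing the record also destroys the key."""

    def __init__(self):
        self._records = {}  # record_id -> (key, personal_data)

    def put(self, record_id: str, personal_data: bytes) -> str:
        key = os.urandom(32)
        self._records[record_id] = (key, personal_data)
        # HMAC commitment: without the key nobody can enumerate candidate inputs
        return hmac.new(key, personal_data, "sha256").hexdigest()

    def verify(self, record_id: str, onchain_commitment: str) -> bool:
        if record_id not in self._records:
            return False
        key, data = self._records[record_id]
        expected = hmac.new(key, data, "sha256").hexdigest()
        return hmac.compare_digest(expected, onchain_commitment)

    def erase(self, record_id: str) -> None:
        self._records.pop(record_id, None)


class Ledger:
    """Minimal append-only hash chain standing in for the Blockchain (constructed)."""
    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> dict:
        prev = self.blocks[-1]["block_hash"] if self.blocks else self.GENESIS
        index = len(self.blocks)
        block_hash = sha256_hex(f"{index}|{prev}|{commitment}".encode())
        block = {"index": index, "prev": prev,
                 "commitment": commitment, "block_hash": block_hash}
        self.blocks.append(block)
        return block

    def is_valid(self) -> bool:
        prev = self.GENESIS
        for b in self.blocks:
            if b["prev"] != prev:
                return False
            if b["block_hash"] != sha256_hex(f"{b['index']}|{prev}|{b['commitment']}".encode()):
                return False
            prev = b["block_hash"]
        return True


def demo() -> dict:
    """Walk through both points with a constructed record."""
    dob = "1984-07-21"                        # constructed sample value
    bare_hash = sha256_hex(dob.encode())
    guessed = recover_birth_date(bare_hash)   # the bare hash gives the date away

    store, ledger = OffChainStore(), Ledger()
    commitment = store.put("subject-42", dob.encode())   # constructed record id
    ledger.append(commitment)
    verified_before = store.verify("subject-42", commitment)
    store.erase("subject-42")                 # right to erasure: drop data and key
    verified_after = store.verify("subject-42", commitment)

    return {
        "bare_hash_guessed": guessed,
        "keyed_commitment_guessed": recover_birth_date(commitment),
        "verified_before_erasure": verified_before,
        "verified_after_erasure": verified_after,
        "ledger_still_valid": ledger.is_valid(),
        "ledger_still_holds_commitment": ledger.blocks[0]["commitment"] == commitment,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the bare hash being recovered, the keyed commitment resisting the same enumeration, verification succeeding before erasure and failing afterwards, and the ledger remaining valid and unchanged throughout. Keying the commitment per record (rather than with one global key) is what lets a single subject be erased without affecting anyone else.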
What about adapting a Hyperledger platform?
A Hyperledger platform operates much like a Blockchain network but with a few differences. Hyperledger is an umbrella open-source project, hosted by the Linux Foundation, that develops Blockchain frameworks tailored to enterprises. Various Hyperledger frameworks are currently being developed, but one of the most outstanding projects is Hyperledger Fabric. This platform allows businesses to use smart contracts, programmable mechanisms and pluggable modular protocols that make Blockchain applicable to enterprise needs.
The modular architecture of Hyperledger Fabric, in particular, features a channel system: a subset of the participants on the distributed network share a ledger that the other members cannot read. This means participants can share information on the network without that information being public. Furthermore, you can program your own network with pluggable protocols and smart contracts so as to fit the specific needs of your company.
Apart from the GDPR, Blockchain based companies must prepare for more regulations from regulators and governments around the world. So far, most stakeholders believe that reconciling the GDPR and Blockchain is difficult and almost impossible. But, as you can see, there is room for exploring different possibilities towards designing a GDPR compliant Blockchain. After all, Blockchain has already proven to be an innovative technology that can improve transparency, data security, and interoperability. As long as lawmakers, enterprise owners, and developers work hand in hand, a viable solution can be achieved.