Under the GDPR legislation, anyone collecting personally identifiable information of EU citizens must first get their consent. They must also respect any request to edit or remove personal information. There are simple solutions for modifying websites and applications, but what if the application cannot be edited? Blockchain was specifically built to store an immutable record of transactions. Immutability is, in fact, its primary characteristic. In this blog, we examine why this is a problem and how it is being addressed.
The problem
Blockchain technology by its very nature does not allow for the manipulation of previously-entered data. This would mean that under the GDPR, all parties involved in the collection and manipulation of the data are noncompliant. An argument can be made that since the identities of transacting parties can be anonymized, the data is not personally-identifiable. However, since anyone with the private key can decrypt the record and see the identity, this does not meet compliance standards.
Under the GDPR, personal information cannot be collected without the user’s consent, unless the information is pseudonymized. Pseudonymity is achieved when a piece of information cannot link directly to a person. With blockchain technology, all information entered into the blockchain is encrypted, and thus completely hermetic to those who do not have the appropriate hash. Still, this does not pseudonymize the data as per the specifications of the legislation, since your company still has access to personally identifiable data.
The solution
The most common solution involves storing the personal data off-chain in a separate, traditional database. A hashed record of the event and data would remain on-chain as evidence the transaction occurred. This would allow the data to be accessed and removed from the database without disturbing the transaction details. In this way, you can use the blockchain as an access control mechanism to personal user data. The real question is: is it worth it?
Much of the benefits that can be derived from blockchain technology are lost. The data is personally identifiable, and as such, it falls under the GDPR. Plus, this method complicates access to the data unnecessarily – the higher the number of parties that need to access the data, the higher the complexity of the point-to-point integration system for each member of the blockchain. On top of that, spreading information in this manner leaves the company open to more attack vectors, increasing the risk of a potential breach.
The GDPR and blockchain technology are currently not compatible. Given the nature of the blockchain, users cannot request the removal of personally identifiable information, making blockchain technology non-compliant with the GDPR.