Adapt Blockchain for GDPR compliance

Yes, there are ways for Blockchain applications to comply with the GDPR privacy laws of the European Union.

Data protection and privacy, among others, are two important reasons for global enthusiasm around Blockchain and why technology is transforming reliable, transparent, and traceable transactions on the Internet.

So it is ironic that much of the initial reaction on Blockchain relating to the General Data Protection Regulation (GDPR) is that the technology is unsuitable for new EU directives to improve data protection and privacy of consumers. It also happens that this is a superficial and useless misery. A closer look at Blockchain's underlying concepts and technologies reveals how the technology improves the fundamental privacy and data security aspects specified in GDPR, depending on how this solution is designed to meet the needs of the GDPR.

The challenge is adapting the new decentralized peer-to-peer Internet blockchain technology to the GDPR directives that are fundamentally based on the traditional centralized Internet approach.

Alternative Blockchain techniques enable GDPR compliance-oriented implementation. These techniques require a thorough understanding of DLP (Blocked Distribution Ledger Technology) technologies and their ecosystem. Blockchain identification management processes, such as those that store and process identifiable personal information (PII), are crucial in the design of GDPR-compliant solutions.

Addressing of immutability

One of the key principles of GDPR is Article 17 "Right to cancellation" (or "right to oblivion"). According to this GDPR principle, whenever requested, consumers can request that their personal information be deleted from their data processors (or "controllers").

However, due to the Blockchain record "immutability" principle, the data contained in the blockchain transactions are practically impossible to modify. The data is copied into peer-to-peer nodes, which function as distributed databases or distributed registers and are the main components of the Blockchain. The data that is added to the public, Blockchain without authorization is, in fact, there forever, and, technically speaking, such data, or other metadata, can not be changed. Because of the way Blockchain blocks and transactions are constructed, all information and records entered in the distributed accounting books are publicly visible, tamper-proof and immutable.

So, this immutability of data transactions is imprinted in the very fabric of the distributed accounting books make Blockchain incompatible with Article 17 of the GDPR? Not necessarily. The adoption of off-chain hybrid architectures for distributed data storage is an alternative approach to adapt to this challenge. Other alternatives require the maintenance of PII data within the user's devices, the creation of metadata and hashes of this PII information and the reference to these local data using third-party servers or the Blockchain itself. This creates different levels of compliance for Blockchain-GDPR.

To take into account Article 17, therefore, an alternative is that all information and data sensitive to GDPR could be stored off-line in distributed or cloud-based servers, with only the corresponding hashes stored in the Blockchain level. In this way, hashes act as control indicators for GDPR-sensitive data, which are stored off-line. These pointers to control are not the user data that GDPR tries to protect, but a pseudonymisation of that original data. The other database that stores the original data is not, in practice, subject to the problems concerning the immutability of the records provided by Blockchain. In accordance with article 17 compliance, the service provider may delete the "linkability" of the Blockchain hash pointer to the data present in the off-chain servers distributed when requested.

Addressing of anonymisation [19659003] Perhaps the most interesting – and most controversial – article about Blockchain's applicability to GDPR is Article 25, "Data Protection by design and by default ", which addresses pseudonymisation techniques for stored consumer data.

Hashing is the pseudonymization technique of Blockchain, and there are two critical interpretations for the pseudonym link using Blockchain related to Article 25. The first states that because the pseudonymisation of the data is accomplished in hashing Blockchain, but not in anonymity, the data link is no longer considered personal when it is established, and if this link is deleted, it also complies with Article 17. However, the second interpretation is that of the pseudonymization, even with all cryptographic hashes, it can still be connected to the original PII data. However, there may still be some mathematical evidence that the brute-force cyber-attack of off-line data linking using hashing could jeopardize this hypothesis.

The conclusion that leads to this discussion is that this problem remains a mobile target as Blockchain's innovation is accelerating, just as GDPR is about to be implemented, and major legal-technical battles are expected. The GDPR regulation must quickly adapt and accelerate the ramifications, problems and opportunities that are allowing the next generation of decentralized Internet using Blockchain technology.

You can take a look at my broader explanation of these ideas and join the conversation at IEEE Blockchain website.

Claudio Lima is vice-president of the IEEE Blockchain standard and co-founder of the BEC-Blockchain Engineering Council. He holds a Ph.D. in electronic engineering from UKC (England).

The InformationWeek community brings together IT professionals and industry experts with IT consulting, training and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experience to help our IT audience … View full biography

We welcome your feedback on this topic on our social media channels or [contact us directly] with questions about the site.

Further information

Source link