GDPR compliance and Blockchain

There are concerns that the now-active General Data Protection Regulation (GDPR) and distributed ledger technology are incompatible, most likely stemming from the notion that, by virtue of a blockchain’s inherent public and transparent nature, it is far too accessible to be safe for enterprise use. 

This is not actually the case. While transactions can be seen occurring across the network, the data in and of itself is not stored on the blockchain – instead, a cryptographic hash is derived from the data and is then uploaded.

Blockchain-based platforms enable the storage and provenance of data to be conducted in an anonymous fashion. Protocols can be built in such a way that allows for the destruction of certain data sets, in compliance with GDPR requirements. Contrary to popular belief, provided that blockchain solutions use such a mechanism, GDPR will see increased adoption of blockchain tech.

If anything, GDPR has prompted a renewed understanding of the importance of secure data storage. It is doubtful that the legislation will interfere with existing or future blockchain systems (provided, of course, that these are truly distributed), which aim to put information back in the control of its owners.

First passed into law in April 2016, the EU GDPR regulations came into effect on May 25th, 2018. As the EU’s response to an increasingly theft-prone personal data environment, these regulations aim to protect consumer data integrity and to enforce enterprise security measures focused on it.

One of the defining features of the new regulations is that of “privacy by design”. Rather than building a system and “adding” privacy and security as a secondary concern, the EU stipulates that the system must be designed in a way that minimizes extraneous data collection and guards the data that is necessary for operations.

Luckily, distributed ledger technology is designed to be both intensely private and equally secure.

Firstly, the public and private key system allows participants to send and receive data with nearly perfect anonymity, depending on the application. The private key grants access, while the public key serves as an address for inter-user transactions, detached from any personally identifying elements.

Additionally, by decentralizing transaction processing, distributed ledger systems remove the vulnerabilities commonly exploited in centralized data repositories. Rather than allowing for an identifiable single point of failure, a blockchain ledger makes single-breach failures a near impossibility. 


One of the other critical features of a GDPR-compatible blockchain service is immutability. In order to rely on evidence of GDPR compliance, all parties must be able to trust that it is complete, accurate and unchanged. This can only be achieved by using blockchain to record transactions. 

When digital records, such as data transactions, events, and documents, are delivered to the platform, the platform creates a unique signature for each. It then stores these signatures in an unchangeable ledger, called a proof chain.

When new evidence seals are made, the evidence owner receives a receipt with a token to enable proof certificates based on those seals to be obtained whenever they are needed. These proof certificates can verify claims for all parties involved, providing clear evidence of an action or claim.
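The proof-chain model described above, as an added example written for this page (not Evident Proof's own code): the ledger stores only a salted SHA-256 commitment per record, hands the record owner a receipt, and later checks a proof certificate against the chain. The class and method names (ProofChain, seal, verify_proof) are assumptions; the salt is what keeps a low-entropy personal record from being recovered by guessing against the public hash, and discarding the off-chain record and salt is the erasure step.

```python
import hashlib
import secrets

def commit(record: bytes, salt: bytes) -> str:
    """Salted SHA-256 commitment. The chain stores this, never the record itself."""
    return hashlib.sha256(salt + record).hexdigest()

class ProofChain:
    """Append-only ledger of commitments (assumed toy design for this page).
    Each entry binds the previous entry's hash, so editing one entry breaks
    every later link and is caught by verify_chain()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # {"index", "prev", "commitment", "entry_hash"}

    def seal(self, record: bytes) -> dict:
        """Seal a record: store its commitment on-chain, return the owner's receipt."""
        salt = secrets.token_bytes(16)
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        c = commit(record, salt)
        entry_hash = hashlib.sha256((prev + c).encode()).hexdigest()
        self.entries.append({"index": len(self.entries), "prev": prev,
                             "commitment": c, "entry_hash": entry_hash})
        # The receipt (index + salt) stays off-chain with the data owner; it is
        # the token needed to obtain a proof certificate later.
        return {"index": len(self.entries) - 1, "salt": salt.hex()}

    def verify_chain(self) -> bool:
        """Recompute every link from genesis; any altered entry fails."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = hashlib.sha256((prev + e["commitment"]).encode()).hexdigest()
            if e["index"] != i or e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True

    def verify_proof(self, receipt: dict, record: bytes) -> bool:
        """Proof certificate check: holder presents record + receipt, and the
        chain confirms the commitment at that index matches an intact ledger."""
        if not self.verify_chain() or receipt["index"] >= len(self.entries):
            return False
        salt = bytes.fromhex(receipt["salt"])
        return self.entries[receipt["index"]]["commitment"] == commit(record, salt)

if __name__ == "__main__":
    chain = ProofChain()
    consent = b"consent: alice@example.test 2018-05-25"  # constructed sample record
    receipt = chain.seal(consent)
    print("proof valid:", chain.verify_proof(receipt, consent))
    del receipt, consent  # erasure: without the salt the on-chain hash is unlinkable
    print("chain still intact:", chain.verify_chain())
```

After erasure the ledger still verifies, but the plain hash of the original record no longer matches anything on it, which is the property that makes the hash-only design compatible with a deletion request.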

In the increasingly regulated world of data collection, storage, and security, blockchain provides the most reliable route towards compliance with new and upcoming international regulations. The decentralized and minimally invasive nature of the blockchain platform follows new GDPR principles of privacy by design, and the immutability and availability of a proof chain implementation ensures resistance to malicious (or negligent) data corruption. 

While future political steps may complicate the landscape further, blockchain currently presents the most viable option for companies looking to ensure total GDPR compliance. 

Adrian Clarke is founder of tech start-up Evident Proof and CEO of Berkshire Cloud

Adrian Clarke is the managing director at FUJIFILM. He has more than 12 years of working experience, and his business domain is SVP for Digital Cameras, Lenses and Accessories.