GDPR Blockchain And Cryptocurrency: Data Privacy

    How does GDPR affect the Blockchain and Cryptocurrency?

    With GDPR now a recognised data privacy regulation, organisations both large and small have been affected, and this will result in larger impacts for individual businesses. The ethos behind Blockchain and cryptocurrency is very much affected: how do you make these innovative architectures GDPR compliant?

    Blockchain and Cryptocurrency

    The fundamental logic behind the Blockchain is its security and encryption, which make data unreadable to others without the decryption key that returns the encrypted data to its original form. Transactions once written to the Blockchain cannot be changed; the transaction cannot be deleted, as this would corrupt the Blockchain.

    With the Blockchain, an individual can review the complete audit trail of, for example, cryptocurrency transactions; this gives complete transparency to all blockchain and cryptocurrency transactions that are written to the public Blockchain. Transparency on private Blockchains is different, as access is limited to those who hold the private key.

    Blockchain and Persistent Storage

    Create, Retrieve, Append, Burn: this is the methodology of storage on the Blockchain. Once a transaction is written to the Blockchain, it cannot be deleted or cancelled; the Blockchain can only be appended to, and existing data remains unaltered.

    Therefore, when a cryptocurrency such as Bitcoin or Ethereum is transferred, the action cannot be changed once the transaction has been committed to the Blockchain. This has implications when cryptocurrencies are stolen or illegally transferred, as it is not possible to undo these actions.

    The GDPR Implications

    The regulations and rules of the GDPR are well documented, and one of the fundamental values of the GDPR is the right to have your personal information erased. Another key element of the GDPR is the regulation of how your data can leave the EU. With websites, for example, this can be easier to manage, but with the Blockchain and cryptocurrency this becomes more complex, as there is no control over where the nodes of the Blockchain are hosted. These nodes could be anywhere worldwide!

    When the GDPR Regulations were formalised, Blockchain was in its infancy, and it is likely this was not fully considered by the decision makers. The GDPR Regulations presumed it would always be possible for personal data to be deleted. With data written to the Blockchain, this is most certainly not the case.

    Making the Blockchain and Cryptocurrency GDPR compliant

    GDPR certainly has an effect on what can be stored on the Blockchain. In line with the GDPR Regulations, personal data should not be written to the Blockchain, as the data cannot be amended or erased once written. A possible solution for Blockchain and cryptocurrency transactions is to store the personal data outside the Blockchain and link it to the transaction by a reference generated on the Blockchain.

    An example of how this GDPR, Blockchain, Cryptocurrency workaround may work is described below.

    1. A company has software systems that store transactional data on the Blockchain.
    2. The company needs to ensure it is GDPR compliant, so personal information related to cryptocurrency transactions must be stored outside of the Blockchain while retaining a high level of security.
    3. The software system sends a request for the personal data; the request is verified and checked to ensure it has permission to view the data. If the request is valid, a link is returned that will send the software a key to access the data that is stored offline.
    4. With the link to the personal data, it is possible for the software to update the personal information, or erase it if requested, ensuring GDPR compliance.
    5. With regard to the blockchain and cryptocurrency transaction, the system can verify that the data has not been corrupted or tampered with by comparing the hash value of the retrieved data and the hash value provided by the Blockchain. If the two hash values match, this is the confirmation that the data is valid and has not been tampered with.
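
    The workflow above, sketched as an added example (not code from the original article): an append-only ledger holds the transaction and a hash, while the personal data sits in a separate erasable store. `Ledger`, `record_transaction`, `fetch_personal` and `erase_personal` are hypothetical names, the per-record salt is an assumption of this sketch, and the update case from step 4 is left out.

```python
import hashlib
import json
import secrets

class Ledger:
    """In-memory stand-in for the Blockchain: entries can only be appended."""
    def __init__(self):
        self._entries = []
    def append(self, entry):
        self._entries.append(json.dumps(entry, sort_keys=True))
        return len(self._entries) - 1          # reference generated on the chain
    def get(self, ref):
        return json.loads(self._entries[ref])

def digest(salt, personal):
    # Canonical JSON so identical data always produces the same hash.
    body = json.dumps(personal, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + body).hexdigest()

def record_transaction(ledger, store, tx, personal):
    # Assumption: a random salt is kept off-chain with the data so that, after
    # erasure, the on-chain hash cannot be matched by guessing likely values.
    salt = secrets.token_bytes(16)
    ref = ledger.append({"tx": tx, "personal_hash": digest(salt, personal)})
    store[ref] = {"salt": salt, "personal": dict(personal)}
    return ref

def fetch_personal(ledger, store, ref, requester, allowed):
    # Step 3: check permission before releasing anything.
    if requester not in allowed:
        raise PermissionError(f"{requester} may not read record {ref}")
    row = store.get(ref)
    if row is None:
        return "erased", None                  # chain entry remains, data is gone
    # Step 5: compare the hash of the retrieved data with the on-chain hash.
    expected = ledger.get(ref)["personal_hash"]
    if secrets.compare_digest(digest(row["salt"], row["personal"]), expected):
        return "valid", dict(row["personal"])
    return "tampered", None

def erase_personal(store, ref):
    # Step 4: erasure touches only the off-chain store, never the ledger.
    return store.pop(ref, None) is not None

if __name__ == "__main__":
    ledger, store = Ledger(), {}               # constructed sample data
    ref = record_transaction(ledger, store, {"amount": "0.5"}, {"name": "Alice Example"})
    print(fetch_personal(ledger, store, ref, "billing", {"billing"}))
    erase_personal(store, ref)
    print(fetch_personal(ledger, store, ref, "billing", {"billing"}), ledger.get(ref))
```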

    Are these workarounds beneficial?

    These approaches cannot be as efficient as writing and obtaining personal information directly from the Blockchain. These options are only considered in order to comply with the GDPR Regulations.

    What are the benefits?

    •  These workarounds can ensure that the method is completely GDPR compliant.
    •  It becomes possible to erase information in line with the GDPR Regulations, creating the necessary flexibility in the Blockchain and for cryptocurrency transactions.

    What are the downsides?

    • Transparency of data that is key to the Blockchain is reduced. Once data is stored offline, it is no longer easy to identify who has access to the data.
    • The ownership of data stored on the Blockchain is no longer so clear.  Once data is stored outside of the Blockchain, the ownership of the data is no longer so clearly identified.
    • It is still necessary to have P2P integration.
    • For each new company added to the system, it is necessary to add a new P2P connection.
    • The Blockchain functions differently to its designed usage. The Blockchain becomes a lookup table for referencing other data, rather than the infrastructure for storing transactions such as cryptocurrency.
    • With data spread across different entities, there are higher risks of security breaches or personal data being compromised, especially when considering high-value transactions that could exist with cryptocurrency.
    • The process becomes more complicated. The more complex processes become, the greater the risk of errors and of systems that are more exposed to security issues.

    The GDPR Goal

    The GDPR aims to return the ownership of data to the individuals. One of the critical elements of the GDPR is the right to have your data erased. The Blockchain relies on encryption keys; by no longer having access to the encryption keys, the data becomes inaccessible. But this is still not sufficient to be classed as data erasure, as the personal data would always be stored on the Blockchain.

    Conclusion

    With Blockchain technologies continuing to evolve and cryptocurrency becoming a feature of everyday life, GDPR gives us the opportunity to improve individuals' ownership of their data and to improve trust with third parties that may hold their data. There is no simple way to store personal information on the Blockchain and retain GDPR compliance, given the need to be able to delete or update personal information. As things stand, this will limit how the Blockchain technology can be fully utilised, meaning that more dated technology must continue to be used to store the personal data that cannot be stored on the Blockchain.

    Unfortunately, this approach takes away so many of the obvious benefits of the Blockchain, including:

    • How secure is the data stored outside of the Blockchain?  Is this data encrypted?
    • How easy is it to access the data outside of the Blockchain? The Blockchain offers the best platform for security and data storage.
    • Who owns the data when it is not stored on the Blockchain?
    • Is this data stored in other locations, who has access to this data, and has it been shared with others, in the EU or outside of the EU?

    There are many things to consider; maybe the GDPR will be amended in the future to incorporate the Blockchain and cryptocurrency into its GDPR compliance directive.
