Blockchain and GDPR: Can they get along?

Blockchain promises immutable records. GDPR promises the right to be forgotten. How will this work out?
500 readers like this.

Blockchain ranks right up there as the tech hype darling of the moment. Though blockchain is much less mature than say, AI, IT leaders are keeping a  close eye on how blockchain may reshape vertical markets (such as finance) and functions (such as supply chain). Now some industry watchers are asking whether blockchain is headed for a bit of a collision with the European Union’s  General Data Protection Regulation (GDPR). The GDPR privacy regulations take effect today, May 25, and are applicable to many US and multinational organizations. They are the most sweeping privacy change most IT leaders have encountered to date, complete with potentially hefty fines.

What is the potential clash between blockchain and the privacy manifesto?

As Red Hat technology evangelist Gordon Haff recently noted, blockchain’s first characteristic that makes it an interesting fit for business applications is immutability. “Once something has been put on a blockchain, it can’t be removed or altered,” Haff notes. That’s one reason blockchain has captured developers’ imagination for legal, financial, and supply chain uses, he adds.

GDPR, on the other hand, promises an individual’s right to be forgotten – to have personally identifiable data removed. One benefit of this for a consumer might be that after a breach, you would no longer have to worry about what password you used in that long-forgotten service or online store, for example. 

[ See our related story: What is GDPR? 8 things leaders should know. ]

What areas should IT and business leaders be watching for as GDPR takes effect, with regard to blockchain? Here are five items to watch:

Much depends on the regulators' behavior:

How much blockchain and GDPR clash depends on what regulators pursue – and that will start to play out beginning today, May 25. “Like many other things associated with GPDR, the immutability of blockchain may be a real issue. Or it may not be,” says Haff. 

“One option is to store personally identifiable information off the blockchain itself – that is, use the blockchain to store the transaction, but not all the details of the transaction,” Haff says. “But that at least partially defeats the purpose of using an immutable blockchain in the first place. Alternatively, personal data on the blockchain could be encrypted with a private key that could be revoked on request or after some interval.

“What we can probably safely say is that immutability should be taken into account when deciding what data is to be stored,” Haff adds. “Simply deleting a database record at some future date isn’t really an option with blockchain.”

Blockchain is a toddler

“It’s not uncommon for new technology and regulatory regimes to be incompatible,” says Simon Langton, VP of professional services,  Avecto. “We can see this going on today around technologies like self-driving cars and regulatory systems around transport safety.” 

[ Where will GDPR affect your organization? See our related story: GDPR: Biggest pain points, now and later.]

“We saw something 20 or so years ago as strong cryptography became widely used in SSL, where it had previously been regulated like a munition as a legacy of the Second World War and the Cold War,” Langton adds. “Generally, the regulations are updated too.”

GDPR is just taking effect May 25 and blockchain itself is still quite early in its maturity cycle. As Irving Wladawsky-Berger of the MIT Initiative on the Digital Economy declared at the 2017 MIT Sloan CIO Symposium, “The Internet of the early to mid 90’s was really crappy. The Internet we are really happy with today took another 15 years to get there. We’re at the toddler stage [with blockchain]. Foundational technologies take a long time."

GDPR will have exceptions

Blockchain and the GDPR regulations “can co-exist for enterprise-class data and for processing, but there has to be a master data philosophy,” says James Stickland, CEO,  Veridium. “It would be nice for GDPR to have a seniority on safety for the right of the users.”

There will be exceptions: “On the surface, it would seem [blockchain and GDPR] are in direct conflict,” says Marc French, chief trust officer and data protection officer, Mimecast.  “However, the “right to be forgotten” has several carve-outs which allow organizations to refuse to delete data that is held for other legitimate business purposes.”

For example, “If you look at something like bitcoin blockchain, which is an immutable record of a financial transaction, you could make the argument that the legitimate business interest is around something like preventing money laundering, which would, in my opinion, trump deleting a record,” he says. 

But other implementations of blockchain technology may not have the same defensible position, French adds. “In these ‘less defensible’ cases, blockchain core precepts definitely conflict with GDPR subject access rights,” he says.

Your organization’s risk and legal experts will be balancing compliance costs, company values, and risk in these cases, as they do with other regulatory issues.

Forgotten may not mean permanently anonymous

“With GDPR and blockchain, it is unclear if a user can truly be forgotten, as opposed to permanently anonymous with no ability to tie the blockchain back to a specific user and data exchange event,” says Mayank Choudhary, vice president, ObserveIT. This is an area of concern, he says, as organizations consider how to apply blockchain and shape controls for blockchain ledgers. 

Auditing activity likely to be light at first

“The headlines focus on the financial ramifications of non-compliance; however, there is a lot of latitude in the regulation as to how and whether an organization will be fined,” Choudhary says. “The enforcement angle of GDPR compliance is unclear, and we truly will not know until after the deadline whether auditing will ultimately result in fines or just guidance for remediation.”

Mimecast’s French envisions “very little” auditing activity in year one. ”The European authorities will need to get the certification process in place first and give companies time to adapt,” he says. ”If this is a similar situation to what happened with PCI-DSS; it could take many years before the auditing process will be solidified.”

Time will tell as to the specific matters that GDPR regulators choose to focus on in the initial year of audits.

[ Enter our May giveaway for a chance to win one of 7 must-read books from MIT Press and MIT CIO Symposium speakers. ]

Laurianne McLaughlin is Editorial Director, Digital Communities for Red Hat, leading content strategy. Previously, she served as Content Director for The Enterprisers Project, Editor-in-Chief at InformationWeek.com, and Managing Editor at CIO.com.