Blockchain with GDPR

Amik Pramanik
Aug 31, 2018 · 5 min read

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It is a piece of legislation that was approved in April 2016. European authorities gave companies two years to comply, and it came into effect across the EU on May 25, 2018.

GDPR gives people more control over their personal data and forces companies to make sure that the way they collect, process and store it is safe.


This does not apply only to companies in the EU; it also applies to non-EU companies that do business in the EU. So it is going to affect the majority of big organizations, because they need to redesign their systems to make them GDPR compliant.

How is GDPR going to affect Blockchain?

One of the key characteristics of Blockchain is immutability: once you have agreed on a transaction and recorded it in the Blockchain, it can never be changed. You can subsequently record another transaction about that asset to change its state, but you can never hide the original transaction. This gives provenance of assets: for any asset you can tell where it is, where it has been and what has happened to it throughout its life. That is one reason Blockchain has captured developers' imagination for legal, financial and supply-chain uses.

GDPR breaking Blockchain (image: Biblica.com)

GDPR, on the other hand, gives an individual the right to be forgotten (the right to erasure, Article 17), i.e. to have Personally Identifiable Information / Protected Health Information (referred to below as PII and PHI; the regulation itself uses the broader term "personal data") removed. This benefits consumers, protects their data from being misused, and guarantees that the data is used only for the purpose for which it was collected from the consumer.

Let's not go deeper into GDPR here; if you want, you can read more about it here.

Making Blockchain application GDPR compliant:

Blockchain, as normally deployed, does not comply with the GDPR paradigm. But we cannot walk away from a technology as promising as Blockchain because of this.

Let's take the use case of a national board that has multiple schools. It wants to implement a Blockchain solution to keep track of student data and ongoing activities. In this solution each school is treated as a node. Each node holds student data that counts as PII, i.e. students' addresses, academic details etc.

Now let's see what workarounds are available to build a Blockchain solution for the above use case that is GDPR compliant.

Workaround 1:

The best solution so far is a Hybrid Storage model: store the PII/PHI data off-chain, and store on the Blockchain only a reference to the data, a hash of the data and other metadata. Let me guide you through how we can implement that:

Public or Permissionless Blockchain solution:

If it is a Public Blockchain, then any school (node) that registers with the chain has to download and keep a local copy of the complete blockchain. The blockchain data is shared among every school, and so is any PII data that was written to it.

Now if one of the schools stops operating and wants all of its data deleted, it is going to be a messed-up scenario. They would need to reach every node to delete the local copy of the data; though that is theoretically feasible, the Blockchain will not allow it. Blockchain works on a CRAB model (Create, Retrieve, Append, Burn). No Delete.

The board has no control over the student data. So making a Public Blockchain GDPR compliant is out of scope.

Private or Permissioned Blockchain solution:

For a Private Blockchain solution the board has a more controlled architecture, and it will use the Hybrid Storage model. Each node still keeps a copy of the chain, but the chain no longer carries the student data itself, only a hash and a reference to it, so holding the chain does not mean holding a local copy of the PII.

Storing off-chain:

The board uses off-chain storage, which may be a physical data center or the cloud. The application runs a hash function (any cryptographic hash algorithm, e.g. SHA-256) over the student's data and stores the resulting hash in the Blockchain, whereas the original data is stored off-chain.

Suppose a school (node) decides to stop operating and take itself out of the chain along with its existing data. To implement this, the board deletes that node's records from the off-chain storage, and the chain is left with only hashes that no longer link to anything.

Architecture for Off-Chain Storage Blockchain Solution

There is then practically no way to recover the data from the hash alone, so to that extent we can call this a GDPR compliant solution.

But if someone has, or can guess, the input data, they can recompute the hash and confirm from the chain that the record existed; names and addresses are low-entropy enough to be guessed from a roster. To avoid this, add a random per-record value (a salt; the literature often loosely calls it a nonce, an arbitrary number that is used just once) to the input before hashing. The salt is stored off-chain next to the record and deleted together with it, so once the record is erased nobody can recompute the hash, even with the original input.
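Here is how the salted commitment looks in code. This is an added example written in Go, not code from the post; the `StudentRecord` fields, the function names and the roster data are constructed for illustration. It shows the naive SHA-256(record) design being linked from a guessable roster, the board verifying a salted commitment while the record still exists off-chain, and the salted design surviving the same linking attack once the off-chain salt has been deleted.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// StudentRecord is the PII a school node keeps off-chain. The field set is a
// constructed example, not the board's real schema.
type StudentRecord struct {
	Name    string
	Address string
	Grade   string
}

// canonical fixes one byte encoding so equal records always hash identically.
// The separator cannot occur in the fields, so "a|bc" and "ab|c" stay distinct.
func (r StudentRecord) canonical() []byte {
	return []byte(r.Name + "\x1f" + r.Address + "\x1f" + r.Grade)
}

// UnsaltedCommitment is the naive design: on-chain value = SHA-256(record).
func UnsaltedCommitment(r StudentRecord) string {
	sum := sha256.Sum256(r.canonical())
	return hex.EncodeToString(sum[:])
}

// NewSalt draws 32 random bytes. The salt lives off-chain next to the record
// and is deleted together with it.
func NewSalt() []byte {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		panic("no usable randomness: " + err.Error())
	}
	return salt
}

// SaltedCommitment is the hardened design: on-chain value = SHA-256(salt || record).
// Without the salt the digest cannot be recomputed, even by someone who can
// guess the record exactly.
func SaltedCommitment(r StudentRecord, salt []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write(r.canonical())
	return hex.EncodeToString(h.Sum(nil))
}

// Verify is what the board runs while the record still exists: recompute the
// commitment from the off-chain record and salt and compare it in constant
// time with what is on the chain.
func Verify(onChain string, r StudentRecord, salt []byte) bool {
	want := SaltedCommitment(r, salt)
	return subtle.ConstantTimeCompare([]byte(onChain), []byte(want)) == 1
}

// LinkByGuessing models an attacker who holds a copy of the chain and a list
// of candidate records (a published roster, say). If they also obtained the
// salt they use it; if the salt was deleted (nil), the best they can do is
// hash the candidates bare. Returns the index of the matching candidate, or -1.
func LinkByGuessing(onChain string, candidates []StudentRecord, salt []byte) int {
	for i, c := range candidates {
		var guess string
		if salt == nil {
			guess = UnsaltedCommitment(c)
		} else {
			guess = SaltedCommitment(c, salt)
		}
		if guess == onChain {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed sample data.
	alice := StudentRecord{"Alice Example", "1 Example Street", "A"}
	roster := []StudentRecord{{"Bob Example", "2 Example Street", "B"}, alice}

	// Naive design: the roster alone is enough to link Alice to the chain.
	fmt.Println("unsalted, linked at index:", LinkByGuessing(UnsaltedCommitment(alice), roster, nil))

	// Hardened design: verifiable by the board, linkable only while the salt exists.
	salt := NewSalt()
	onChain := SaltedCommitment(alice, salt)
	fmt.Println("salted, board can verify:", Verify(onChain, alice, salt))
	fmt.Println("salted, salt still held, linked at index:", LinkByGuessing(onChain, roster, salt))
	fmt.Println("salted, salt deleted, linked at index:", LinkByGuessing(onChain, roster, nil))
}
```

The salt has to be per record and drawn from `crypto/rand`, never a counter or anything derivable from the record itself, otherwise the attacker regenerates it along with the input. Note also that erasure here means deleting both the record and its salt from the off-chain store; the chain is never touched.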

Workaround 2:

Removing the key:

The board can encrypt the data with its own key and store the ciphertext on the chain. If a school (node) ever wants data deleted, the board simply destroys the decryption key (for a key pair, that is the private key, not the public one). The ciphertext is still present on the Blockchain, but there is no longer any way to decrypt it. This only works as erasure if each student record, or at least each school, has its own key: with one board-wide key, destroying it would erase everyone's data at once. Whether a ciphertext whose key has been destroyed counts as erased under the regulation is a legal question this post does not settle.
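A minimal crypto-shredding setup, written in Go and added here as an illustration rather than taken from the post: a map stands in for the append-only ledger, an in-memory `KeyVault` for the board's off-chain key store, and the record ID `student-42` and the plaintext are constructed sample data. Each record gets its own AES-256-GCM key; `Shred` deletes only that key, so the ciphertext stays on the chain but can no longer be opened, and the record ID is bound in as associated data so a ciphertext cannot be re-attributed to another student.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a record's key has been destroyed: the
// ciphertext is still on the chain, but nothing can read it any more.
var ErrKeyShredded = errors.New("decryption key has been destroyed")

// Chain stands in for the ledger: entries are appended once and never removed.
type Chain struct {
	entries map[string][]byte // record ID -> nonce || AES-GCM ciphertext
}

func NewChain() *Chain { return &Chain{entries: map[string][]byte{}} }

// Has reports whether a ciphertext for the record is (still) on the chain.
func (c *Chain) Has(id string) bool { _, ok := c.entries[id]; return ok }

// KeyVault is the board's off-chain key store, one 256-bit key per record.
// A single board-wide key would not do: destroying it would erase every
// student at once.
type KeyVault struct {
	keys map[string][]byte
}

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// Shred is the erasure operation: delete the key, leave the chain untouched.
func (v *KeyVault) Shred(id string) { delete(v.keys, id) }

// gcmFor returns an AEAD for the record's key, creating a fresh key only when
// asked to (on first store). After Shred, reads get ErrKeyShredded.
func (v *KeyVault) gcmFor(id string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[id]
	if !ok {
		if !create {
			return nil, ErrKeyShredded
		}
		key = make([]byte, 32) // AES-256
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		v.keys[id] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the record under its own key and appends nonce||ciphertext.
// The ledger is append-only, so a second Store for the same ID is refused.
func Store(ch *Chain, v *KeyVault, id string, plaintext []byte) error {
	if ch.Has(id) {
		return fmt.Errorf("record %q already on chain; ledger is append-only", id)
	}
	gcm, err := v.gcmFor(id, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ch.entries[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Read decrypts the on-chain ciphertext, which only works while the key exists.
func Read(ch *Chain, v *KeyVault, id string) ([]byte, error) {
	blob, ok := ch.entries[id]
	if !ok {
		return nil, fmt.Errorf("record %q not on chain", id)
	}
	gcm, err := v.gcmFor(id, false)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("record %q: ciphertext too short", id)
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

func main() {
	ch, vault := NewChain(), NewKeyVault()
	pii := []byte("Alice Example, 1 Example Street, grade A") // constructed sample
	if err := Store(ch, vault, "student-42", pii); err != nil {
		panic(err)
	}
	got, _ := Read(ch, vault, "student-42")
	fmt.Printf("before shred: %s\n", got)

	vault.Shred("student-42") // the erasure request from the school
	_, err := Read(ch, vault, "student-42")
	fmt.Println("after shred:", err, "| ciphertext still on chain:", ch.Has("student-42"))
}
```

In a real deployment the vault would be an HSM or a cloud KMS with key deletion audited, since the whole erasure guarantee rests on the key being gone from every backup as well as from the live store.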

Although the above approaches come close to full GDPR compliance, they have the cons listed below:

Cons of the above workarounds:

They turn the Blockchain application into an access control system: whoever holds the off-chain store and the keys decides who can read the data.

Performance is slower compared to a normal Blockchain solution.

Designing the solution is more complex.

Conclusion

Blockchain and GDPR cannot co-exist perfectly. But workarounds are available, as mentioned above. Blockchain is a promising technology, and we don't want to stop its emergence because of GDPR.

Nowadays every Blockchain enthusiast is looking for a new approach to make Blockchain applications qualify under GDPR. But we have yet to find a perfect solution.

Till then Happy Reading :)

Please feel free to provide feedback for its betterment. Thank you, and get in touch in case of any issues.