GDPR and Blockchain: Could They Live Together?

Applicature
Published Nov 6, 2018 (9 min read)

The Importance of Data

There was a time when wealth alone determined who you were and gave you an advantage over others. It might seem that money plays the same role today, but that is only half the picture. Data has become the new source of leverage, especially now that every field of activity is being digitised.

Losing critical data can be fatal to a business. If confidential information leaks into the hands of untrustworthy individuals or parties, it can be used against its owner, resulting in financial loss or worse.

The Consequences of Data Loss

First, it is important to note that data loss has many causes: fire, drive failure, malware, or anything else that makes a system fail. Because data is so valuable to businesses, there is also the risk of deliberate theft.

Statistics cited in the original post claim that data loss has a devastating effect on businesses, causing bankruptcy and closure:

  • 93% of businesses that lost control of their data for more than a week filed for bankruptcy within a year of the disaster, and 50% of companies that lost access to their data centre for the same period filed almost immediately (attributed to the National Archives and Records Administration in Washington, D.C.).
  • 94% of businesses that suffer a major data loss end up closing (attributed to the University of Texas).

Distributed-Ledger Technology

The era of keeping paper documents under pillows or in safe-deposit boxes began to end with the appearance of the first blockchain, Bitcoin, in 2009.

Satoshi Nakamoto gave both individuals and businesses the option of recording data on a distributed ledger: a blockchain, a replicated database made of an ever-growing chain of blocks. Each block contains a set of transactions and the hash of the previous block; miners assemble blocks, and the network accepts them according to a consensus protocol (proof of work in Bitcoin's case). Transactions reference addresses, which are derived from public keys held in wallets; the blocks do not contain the nodes or wallets themselves. In the Bitcoin blockchain the main limits on blocks are their size (originally 1 MB, since the 2017 SegWit upgrade a block weight of 4 million units) and their frequency (one block roughly every ten minutes on average). The ledger is effectively immutable: rewriting a confirmed block would require redoing the proof of work for it and for every block after it, so in practice neither a block nor the data in it can be changed or erased once the network has built on top of it.

Blockchain for Data Storage

Blockchain is often presented as a way to make cloud data storage more tamper-evident and transparent. Both properties follow from the nature of the ledger: the data is replicated across every node in the network, and any node can verify that it has not been altered. The flip side is that on a public blockchain every node can also read the data; the chain itself provides no access control, so anything confidential must be encrypted before it is written, with access governed by who holds the decryption keys.

Data storage on a blockchain can seem hard to picture. The original post included a diagram illustrating the principles described above (not reproduced here).

GDPR

All spheres of human activity eventually have to adapt to the digital era, and governments are no exception. Because data matters so much to businesses and individuals, governments pass laws that try to protect the rights of both.

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted by the European Parliament and the Council of the European Union in April 2016 and has applied since May 25, 2018. Its goal is the protection of personal data and the privacy of individuals in the EU. It also governs the transfer of personal data outside the EU. The central aim is to give individuals control over their personal data, and the regulation was written to unify the legal framework across member states, which simplifies cross-border business.

The GDPR covers every organisation, regardless of where it is headquartered, that processes the personal data of individuals in the EU. What distinguishes the GDPR from the earlier EU data-protection rules is its wider scope, stricter requirements, and much higher fines.

A long-standing data-protection problem is that even after a data subject deletes an account on a website or with a service provider, the information often remains on the provider's servers. The GDPR gives individuals in the EU a way to take control of that data: a compliant organisation must irreversibly delete the data of a subject who exercises the right to be forgotten, unless another legal obligation requires it to be kept.

Main Principles

Any organisation that becomes GDPR-compliant must observe the principles set out in Article 5 of the regulation:

  • Lawfulness, fairness, and transparency: personal data must be processed lawfully, fairly, and transparently with respect to the data subject (the individual the data relates to).
  • Purpose limitation: data may be collected only for specified, explicit purposes, which must be stated in the privacy policy, and may not be used for incompatible purposes later.
  • Data minimisation: only the data needed for those purposes may be processed.
  • Accuracy: data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased.
  • Storage limitation: data must not be kept longer than its purpose requires, so stored data should be reviewed periodically and unused information removed.
  • Integrity and confidentiality: personal data must be protected by appropriate technical and organisational security measures.
  • Accountability: the controller is responsible for demonstrating compliance with all of these principles, including by keeping records of processing.

Data Processing

Processing is lawful only if at least one of the legal bases in Article 6 applies:

  • the data subject has given consent to the processing of his/her data
  • processing is necessary to perform a contract with the data subject
  • processing is necessary to meet a legal obligation of the controller
  • processing is necessary to protect the vital interests of the data subject or another person
  • processing is necessary for a task in the public interest or in the exercise of official authority
  • processing is necessary for the legitimate interests of the controller or a third party.

The last basis has an exception: it cannot be relied on where those legitimate interests are overridden by the interests or fundamental rights of the data subject, particularly when the data subject is a child.

Accountability

To become GDPR-compliant, an organisation acting as a data controller must build data protection by design and by default into its systems (Article 25), so that the technical and organisational measures in place match the GDPR's requirements from the outset rather than being bolted on afterwards.

Once those measures are in place, the data subject must be told what information the organisation holds about him/her and what has been done with it: how long it has been kept, which other parties it has been transmitted to, and the legal basis for the processing.

Unless the data subject exercises the right to be forgotten, the data remains with the organisation, which must protect it for as long as it is held.

Data Protection

Data-protection measures that meet the GDPR's requirements have to be embedded in the organisation's systems and processes, and the data controller remains responsible for supervising them and demonstrating compliance.

Controllers must also deploy mechanisms that ensure data is processed only in the ways the GDPR permits.

Pseudonymization

One characteristic that blockchain and the GDPR share is the reliance on pseudonymisation. The GDPR encourages pseudonymisation as a safeguard: data is processed so that it can no longer be attributed to an individual without additional information, which is kept separately and protected. On a blockchain, addresses and transaction hashes are exactly such pseudonyms. The important caveat, from Recital 26 of the regulation, is that pseudonymised data is still personal data for anyone who holds the additional information, such as the mapping from a wallet address to a customer record or the secret key used to derive the pseudonym. Hashing an identifier does not anonymise it either: an unkeyed hash of an email address or a national ID number can be reversed by simply hashing every plausible candidate.
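The following added example (not code from the original post or from Applicature) makes the pseudonymisation caveat concrete. It compares an unkeyed SHA-256 pseudonym, which an attacker with a candidate list recovers by enumeration, with an HMAC pseudonym under a secret key held by the controller: without the key the enumeration fails, while the key holder can still re-link, which is why the output remains personal data for them. The email addresses and the key are constructed sample values.

```python
"""Pseudonymisation: unkeyed hash vs keyed hash (HMAC).

Added example; sample identifiers and keys are constructed, not real.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed candidate list: the identifiers an attacker might guess
# (customer emails of a small shop, say). Real identifier spaces are
# often small enough to enumerate entirely.
EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks random, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that only the controller holds.

    The key is the 'additional information' of GDPR Recital 26.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification by enumeration: pseudonymise every candidate
    and compare against the published value. Returns the match or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def relink(target: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """What the key holder can do: the same enumeration, but only a party
    with the correct key gets a match. Deleting the key (crypto-shredding)
    removes that ability for everyone, including the controller."""
    return dictionary_attack(target, candidates,
                             lambda c: keyed_pseudonym(c, key))


if __name__ == "__main__":
    controller_key = bytes.fromhex("00" * 32)  # constructed demo key
    attacker_guess = bytes.fromhex("ff" * 32)  # attacker does not know it

    published = naive_pseudonym("bob@example.com")
    print("unkeyed hash recovered as:",
          dictionary_attack(published, EMAILS, naive_pseudonym))

    published = keyed_pseudonym("bob@example.com", controller_key)
    print("HMAC, attacker without key:", relink(published, EMAILS, attacker_guess))
    print("HMAC, controller with key:  ", relink(published, EMAILS, controller_key))
```

The practical rule that follows: if an identifier must appear on a ledger, derive it with a secret key (or a random per-record salt stored off-chain), never with a bare hash, and treat the key store as the place where the personal data really lives.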

Data Subject’s Rights

The GDPR is designed to give individuals in the EU more control over their personal data. It also strengthens a right that was hard to exercise in practice under the previous Directive: the right to erasure.

  • The right to erasure (Article 17): the data subject may ask the organisation holding his/her data to erase it, including copies passed on to other recipients, who must be informed of the request. This right is often called "the right to be forgotten."
  • The right of access (Article 15): the data subject may ask a data controller whether it is processing data about him/her, obtain a copy of that data, and learn the purposes of the processing, the recipients, and the retention period.
  • The right to rectification (Article 16): the data subject may have inaccurate data about him/her corrected, and incomplete data completed.
  • The right to restriction of processing (Article 18): the data subject may require the controller to stop processing the data, while still storing it, where its accuracy is contested or the processing is unlawful.

Further rights of data subjects in the EU, such as data portability and the right to object, are set out in Chapter III of the regulation.

Should any questions remain, please contact the Applicature team for assistance.

Blockchain vs. GDPR

There is no evidence that the EU intended to hinder blockchain adoption by issuing the GDPR. What is clear is that the regulation gives individuals in the EU more control over how their personal data is managed, and it reduces the scope for personal data to be used against the people it describes.

Applicature will dispel any doubts concerning blockchain’s role in data storage.

First, let's consider the similarities and differences between the GDPR and blockchain. What they have in common is an emphasis on transparency, on the rights of the citizen (the user), and on protecting data from tampering.

What separates them is, of course, their nature: blockchain is a technology, a network of nodes run by its users, whereas the GDPR is law. Anyone can transact on a public blockchain through a wallet, but operating a full node, and above all mining, costs money and computational power, which is why that role tends to fall to companies and consortiums. The GDPR, by contrast, applies to every individual in the EU whose data is processed, regardless of where the processing organisation is located.

The decisive difference in terms of data storage is immutability: any piece of information written to a blockchain and confirmed by the network stays there indefinitely.

There is also a difference of identity: public blockchains are pseudonymous (addresses rather than names), while the GDPR is concerned with any data that can be linked to an identifiable person, which, as noted above, includes pseudonyms that someone can resolve.

The original post summarised the similarities and differences between blockchain and the GDPR in a comparison table at this point (not reproduced here).

Blockchain and GDPR: Coexistence

No country can make people stop using a public blockchain; that follows from how it is built. The blockchain is a network of nodes (computers) spread across jurisdictions, so shutting it down would mean taking every participating device offline, which is impractical when thousands of independently run nodes exist worldwide. Yet precisely because of its immutable nature, a public blockchain cannot by itself be GDPR-compliant: the GDPR exists to give people control over their personal data, including the right to be forgotten, and a ledger that cannot forget works against that. Encrypting the data and later destroying the key (crypto-shredding) makes it unreadable, but whether that counts as erasure under the GDPR is unsettled, and it is not the same as removing the data.

GDPR Compliance for Blockchain Businesses

Since the regulation came into force, companies that build their platforms on a public blockchain have not been considered GDPR-compliant by default. So the question is: can a lawful blockchain-based company be built in EU territory?

Applicature says, "Yes, it can!" One approach is to represent each user's record as a non-fungible token (ERC-721) and to "erase" it by burning the token. The reason to use ERC-721 rather than the far more common ERC-20 is that an ERC-721 token is individually identified by its token ID and can carry its own metadata (its tokenURI), so it can act as a container that points to a record; ERC-20 tokens are interchangeable units, like dollars, with no per-unit metadata. The holder controls the token with the private key of the owning address, and a BIP-32 hierarchical wallet lets the holder derive a separate key for each such token from one seed. That key controls who can transfer or burn the token; it does not restrict who can read data that was written on-chain, which every node can see.

Burning an ERC-721 token in an enumerable implementation clears the token's owner and metadata from contract state and removes its ID from the enumeration array by moving the last minted token's ID into the burned token's slot. The caveat that matters for the GDPR: burning changes the current state, but the transactions and events that originally wrote the metadata remain in the chain's history on every archival node. The token should therefore never hold the personal data itself, only a reference or a commitment to it.

This leads to the second approach: keep the personal data off-chain and put only a reference (a hash or a pointer) into the transaction, with an oracle or gateway service resolving that reference to the off-chain storage when an authorised party needs the record. Erasing the record off-chain then leaves nothing on the chain but an unusable reference.
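The block below is an added example (not the post's or Applicature's code) that simulates both techniques described above in plain Python: an append-only hash chain stands in for the blockchain, a minimal enumerable NFT registry models the ERC-721 burn with its swap-and-pop on the enumeration array, and an off-chain store holds the actual records. Each token's metadata is only a salted commitment to its off-chain record. Erasure deletes the record and salt off-chain and burns the token; the chain still verifies, the burned token is gone from current state, but the commitment remains in the mint history, which is exactly why no personal data may be written there. All records, addresses and URIs are constructed sample values.

```python
"""Off-chain record, on-chain commitment, ERC-721 burn: a simulation.

Added example with constructed data; the ledger is an in-memory hash
chain, not a real blockchain, and the NFT is a model, not a contract.
"""
import hashlib
import json
import secrets
from typing import Dict, List, Optional


def commit(salt: bytes, record: dict) -> str:
    """sha256(salt || canonical JSON). Unopenable without the salt."""
    return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Append-only hash chain: each block links to the previous hash."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "prev": prev, "payload": payload}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.blocks.append(body)
        return body["index"]

    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["prev"] != prev or hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest() != b["hash"]:
                return False
            prev = b["hash"]
        return True


class EnumerableNFT:
    """Model of an enumerable ERC-721: state is mutable, history is not."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self._owner: Dict[int, str] = {}
        self._token_uri: Dict[int, str] = {}
        self._all_tokens: List[int] = []           # enumeration array
        self._index: Dict[int, int] = {}           # token_id -> position

    def mint(self, to: str, token_id: int, uri: str) -> None:
        assert token_id not in self._owner, "already minted"
        self._owner[token_id] = to
        self._token_uri[token_id] = uri
        self._index[token_id] = len(self._all_tokens)
        self._all_tokens.append(token_id)
        # The mint call, URI included, is recorded on the chain forever.
        self.ledger.append({"call": "mint", "to": to, "tokenId": token_id, "uri": uri})

    def burn(self, caller: str, token_id: int) -> None:
        assert self._owner.get(token_id) == caller, "not the owner"
        last_pos = len(self._all_tokens) - 1
        pos = self._index[token_id]
        if pos != last_pos:                        # swap-and-pop, as in the text
            last_id = self._all_tokens[last_pos]
            self._all_tokens[pos] = last_id
            self._index[last_id] = pos
        self._all_tokens.pop()
        del self._index[token_id], self._owner[token_id], self._token_uri[token_id]
        self.ledger.append({"call": "burn", "from": caller, "tokenId": token_id})

    def token_uri(self, token_id: int) -> Optional[str]:
        return self._token_uri.get(token_id)

    def total_supply(self) -> int:
        return len(self._all_tokens)

    def token_by_index(self, i: int) -> int:
        return self._all_tokens[i]

    def uris_in_history(self, token_id: int) -> List[str]:
        """What any archival node can still read after the burn."""
        return [b["payload"]["uri"] for b in self.ledger.blocks
                if b["payload"].get("tokenId") == token_id and "uri" in b["payload"]]


class OffChainStore:
    """Controller-side store: the record and its salt, never on-chain."""

    def __init__(self, nft: EnumerableNFT) -> None:
        self.nft = nft
        self.records: Dict[int, dict] = {}
        self.salts: Dict[int, bytes] = {}

    def register(self, owner: str, token_id: int, record: dict) -> str:
        salt = secrets.token_bytes(32)
        uri = "commit:" + commit(salt, record)     # hypothetical URI scheme
        self.nft.mint(owner, token_id, uri)
        self.records[token_id], self.salts[token_id] = record, salt
        return uri

    def prove(self, token_id: int) -> bool:
        """Audit check: the held record matches the token's commitment."""
        if token_id not in self.records:
            return False
        return "commit:" + commit(self.salts[token_id], self.records[token_id]) \
            == self.nft.token_uri(token_id)

    def erase(self, owner: str, token_id: int) -> None:
        """Right to erasure: drop record and salt, then burn the token."""
        self.records.pop(token_id, None)
        self.salts.pop(token_id, None)
        self.nft.burn(owner, token_id)
```

Usage in prose: register a few records, erase one, and check three things: `prove` fails for the erased token and still succeeds for the others, the ledger still passes `verify()`, and `uris_in_history` still returns the old commitment. Because the salt was deleted, that leftover commitment cannot be matched against a guessed record, which is the whole point of salting rather than hashing the record directly.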

Conclusions

The twenty-first century is the age of digital data, digital communication, and even digital money. Information has become the main means of influence for businesses, and "money can fix anything" no longer holds. This is where the question of secure and reliable data storage comes in, and one answer arrived with the first blockchain in 2009, when the Bitcoin ledger gained its first nodes.

While blockchain infrastructure is run mostly by companies and consortiums, because of its cost and demand for computational power, governments try to protect citizens' rights over their personal data. The most significant recent step was the European Union's GDPR, in force since 2018, written to give individuals in the EU more control over their personal data. Among the features that set it apart from the 1995 Data Protection Directive are the strengthened right of access and the right to be forgotten.

This regulation complicates the use of blockchain for data storage, because a blockchain does not allow information written to it to be deleted or changed.

Even though data cannot be erased from a blockchain, it can be kept off-chain with only a reference or commitment on-chain, and erasing that off-chain record satisfies the spirit of the right to be forgotten. That is what makes coexistence of the GDPR and blockchain feasible.

Join discussions on Applicature’s official Twitter and Telegram accounts!


Applicature is a Venture Builder and Accelerator of Blockchain companies. Since 2017, we’ve helped more than 270 companies grow.