How to make blockchain GDPR compliant: explained in five GIFs

Distributed ledger technology in the light of GDPR compliance

Pavel Romanenko
Feb 21 · 5 min read
Photo by arvin febry on Unsplash

Last week I met with the blockchain startup Lition, which promises to solve the blockchain vs. GDPR conflict on a technological layer. Why should you care about what they have to say?

  • These folks cooperate with the largest German software company SAP
  • They launched a consumer-ready decentralized energy market place
  • They have recently discussed the STO regulations with the German government
Icons by Freepik and Smashicons via Flaticon

We got some interesting insights about GDPR compliance solutions from Lition’s CEO Richard Lohwasser and sprinkled some GIFs on top since GIFs make everything look cooler (even the GDPR).


1. Off-chain storage — This tactic keeps sensitive user data off the blockchain, allowing a continuous blockchain record and the ability for data to be deleted. Unfortunately, off-chain systems largely defeat the purpose of blockchain by storing data via traditional methods, meaning data is more vulnerable to hacks, edits and other trickery.

2. Deletion of Encryption Keys — Deleting encrypted keys keeps sensitive data on the blockchain but throws away the ability to access the information. This method essentially deletes the data by rendering it inaccessible, but does not technically erase it. The GDPR explicitly calls for the deletion of data, and while the deletion is not clearly defined in the legislation, making something inaccessible and destroying it all together are not the same thing.

3. Anonymization — While there are a couple different ways to go about anonymizing data, most solutions involve the same version of our already defunct off-chain storage method. On-chain pointers connect mainchain information to sensitive off-chain information. Once the off-chain data is destroyed, the link is broken and the on-chain information is anonymous. However, this method still leaves data on the mainchain, and while tough, identifying information could still be obtained from the blockchain.

4. Centralized Back-End Systems — Another proposition is to completely overhaul the concept of blockchain and create centralized back end systems, that allow data to be anonymized without interrupting any chains. While this would allow GDPR and blockchain to peacefully coexist, you have basically gutted the fundamentals of blockchain by doing so. Centralized back-ends give data control back to companies and require users to once again trust companies with their information behind closed doors. That worked great the first time?

5. Public-private deletable blockchain infrastructure. Public-private deletable blockchain infrastructure could remedy blockchain and GDPRs incompatibility by preserving blockchain functionality while protecting user data in accordance with the GDPR.

Software giant SAP’s Chief Technology Officer, Dr. Juergen Mueller, has been advising Lition, a German tech startup, in the development of their blockchain platform with true deletability through the use of private side chains that stem from the mainchain. The team is presenting their MVP on February the 21st at the SAP Data Space in Berlin. It is announced that during the event it will be shown how transactions of Lition’s Energy Exchange are executed on the new blockchain and how it is possible “to be forgotten”. Every codehead has the opportunity to attend this event through a livestream since this could be the innovation that the space needs to make a step forward in direction adoption.

Source: What Does Lition’s Blockchain Architecture Look Like?

Lition’s network tracks metadata in the mainchain to ensure network functionality. This is where things like consensus are maintained, token balances are tracked, and transparency is provided. Smart contracts are executed on the main network but invoke private permissioned sidechains where sensitive data is kept. These side chains can be deleted, destroying the information contained within them, while preserving the block hashes to maintain network integrity.

The public private infrastructure is the first protocol that both allows true deletion of data and abides by the fundamentals of blockchain.

The GDPR and blockchain initiatives were both attempts to reclaim our information and put an end to the rampant abuse of data Silicon valley’s top dogs have orchestrated for too long. Although they emerged from different ends of the ideological spectrum, permanent deletion versus untamperable transparency, the end goal was mostly the same.

Through the use of public-private deletable platforms, we will be able to diversify our toolset for the fight to take back our digital identities. The GDPR doesn’t cripple blockchain, rather, it challenges it to innovate and incorporate all the best strategies to ensure our data is secure and protected.


Do you want to dive deeper into the topic? Connect with Richard Lohwasser on Linkedin, follow him on Twitter or meet him in person during the meetup at SAP Data Space in Berlin.

Blockchain Circle

Germany's network of blockchain professionals: http://blockchaincircle.de/

Pavel Romanenko

Written by

Head of Marketing and Partnerships at ZkSystems https://medium.com/zksystems

Blockchain Circle

Germany's network of blockchain professionals: http://blockchaincircle.de/