GDPR & Blockchain for Companies in 2019

How to leverage decentralized technology for GDPR compliance

--

The General Data Protection Regulation in 2019

This article is an overview of the GDPR landscape in 2019 and discusses some of the challenges businesses face under the regulation. It is intended especially for small-to-medium companies that are interested in leveraging blockchain technology as part of becoming GDPR compliant. At the end of the article, we explain how decentralized technology can help companies reach compliance faster and at lower cost.

What changed and how it affects you

On May 25th 2018, the General Data Protection Regulation (GDPR) became applicable across the EU. The regulation applies to any company or organization that processes the personal data of people in the EU, and it gives those individuals enforceable data protection rights.

The purpose of the legislation is to harmonize the existing data protection rules of the member states and to raise the level of protection for individuals in the EU. The reforms give customers more control over their data and require better transparency about the processes companies use to collect and use it.

Why does the GDPR exist?

In recent years there have been a number of massive data breaches, including ones exposing the account details of Yahoo, LinkedIn, Facebook and MySpace users. Under the GDPR, a breach leading to the destruction, loss, alteration or unauthorized disclosure of or access to personal data has to be reported to the competent supervisory authority (unless the breach is unlikely to result in a risk to individuals). Companies are also required to be able to demonstrate how they comply with the regulation: this is the accountability principle, and it is what a regulator uses to determine the impact of a breach and the level of responsibility of the company itself.

Protect users’ personal data

To understand how the GDPR aims to protect customers' personal data, we need to understand what is meant by both personal data and sensitive personal data. Personal data is a broad category: it means any information relating to an identified or identifiable person. This can be a name, email address, postal address, IP address, a customer number, and so on. Sensitive personal data (the regulation calls it "special categories of personal data") covers things like genetic and biometric data, health data, religious beliefs, political views and sexual orientation. Processing of these categories is prohibited unless one of the specific exceptions in the regulation applies.

Data Subject, Data Controller & Data Processor

Within the GDPR, the three main actors are:

  • The Data Subject: the individual to whom the data relates, usually a business's customers or users.
  • The Data Controller: the organization, company or other entity that determines how and why personal data is collected from data subjects. The controller is accountable for compliance and liable if GDPR rules are breached.
  • The Data Processor: an entity or individual which "processes personal data on behalf of the controller". The controller must set out, in a contract, the instructions the processor has to follow when processing the data. A processor that goes beyond those instructions is treated as a controller for that processing and becomes liable for it.

GDPR requirements & principles

The GDPR is 88 pages long and has 99 articles describing how the personal data of individuals in the EU can be collected, stored and processed by any organization or company. For a company to be GDPR compliant, it should consider the following seven key requirements.

The 7 Key GDPR Requirements

Obtaining consent

Terms of consent must be clear, transparent and lawful. All customer data must be processed for legitimate purposes, and subjects must be informed about the processing activities carried out on their personal data. Consent must be easily given, specific to the purpose, and freely withdrawable at any time. Note that consent is only one of the six lawful bases for processing (contract, legal obligation and legitimate interest are others); if you rely on consent, you must be able to show when and how it was obtained.

Right to data access and be forgotten

As an organization, you must allow your customers to access the data gathered about them within one month of receiving a Subject Access Request (SAR); the deadline can be extended by a further two months for complex or numerous requests, but the subject must be told about the extension within the first month. In addition, a data subject has the right to ask for the correction of inaccurate data, for the erasure of their personal data (the "right to be forgotten"), and for its transfer to another provider.

Privacy by design

Companies that collect personal data on EU residents may only store and process data when it is necessary for a specific purpose. They are expected to limit processing to the data that is needed for the service they provide (data minimisation) and not to keep personal data once the purpose of the processing is fulfilled (storage limitation). Privacy by design and by default means these limits have to be built into systems from the start, for instance by not collecting a field at all rather than collecting it and restricting access later.

Data portability

Organizations must provide a way for individuals to receive the data collected on them in a structured, commonly used, machine-readable format and to move it from one controller to another. The controller remains accountable for ensuring that personal data is protected and that GDPR requirements are respected, even when the processing is carried out by a third-party processor.

Breach notification

If a personal data breach occurs, the supervisory authority must be notified within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk to the affected people, they must be informed as well, without undue delay. Processors have to notify their controller without undue delay so that the controller can meet this deadline.

Pseudonymization

Data collected on individuals should be pseudonymized, i.e. transformed so that it can no longer be attributed to a specific person without additional information that is kept separately, for example by replacing direct identifiers with tokens, or by encrypting fields with a key held elsewhere. The GDPR recommends pseudonymization as a safeguard rather than mandating it, and it is important to note that pseudonymized data is still personal data under the regulation; only truly anonymized data, which cannot be tied back to a person by any reasonable means, falls outside its scope.

Data protection officer

In some cases, your company may need to appoint a data protection officer (DPO). The obligation does not depend on company size as such: a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data or data on criminal convictions.

Tensions between GDPR and Blockchain Networks

At its core, a blockchain is a decentralized, append-only database whose network consists of a group of nodes that each store a synchronized copy of the same data. There are many different types of blockchains, but they can be grouped into two broad categories: public or permissionless networks, where anyone is allowed to participate, and permissioned blockchains, where only pre-approved actors can take part in the network.

Who is accountable in a blockchain network?

Could there be a GDPR-compliant blockchain? Though the GDPR does not discuss specific technologies, it does regulate the ways in which technology may be used to store and process data. For example, accountability is a central issue in the GDPR, particularly when it comes to the responsibilities of the data controller. In the traditional client-server model, it is easy to identify the controller: there is almost always an entity offering a product or service that determines the purpose for collecting and processing the subject's data. In a permissionless blockchain, the question becomes harder. Who is the data controller? The protocol developers? The participating nodes? The publishers of the smart contracts? There is a lot of debate around this question, and the safest answer is probably: it depends on who decides what data is written and why.

Because data written to a blockchain is immutable, there is a common understanding that storing personal data directly on a blockchain cannot be done without clearly breaching some of the GDPR requirements, most obviously the right to erasure. Developers therefore apply obfuscation, encryption, hashing and/or aggregation techniques so that what lands on the chain is only a derived value (a hash, a commitment or a ciphertext) that can be linked to the original data, which is held off-chain, without revealing it. In practice, these approaches bring two risks:

  • Reversal risk: whatever the technique used, a third party may be able to recover the original data, for example by brute-forcing or dictionary-attacking a hash of low-entropy data such as an email address, or by exploiting a weakness in the scheme. Encryption that is secure today might also be broken in the future, and the ciphertext will still be on the chain when that happens.
  • Linkability risk: even without recovering the data, it may be possible to link on-chain values to individuals by observing patterns and context, for instance when the same value recurs across many records or transactions.
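The following block is an added example, not code from the original article or from the Lightstreams project, and it assumes a hypothetical design in which only a commitment is written on chain while the data subject's record and the controller's key stay off-chain. It shows the two risks described in the list above and the pseudonymization point from the earlier section on one constructed record: a plain SHA-256 of an email address is reversed by a dictionary attack, an HMAC with a controller-held key is not; a fixed derivation links a subject's records while a per-record nonce does not; and destroying the off-chain key ("crypto-shredding") makes the still-immutable on-chain value useless. The identifiers, the vault class and the sample wordlist are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample input: one data subject and an attacker's guess list.
SUBJECT_ID = "subject-0001"            # hypothetical internal identifier
SUBJECT_EMAIL = "alice@example.com"
ATTACKER_WORDLIST = ["bob@example.com", "alice@example.com", "carol@example.com"]


def naive_commitment(personal_data: str) -> str:
    """Unsalted SHA-256 of the raw value: the 'hash it and put it on chain'
    design the text warns about."""
    return hashlib.sha256(personal_data.encode("utf-8")).hexdigest()


def dictionary_attack(on_chain_value: str, candidates: list) -> Optional[str]:
    """Reversal risk: for low-entropy data (email, phone number, name) an
    attacker hashes guesses until one matches the public value."""
    for guess in candidates:
        if naive_commitment(guess) == on_chain_value:
            return guess
    return None


class OffChainVault:
    """Controller-held keys (hypothetical). Nothing here is written to the
    chain, so the controller can still honour an erasure request by
    destroying the key."""

    def __init__(self) -> None:
        self._keys = {}

    def new_key(self, subject_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[subject_id] = key
        return key

    def key_for(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def erase(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)


def keyed_commitment(key: bytes, personal_data: str, nonce: bytes) -> str:
    """HMAC-SHA256 over nonce || data. Without `key` the output cannot be
    reversed by guessing; a fresh per-record nonce stops two records of the
    same subject from producing the same value (linkability risk)."""
    return hmac.new(key, nonce + personal_data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(vault: OffChainVault, subject_id: str, personal_data: str,
           nonce: bytes, on_chain_value: str) -> bool:
    """Re-derive the commitment from off-chain data and compare in constant time."""
    key = vault.key_for(subject_id)
    if key is None:
        return False  # key destroyed: the on-chain value can no longer be tied back
    expected = keyed_commitment(key, personal_data, nonce)
    return hmac.compare_digest(expected, on_chain_value)


def demo() -> dict:
    """Run the checks described in the lead-in and return their outcomes."""
    results = {}

    # 1. Reversal risk on an unkeyed hash of low-entropy data.
    public_hash = naive_commitment(SUBJECT_EMAIL)
    results["naive_reversed"] = dictionary_attack(public_hash, ATTACKER_WORDLIST) == SUBJECT_EMAIL

    # 2. Keyed commitment: the same guess list fails without the controller's key.
    vault = OffChainVault()
    key = vault.new_key(SUBJECT_ID)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    record_a = keyed_commitment(key, SUBJECT_EMAIL, nonce_a)
    record_b = keyed_commitment(key, SUBJECT_EMAIL, nonce_b)
    results["keyed_reversed"] = dictionary_attack(record_a, ATTACKER_WORDLIST) is not None

    # 3. Linkability: a fixed derivation links the subject's records, a per-record nonce does not.
    results["linkable_without_nonce"] = (
        keyed_commitment(key, SUBJECT_EMAIL, b"") == keyed_commitment(key, SUBJECT_EMAIL, b""))
    results["linkable_with_nonce"] = record_a == record_b

    # 4. Erasure by key destruction: the immutable on-chain value stays, but it
    #    can no longer be verified against, or linked to, the subject.
    results["verifies_before_erase"] = verify(vault, SUBJECT_ID, SUBJECT_EMAIL, nonce_a, record_a)
    vault.erase(SUBJECT_ID)
    results["verifies_after_erase"] = verify(vault, SUBJECT_ID, SUBJECT_EMAIL, nonce_a, record_a)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats for anyone building on this pattern. First, an HMAC of personal data is pseudonymized data, not anonymized data, so the off-chain record and key are still in scope of the regulation until the key is destroyed, and whether key destruction fully satisfies the right to erasure is not settled; regulators have so far treated it as a mitigation rather than a guaranteed equivalent. Second, the keyed scheme above only resists guessing as long as the key stays secret; if the key ever leaks, every commitment made with it becomes reversible by the same dictionary attack, which is why per-subject keys (as in the vault) limit the blast radius.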

GDPR principles within a blockchain network

At this point, it should be clear that storing data on a blockchain in a GDPR-compliant way has no simple and straightforward solution. Still, let us consider some of the GDPR principles and how they map onto a blockchain. For instance, one could argue that the right of access and data portability are implicit in the decentralized nature of blockchains, since every participant can read the ledger and the data is already in a shared, machine-readable format. In addition, one could assume that at the moment a user agrees to have their personal data written into a distributed database they also consent to its usage and distribution (although this seems dubious, since consent has to be specific and withdrawable). But there are many other aspects that are hard to resolve, such as what happens after a security breach: establishing accountability would become very complicated and would require audits of nodes spread across different physical locations around the world.

Decentralized storage for the win

Based on the discussion above, you might get the impression that blockchain and GDPR are incompatible, especially in situations where personal data is stored on and processed by the blockchain network itself. What is needed is a missing ingredient that keeps personal data off the ledger: a decentralized storage solution where users own and control their data, and only references to it are handled on chain.

Last week we shared our vision about data ownership and data rights, and about how users should have more control over the data they share with applications. We want to encourage companies to use decentralized technology to facilitate compliance with regulations. With this in mind, we created a product called the Lightstreams Smart Vault, which lets companies and developers build decentralized applications without having to store users' personal data themselves. The Smart Vault runs on the Lightstreams Network, a blockchain network enhanced with a distributed file-sharing layer that enables developers to implement GDPR-compliant solutions using decentralized technology.

We created this network by integrating and modifying three of the most popular blockchain projects: Tendermint, Ethereum and IPFS. The IPFS protocol was enhanced with new privacy features, namely a permissioned layer that ensures a user's content is only accessible to, and distributed to, authorized entities. This gives users full control over their personal data: they can grant and revoke access at any time, monitor who has accessed it, and amend or erase the data as they see fit. The Smart Vault enables a new decentralized data model in which applications are merely data processors and users keep their personal data private. #ownyourdata

Acknowledgements

Thanks to Andrew Zappella for reviewing and editing the article!

Don’t forget

Please clap and share the article if you liked it! You can do more than one clap :) And if you want to get the latest information about our project, subscribe to our newsletter.
