General Data Protection Regulation (GDPR) and Blockchain seem to be contradictory terms, with major requirements of the regulation flying in the face of Blockchain features. But is this really the case?
In this article we will explain what GDPR is and present its main points. We will also dive into the relationship between GDPR and Blockchain, and show that it may hide more opportunities than threats.
GDPR is the most significant change within data privacy regulation in two decades (it replaced the Data Protection Directive, adopted in 1995). Generally, the GDPR directive was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy (EU GDPR Portal, 2018).
Implemented on the 25th of May 2018, GDPR should be considered by every Blockchain project, regardless whether they are in Europe or not. As these rules apply for every company wishing to do business in Europe, almost everybody should be aware of what they are, and how they may affect you as a consumer or your business.
Here’s a short video explaining the basics of GDPR:
Key points of GDPR
GDPR focuses on collection, processing, storage, and transfer of personal data, defined as “any information relating to an identifiable person who can be directly or indirectly identified” (source). The definition is quite broad, covering information such as name, an identification number, location data, or an online identifier (e.g. your IP), as well as factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person (source). The regulation does not make it a 100% clear whether pseudonymized data (encrypted and inaccessible without additional information like a decryption key) falls under personal information. On the one hand, hashing ensures pseudonymization (but not anonymity) and may no longer be considered personal. On the other hand, it could be argued that the cryptographic hashes link back to the original data, and therefore it is still possible to re-identify a given user. Which would mean that pseudonymized data falls under GDPR.
Data controller and data processor. The former refers to an entity (individuals, companies, public authorities) which determines how and for what purpose personal data is processed. The latter describes an entity that processes personal data on behalf of the controller.
Right to access gives data subjects (consumers) the right to confirm whether a data controller is processing their personal data, and if so where and for what purpose. Additionally, consumers have the right to request a copy of their personal data in an electronic format free of charge.
Right to be forgotten, also known as Data Erasure, allows data subjects to have their personal data erased with a data controller, halt further dissemination of the data, as well as potentially stop third parties from processing the data.
Privacy by Design is a concept, which existed for years now but is only now becoming a legal requirement. It follows the mindset of including data protection at the very beginning of a system’s design, rather than adding it later.
Fines and penalties. Should a company fail to meet the new standards, penalties of up to 4% of annual global turnover or €20 million (whichever is greater) can be incurred. Such high fines would be given for the most serious breaches of the directive, such as not having sufficient customer consent to process data, violating the core of Privacy by Design concepts, or not notifying the supervising authority and data subject about a breach (breach notification) or not conducting impact assessment.
Low compliance numbers
There have been several studies made ahead of the GDPR implementation date (May 25th, 2018), and the numbers didn’t look too good. Deloitte reported in their GDPR Benchmarking Study that only 15% of businesses expected to be compliant ahead of the date. NetApp in their GDPR Survey released soon before the May implementation date revealed that 35% of global businesses think GDPR threatens their existence, and 67% of global businesses think they may not meet the GDPR deadline (still lower than Deloitte’s survey result of 85% of companies expecting non-compliance). Additionally, 40% of business have confidence in knowing where their data is stored, which would suggest that 60% don’t. A more positive result has been revealed around the same time by a McDermott-Ponemon study, which surveyed companies across the U.S. and Europe and revealed that 52% of the companies expect to be compliant on or before the May 25 deadline, and an additional 40% expect to become compliant after the deadline.
Studies done after the implementation date aren’t particularly hopeful either. In the summer 2018 TrustArc’s GDPR Research found that only 20% (!) of the surveyed companies are GDPR compliant, with 53% currently implementing changes, and 27% of the surveyed businesses have not even started the process yet. Nevertheless, 74% of the companies reported that they expect to be compliant by the end of 2018, and 93% by the end of 2019. In September, Talend reported that around 70% of surveyed businesses around the world failed to address requests for a copy of personal data made by consumers, as required by GDPR. The latest study comes from EY, which asked in their recently released (December, 2018) Global Forensic Data Analytics Survey about company’s current status with respect to complying with the GDPR, and revealed that only 33% of companies reported having a GDPR-compliance plan, while a staggering 39% are not familiar with the GDPR at all. The numbers differ across continents, with 60% of the European companies indicating they have a compliance plan in place, with numbers much lower in the Americas, 13%, and Asia-Pacific, 12%.
It can be seen that the number differ across studies (which is to be expected), but none of them could be described as good or even hopeful. Why is it so hard for companies to comply with GDPR? Let’s dive into what are the main issues in this area for Blockchain companies.
GDPR and Blockchain: pain points and potential solutions
Overall, GDPR is absolutely fantastic from a consumer point of view. It adds transparency and makes respecting consumer’s privacy a requirement for all businesses. It also gives users significant power over their own data. However, many have asked how does this new directive works with Blockchain, as some of the GDPR’s legal requirements and Blockchain’s features seem to clash.
Right to be forgotten (Data Erasure) might be the toughest requirement for Blockchain business to fulfil due to one of the technology’s main advantage: immutability. Right to be forgotten principle allows consumers to have their data deleted upon request, which is naturally impossible in a standard blockchain. Within this environment, a question should rather also be asked: what is erasure? It could be argued that irreversible encryption constitutes erasure, as the data is inaccessible. If access rights are universally revoked, could the data be considered “erased”? Another proposed solution are hybrid off-chain architectures for distributed data storage.
It is similarly challenging to specify who within a Blockchain network is a data controller, especially when it comes to public blockchains. GDPR was created when a centralised model was the main governance option. Blockchain, however, challenged this structure and introduced a decentralised governance model, where any electronic device connected to the Internet can become a node which supports the network by maintaining a copy of a blockchain (and, in some cases, processes transactions).
These nodes process data, which would make them ‘data processors’, without having any influence on how the network is run. In normal cases, the controller or issuing entity would make a contract with any third party which processes personal data of their users. However, in the context of a blockchain network, it would be impossible to make a contract with every node.
It has been suggested that every network participant should be considered a data controller for himself, and a data processor for others, and that governance agreements will be required in order to determine the responsibilities of each participant.
First GDPR-Blockchain solution is already at hand
Exemplifying an off-chain solution and showing compatibility of GDPR and Blockchain is the Dispatch protocol. Their consensus algorithm, Delegated Asynchronous Proof of Stake (DAPoS), writes less data (compared to other distributed networks) into the ledger, which mitigates the risk of storing unnecessary data. Their Dispatch Artifact Network (DAN), which allows to link back to off-chain data objects (called artifacts), also aids in determining who’s in control of information. Dispatch has also defined stakeholders of the network (stakeholders, delegates, bookkeepers, uploaders, downloaders, and farmers), which also mitigates the data custody risk. And finally, developers have a high degree of control and transparency over what data is and isn’t stored.
Every threat is an opportunity is disguise
Although it may seem like the GDPR and Blockchain are clashing at every turn, they actually have some similarities between them, for example inclination towards encryption. At the heart of Blockchain technology, encryption is also encouraged by GDPR officials as a method to reduce the probability of a data breach.
Moreover, one of the main issues between GDPR and Blockchain – immutability, offers security, transparency, and integrity of data, which would be very valuable in the context of GDPR. The price, however, is the loss of retroactive control over personal data.
GDPR is a major shift in how personal data is managed. It requires companies to be transparent in how and which consumer data do they collect, install clear consent mechanisms, and allow consumers access to their collected data, which then must be deleted upon consumer’s request. However, although it is the latest regulation, it is still playing catch-up with technologies such as Blockchain – GDPR assumes that data management and control lies in centralised hands. However, there is a global trend to move control away from businesses (and governments) and into the hands of individuals. And therein lies the problem. Despite the fact that both GDPR and Blockchain value and strive for privacy, their core structures fundamentally differ.
Nevertheless, there is a light in the tunnel. The two also share an affinity towards encryption. Well established in blockchains, the regulation suggests encryption and pseudonymization as tools for compliance. Moreover, several studies have shown the opportunities hiding behind the apparent contradiction, where the technology can make it significantly easier for businesses to comply with GDPR. And GDPR compliance may not be that difficult, as long as it is thought of in advance. For example, Dispatch’s new protocol allows for storing data off-chain, which makes them 100% GDPR compliant.
A definite marriage of GDPR and Blockchain may require a mindset shift on both sides. Although there are examples of GDPR compliant blockchain solutions, e.g. the Dispatch protocol, there are probably some Blockchain enthusiasts who would argue that moving any data off-chain goes against what this technology is all about. As it is easier for permissioned and enterprise blockchains to be GDPR compliant (for example, it’s easier for them to define data controllers and processors), one of the potential outcomes is an increase in non-public blockchains. Here again questions arise relating to Blockchain values of decentralisation vs regulatory compliance. On the regulatory side, more clarification is needed (p.28), especially concerning identification and obligations of data controllers and processors, and anonymisation of personal data.
Will GDPR affect Blockchain adoption? It can go both ways. On one hand you could argue that businesses will shy away from the technology, for fear of liability in case of non-compliance. But Blockchain technology provides unprecedented security in terms of data integrity and security. So it is equally possible that GDPR may actually promote Blockchain technology in the future, as it may make it easier for companies to be GDPR compliant.