The application of GDPR to blockchain-based platforms raises challenging questions. How can GDPR and blockchain co-exist? Solutions like hybrid blockchains that combine public and private elements have the potential to ensure GDPR compatibility. EY can help with a comprehensive solution.
Authors: Darko Stefanoski, Konrad Meier, Orkan Sahin and Federico De Poli.
Is GDPR applicable to blockchain operators?
GDPR applies to the processing of personal data that falls within the regime’s territorial scope. GDPR has an extensive territorial reach and applies to controllers and processors established in the EU, as well as to controllers and processors not established in the EU, where the processing relates to the offering of services to data subjects who are in the EU or monitoring of their behaviour that takes place within the EU.
Consequently, the activities of many blockchain operators may fall within the scope of GDPR. Since anybody may have access to an open/permissionless platform, operators of such platforms may be deemed to offer services to data subjects in the EU.
Different types of blockchains
In order to grasp the challenges faced by blockchain operators, it is essential to be aware of the main types of blockchains.
Based on the participants, blockchains are categorized as public, private or hybrid:
- Public and permissionless: Public and permissionless blockchains resemble Bitcoin, the original blockchain. All transactions in these blockchains are public and no permission is required to join these distributed networks.
- Private and permissioned: These blockchains are limited to designated members, transactions are private, and permission from an owner or manager entity is required to join this network. These are often used by private consortia to manage industry value chain opportunities.
- Hybrid blockchains: These combine public and private elements. A related, emerging concept is the sidechain, which allows different blockchains (public or private) to communicate with each other, enabling transactions between participants across blockchain networks.
The GDPR-Blockchain paradox
GDPR stipulates that users should have control over their personal data at all times. One of the key features of blockchain technology is the general immutability of its data, and many applications of the technology are built on publicly available data trails. This contradicts the GDPR’s right to erase / duty to delete personal data when a lawful ground for processing ceases to exist. Storing encrypted data on the blockchain and destroying the key does not solve the GDPR challenge, as the right to be forgotten requires that the data is permanently erased.
Privacy-by-Design: How to design a blockchain-based platform that is GDPR compliant?
According to the Privacy-by-Design principle, organisations should design data protection into the development of business processes and new systems.
Public, permissionless blockchains represent the greatest challenge in terms of GDPR compliance because of their extensively distributed nature. GDPR requires identifying the roles of the different parties involved in the various activities in which data is processed, and in a distributed ledger a clear determination of who is a data controller and who is a data processor is difficult. Private blockchains, however, give operators more control, and from a GDPR perspective they are a much simpler set-up. Hybrid blockchains that combine public and private elements have the potential to ensure GDPR compatibility.
The Queen Mary University of London and the University of Cambridge recently conducted a study that concludes that it is possible to develop private blockchains that are compatible with GDPR. According to the study “promising examples include encrypting entries and then deleting the relevant decryption keys – leaving only indecipherable data on-chain – or using so-called ‘off-chain’ storage models”.
EY Solution: Applying privacy to the Blockchain through a hybrid setup
EY can provide you with a GDPR-compliant hybrid chain solution in which all GDPR-sensitive information is stored off-chain, in distributed or cloud-based servers, while only a cryptographic hash of that data is written to the public blockchain layer, which serves as an authenticity layer. The hash is not an encryption of the data but a one-way digest: it acts as a reference to, and a tamper-evident fingerprint of, the off-chain record, and anyone holding the original data can recompute it to prove the record has not been altered. To ensure the "right to be forgotten", the data located in the off-chain servers can be erased, leaving just the hash on the public chain. One caveat applies: a plain hash of low-entropy personal data (a name, a date of birth, an e-mail address) can be recovered by hashing candidate values and comparing them with the on-chain value. The hash should therefore be computed with a random, per-record salt (or as a keyed hash) that is itself kept off-chain and destroyed together with the data, so that what remains on the public chain cannot be linked back to the individual without the erased material.
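The following Python sketch is added here as an illustration of the hybrid set-up and is not part of EY's solution or any product code. It models an erasable off-chain store that holds the personal data together with a random per-record salt, an append-only public ledger that holds only the salted commitment, a verification step, and the erasure step. It also shows why the salt matters: an unsalted SHA-256 of a low-entropy field is recovered by enumerating a handful of constructed candidate values, while the salted commitment is not. All class names (`OffChainStore`, `PublicLedger`), the record identifier and the sample names are assumptions made for this example.

```python
"""Hybrid on-/off-chain storage sketch (added example, not EY product code):
personal data and a per-record salt live off-chain and can be erased; only a
salted commitment is written to the public ledger."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample: a small set of plausible field values an attacker could
# enumerate. Names are low-entropy, so an unsalted hash of them is guessable.
CANDIDATE_NAMES = [b"Alice Example", b"Bob Example", b"Carol Example"]


def naive_commitment(record: bytes) -> str:
    """Plain SHA-256 of the record: 'store the hash on-chain' taken literally.
    For low-entropy data this is reversible by enumeration."""
    return hashlib.sha256(record).hexdigest()


def salted_commitment(record: bytes, salt: bytes) -> str:
    """HMAC-SHA256 keyed with a random per-record salt. Without the salt the
    commitment reveals nothing useful about the record; with record and salt,
    anyone can recompute it and prove the off-chain copy is unaltered."""
    return hmac.new(salt, record, hashlib.sha256).hexdigest()


class PublicLedger:
    """Stand-in for the public authenticity layer: append-only, never erased."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []  # (record_id, commitment)

    def append(self, record_id: str, commitment: str) -> None:
        self.entries.append((record_id, commitment))

    def lookup(self, record_id: str) -> Optional[str]:
        for rid, commitment in self.entries:
            if rid == record_id:
                return commitment
        return None


class OffChainStore:
    """Stand-in for the erasable off-chain store (data plus per-record salt)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    def put(self, record_id: str, record: bytes, ledger: PublicLedger) -> str:
        salt = os.urandom(32)  # fresh random salt per record, kept off-chain only
        self._rows[record_id] = (record, salt)
        commitment = salted_commitment(record, salt)
        ledger.append(record_id, commitment)  # only the digest goes on-chain
        return commitment

    def get(self, record_id: str) -> Optional[Tuple[bytes, bytes]]:
        return self._rows.get(record_id)

    def erase(self, record_id: str) -> None:
        """Right to erasure: drop record AND salt. The ledger entry remains but
        can no longer be linked back to the data without the erased salt."""
        self._rows.pop(record_id, None)


def verify(record_id: str, store: OffChainStore, ledger: PublicLedger) -> bool:
    """Recompute the commitment from the off-chain copy and compare with the ledger."""
    row = store.get(record_id)
    on_chain = ledger.lookup(record_id)
    if row is None or on_chain is None:
        return False
    record, salt = row
    return hmac.compare_digest(salted_commitment(record, salt), on_chain)


def recover_by_enumeration(commitment: str, candidates: List[bytes]) -> Optional[bytes]:
    """Attacker's view: hash every candidate value and compare it with what is
    visible on the public chain. Succeeds only against unsalted commitments."""
    for cand in candidates:
        if naive_commitment(cand) == commitment:
            return cand
    return None


def demo() -> dict:
    """Walk through storage, attack, verification and erasure; return the outcomes."""
    ledger, store = PublicLedger(), OffChainStore()
    naive = naive_commitment(b"Bob Example")  # what a plain on-chain hash would look like
    store.put("subject-42", b"Bob Example", ledger)  # salted commitment on-chain
    results = {
        "naive_recovered": recover_by_enumeration(naive, CANDIDATE_NAMES),
        "salted_recovered": recover_by_enumeration(ledger.lookup("subject-42"), CANDIDATE_NAMES),
        "verifies_before_erase": verify("subject-42", store, ledger),
    }
    store.erase("subject-42")
    results["verifies_after_erase"] = verify("subject-42", store, ledger)
    results["ledger_entry_remains"] = ledger.lookup("subject-42") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice to note is that the salt, not the hash function, is what makes the on-chain value safe to leave behind after erasure: HMAC-SHA256 over a 32-byte random key cannot be reversed by enumerating candidate names, whereas the plain digest is. If a data subject needs to prove later that a record matched the chain, they must be given the salt as well as the data before erasure.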
Complementing the solution described above, EY can also support you with the following privacy services, tailored to address the specifics of a blockchain-based platform:
- GDPR Readiness Assessment: Maturity assessment and provision of recommendations to address identified gaps
- Privacy Impact Assessments (PIA): Performance of a GDPR based risk assessment and identification of mitigating measures
- “Know your personal data” – data inventory: A personal data inventory, dashboard and a data-flow map of the data analysed enabling you to have a clear picture of the personal data you use across your organization
- Data protection improvement programme: Identification and implementation of privacy remediation measures, combining EY’s legal, technical and data analytics capabilities.