The General Data Protection Regulation (GDPR) is now enforced. This has major impacts towards Blockchain and Distributed Ledger technology. In general: these technologies are not compliant to some certain demands of the GDPR.
The World Economic Forum titles in a statement “Will GDPR block Blockchain?”. And unfortunately, I have to agree yes, it might will.
Let me state in some words, why we need to force adjustments on GDPR regulations towards to blockchain and distributed ledger technologies. And why it’s absurd attempting backwards fixing to force GDPR compliance on that technologies.
The core of Blockchain: Trust and Resilience
Blockchain technology and Distributed Ledgers (DLT) power is based in resilience and trust. Both is created by the distribution principle, where nodes are storing transaction in their ledger and consents between ledgers is needed to determine if the transaction is valid. As nodes location can (and should) be scattered, it’s hard to answer the question on which geolocation data is stored and proceeded in the Blockchain network and by that which jurisdiction is to be effective.
For large public chains in case of doubt: everything and everywhere.
Additional the main principle of building trust inside the Blockchain makes it impossible to delete written transaction. Also updating existing transactions can’t be done, since they are immutable. Therefore, the demand of GDPR on the right to delete data is not directly representable in these cryptographic principles.
The demand to erase data in GDPR is allegeable from a “pre Blockchain” area, where state of technology was the storage of data in relational or object based databases – or more advanced in cloud storages. Deleting data in such architectures is a feasible demand. But blockchain principle of data treatment was not on the radar, when European legislation was formulating the GDPR. Blockchain is a “young” but highly accelerating technology, started in 2008 below the “radar” of legislation stakeholder groups debates. And it’s a perfect example that technology can leapfrogs ahead regulation and leaves legislators behind.
Why “HASHING” is not the answer for GDPR compliance
The situation is absurd. We have a powerful technology, but by basic architecture principle it’s not compliant to the demands of the GDPR. The industries answer is “hotfixes” on Ledgers, where personal data is involved. One popular recommendation is not storing personal data but “hashed” relations in the chain. This means that no personal data is stored in the Ledger and by that the system is compliant to GDPR – as there is no more need to erase personal data.
But on the other hand, you need to link the Blockchain proceeded hash to data sets outside the ledger. This must be done by tying the hashes to datasets on relational or object-oriented databases. Of course, we can do – but basically this workaround weaken the trust and resilience level of the system. Compromising the data in the linked databases is compromising the Blockchain trust level. When the data relation has been changed the testify by “hashed” Blockchain records is useless. You need no Blockchain procedures for testifying the trust and integrity of data and transactions in such architectures with relational dependencies. You can remove the Blockchain part of such system but you keep the same level of trust and resilience. Blockchain in terms of trust and resilience makes no sense on such GDPR compliance workaround architecture.
We can adjust Blockchain by GDPR workarounds but will lose the fundamental advantages of this technology. Or we can adjust the GDPR.
It’s our challenge force the right actions.