Blockchain and GDPR

Now that much of the furore around GDPR has settled and organisations increasingly think of how to be more compliant with legislation I feel it is a good time to challenge ideas that I first read in an article by Michael Baxter on GDPR:Report published in August 2018.

In Michael’s article he argues that distributed ledger technologies (DLT) are inherently not compliant with GDPR regulation and although concessions are made that some entities are trying to add a function to delete data it is still not enough. I however opine that DLT is inherently compliant, with many networks being built around the concept of anonymity for data, I believe it should be possible to construct a data solution for an organisation that is both compliant and allows a client to feel safe contributing their data.

We will start by defining a few terms; client refers to an organisations data source, user will refer to the organisation or authorised parties accessing the data, local database will refer to a database accessible locally but without access to the internet.

Let’s consider the example from the Information Commisioners Office in the UK of a courier company attempting to be GDPR compliant. We can enter the data of each client into our organisation database by first entering the data into our DLT application and receiving the public and private chain identification for the client. We then store the client’s identifying factors (name, address etc.) in a local database along with the paired public-private key. The data is now pseudonymised and we can give access to the identifying factors only to those departments that require access to it, this would be GDPR compliant.

Sourced from ICO here.

Should the client wish to have their data removed under the right to be forgotten legislation we simply erase the identifying factor tag in our local databases and the data is now anonymised and no longer considered private or personal data.

“Why go to all this trouble to set up a DLT for something that can be stored on a centralised database?” I hear you ask. Simply put, clients feel safer knowing any residual data you may hold on them is stored securely and immutably. Any change in preference will be recorded in the DLT and can be challenged, making organisations more accountable for their decisions concerning data stored concerning clients.

Clients often realise that their identifying factors are such because they are already publicly accessible in some form, it is the personal preferences and opinions that people want to be stored securely and separately to their publicly accessible data.

There are many projects being built currently upon Hyperledger Fabric and I would be interested to see how GDPR and data compliance will be influenced by startups such as Tap – a free to use service that obtains personal data records on your behalf underpinned by DLT.

Thank you for reading my article, all opinions expressed are my own.


Blockchain and GDPR was originally published in Data Driven Investor on Medium, where people are continuing the conversation by highlighting and responding to this story.