With the GDPR in effect from 25th May, all organizations operating within the EU will have to comply with it, including those who use blockchain to store personal data. But that is easier said than done. For all of its potential, blockchain raises some crucial challenges under the new legislation.
Although the consensus seems to be that blockchain is fundamentally incompatible with GDPR compliance, experts believe that it depends on how you use (and define) 'blockchain.'
If you are using blockchain to store personal data, GDPR compliance will depend on how you process that data, as well as on the sort of blockchain you have set up. Additionally, the system must address two main principles of the GDPR: data protection rights (people must be able to ask for their data to be removed) and accountability (there have to be identifiable data processors and controllers).
Consider a startup planning to launch a bike rental scheme through an ICO (Initial Coin Offering) campaign. A person who wants to rent a bike sets up an account, receives a private key, uses an exchange platform, and purchases some coins. He then takes the coins (tokens) to a bike, checks in with his private key, and enjoys his ride. When the bike is returned, the smart contract processes the payment. All of these transactions are executed on a blockchain ledger.
There are two different ways to record this transaction information, which comprises personal data. The first option is an open, public blockchain, such as Bitcoin. In this case, anyone can download the software and run it on their own device(s), and they may get paid for doing so.
In this scenario, who should be held accountable? Although the bike rental company wrote the software, it never touches any personal data itself, so under the law it is neither a processor nor a controller. The individuals running nodes have no control over the system either, and thus fall into neither category.
The customer can ask for their data to be removed, but doing so is quite cumbersome on a public blockchain, where the ledger is replicated across thousands of machines.
A private blockchain is the other viable option, and also the more suitable one. Instead of thousands of uncontrolled nodes, a private blockchain can be limited to a particular, controlled number of nodes: for instance, one in your house, one in the cloud, and one held by a third-party auditor that guarantees the integrity of the system in case of any disputes.
In terms of accountability, the individual who runs the blockchain and keeps a node in his home is "perhaps" the controller, while the third-party auditor and the cloud service provider can be called the processors. In addition, with a controlled number of nodes, the lawful basis for processing each data subject's data becomes easier to establish and explain. However, to remove personal data, a new version of the chain (a fork) will still be required.
If blockchain experts and enthusiasts take these suggestions seriously, we can most probably expect a move away from public blockchain use for business, and more development driven towards closed, controlled, private blockchains in the coming days. 'Crypto-anarchy' might also see a decline.
Ultimately, by using private blockchains, companies can go about ensuring that they adhere to GDPR compliance, and so can still benefit from such disruptive technological inventions.