Is Blockchain Technology Simply Incompatible with GDPR Regulations?

The blockchain has the potential to become the underpinning technology of so many businesses. By its very nature, it offers transparency, enhanced security, increased efficiency through automation and traceability, and a way of making data easily accessible. The immutability of a blockchain, or rather, the inability to delete or change what’s been input and approved, is one of its great selling points.
However, it’s a blockchain’s immutability that would seemingly run it afoul of the General Data Protection Regulation (GDPR). Given the main selling points of blockchain, many would assume that its enhanced privacy measures would help it comply with GDPR, and yet the inability to remove data from the blockchain makes it incompatible in its most baseline form.
Transparency, Privacy, and Avoiding Traditional Data Collection
Transparency and privacy seem to be incompatible, and yet, both are achieved by blockchain technology, per Investopedia. Transparency is achieved by virtue of the blockchain being a public ledger. Everything put into the blockchain needs to be approved by the network, with each new node having its own copy of the chain. So, activities on the blockchain can be tracked and, if you download the chain, you can see a complete activity log.
Most blockchains, like the famed original that underpins Bitcoin, aren’t anonymous. They are, instead, pseudo-anonymous, because activities can be traced to a digital address that, were someone to reveal their data, could then indicate who is behind that digital address. However, the identifying information behind the publicly viewable transactions isn’t accessible. This makes blockchains private and secure in the majority of instances.
This capacity of the blockchain does allow businesses to seemingly avoid the kinds of data collection that GDPR was originally made to offer protections against. As the blockchain stores only the essential data, like transactions to digital, non-identifiable addresses, platforms like PeerGame do away with the registration process. People don’t need to input their bank details, names, or addresses to play the games, which is a huge boost to personal data privacy.
Adjusting Blockchain to Comply
Obviously, blockchain is a unique case study into how GDPR can and should be applied. It keeps data private and secure while also needing permanence in its data collection. The EU adopted its updates to its 1995 data protection directive in 2016, and they became applicable in May 2018. So, while blockchain was a known entity to those in crypto circles, it perhaps wasn’t understood well enough at the time that the regulations were penned.
At some point, though, GDPR will need to reckon with blockchain, or the technology will need to find a way to be compliant. One of the main sticking points is the Right to be Forgotten under Article 17(1). People should be allowed to demand that their personal data be erased. This can’t happen on a standard blockchain. Still, blockchains are programmed technology, so there will be a way to work around this issue.
According to an analysis of several studies into this topic by Nature, aligning blockchain technology with the Right to be Forgotten rule of GDPR would come down to creating a form of access control. With this control, the logic for deletion and alteration requests could be steered towards silently deleting data without influencing other nodes and data-writing procedures. By applying smart contracts in a specific way, personal data could belong only to that user.
While some corners of the crypto community are finding ways to comply with the intended applications of GDPR, the way that the blockchain works does put it on a collision course with the regulations by definition. To adjust, it seems more likely that blockchain creators will create ways to become compliant rather than GDPR being bent to accept the new tech.