Caught Between a block and a hard place: how are blockchains and the gdpr to co-exist?
The financial industry is amidst significant technological changes. Artificial intelligence, Big Data, and cloud-based technologies are transforming how we work. But, of all these advances, the most promising – and for some, the most worrying – is Blockchain technology.
What is Blockchain?
Simply put, blockchain is a decentralised ledger of nearly any recordable information. It is a form of Distributed Ledger Technology (DLT) that store data in blocks which then together form an unbroken and continuous chain of data. Blockchain technology has started to be integrated into accountancy through the use of cryptocurrencies such as Bitcoin.
There are currently three forms of blockchain: public permisionless, public permissioned and private permissioned. Put simply, a public blockchain is completely open and can be accessed by anyone, which implies little to no privacy and only supports a weak notion of security. On the other hand, private blockchain networks require an invitation – only entities participating in a particular transaction will have access to it.
Blockchain & GDPR
Recently, there have been many discussions over the compatibility of Blockchains and the General Data Protection Regulation (GDPR). Many blockchains will be subject to the GDPR as they hold personal data, which even if encrypted, falls under Article 29 Working Party, qualifying the data as personal. In addition, blockchains operate globally which automatically places it under regulations of the GDPR due to the issue of numerous cross-border regulations.
A majority of the incompatibility is identified within the public and permissionless blockchains. Blockchains are decentralised databases, making it difficult to determine the exact privacy role of each party involved. Blockchains are immutable by nature, therefore it is not possible to remove data as it is backed up onto all blocks Any unwanted information will always be present in the blockchain, if data needs to be updated, an entirely new block must be constructed. This raises further questions regarding privacy as well as lawful data processing in terms of the storage limitation principle (GDPR Article 5(1)(e)).
Both GDPR and the blockchain system aim to provide increased security and control over the exchange of data to individuals. Although both may have the same objective, amendments and further discussions are required to determine their positions in relation to one another.
This article is for general information only. Its content is not a statement of the law on any subject and does not constitute advice. Please contact KaurMaxwell for advice before taking any action in reliance on it.