Page 0023

5.1

How to meet the GDPR

challenge, part 1: keep personal

data off the blockchain

The most obvious way to avoid the application

of the GDPR to a blockchain solution is to avoid

processing any personal data as part of that

solution. Indeed, one crucial aspect of distributed

ledger technology, that data should be replicated

and maintained by various participants rather

than stored centrally, is somewhat at odds with

the GDPR's principles of data minimisation,

storage limitation, and purpose limitation.

The ideal means to resolve this dilemma is to avoid it

altogether. The breadth of the definition of personal data

in the GDPR, however, makes the keeping of all personal

data off the blockchain difficult in many circumstances.

We will look firstly at the problems associated with (1)

unique identifiers and (2) the inadvertent addition of

personal data to a blockchain.

A

The problem of unique identifiers

1 - The challenge

As discussed earlier, personal data can include unique

identifiers assigned to an individual such as an IP address

or, on a blockchain network, the address assigned to a

participant on the network. So, if:

• a participant on the network is an individual;

• the participant is assigned a particular address that

will be recorded against transactions on the network

involving the individual; and

• there is any reasonable way to link the individual's

address on the network to the identity of the individual

(for example, by linking that address with the

individual's IP address and then obtaining the identity

of the individual from the individual's internet service

provider by a court order),

then, the participant's address on the blockchain network

will be considered personal data under the GDPR. Given

the expanded definition of personal data under the GDPR,

it is also important to consider the data environment

within which the personal information sits, rather than

only focusing on information that is clearly, on its face,

personal data. After all, personal data under the GDPR also

includes information relating to an indirectly identifiable

individual, and this means that information which on

its own may not be personal data, can quickly become

personal data when brought together with other data

points to build a profile of an identifiable individual.

GDPR and the Blockchain I 21

Index

  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052