5.1 How to meet the GDPR challenge, part 1: keep personal data off the blockchain
The most obvious way to avoid the application
of the GDPR to a blockchain solution is to avoid
processing any personal data as part of that
solution. Indeed, one crucial aspect of distributed
ledger technology, that data should be replicated
and maintained by various participants rather
than stored centrally, is somewhat at odds with
the GDPR's principles of data minimisation,
storage limitation, and purpose limitation.
The ideal means to resolve this dilemma is to avoid it
altogether. The breadth of the definition of personal data
in the GDPR, however, makes the keeping of all personal
data off the blockchain difficult in many circumstances.
We will look firstly at the problems associated with (1)
unique identifiers and (2) the inadvertent addition of
personal data to a blockchain.
A - The problem of unique identifiers
1 - The challenge
As discussed earlier, personal data can include unique
identifiers assigned to an individual such as an IP address
or, on a blockchain network, the address assigned to a
participant on the network. So, if:
• a participant on the network is an individual;
• the participant is assigned a particular address that
will be recorded against transactions on the network
involving the individual; and
• there is any reasonable way to link the individual's
address on the network to the identity of the individual
(for example, by linking that address with the
individual's IP address and then obtaining the identity
of the individual from the individual's internet service
provider by a court order),
then the participant's address on the blockchain network
will be considered personal data under the GDPR. Given
the expanded definition of personal data under the GDPR,
it is also important to consider the data environment
within which the personal information sits, rather than
only focusing on information that is clearly, on its face,
personal data. After all, personal data under the GDPR also
includes information relating to an indirectly identifiable
individual, and this means that information which, on
its own, may not be personal data can quickly become
personal data when brought together with other data
points to build a profile of an identifiable individual.