Page 0009

1 Use a private, permissioned blockchain.

While the most common vision of blockchain is of a fully public, permissionless network, there are a wide variety of blockchain solutions, many of which are in fact private and require permission to join. Because anyone can join a public permissionless blockchain, it is impossible to ensure participants agree to necessary rules around the protection of personal data. As a result, the only clearly effective way of achieving a GDPR-compliant blockchain solution is by using a private, permissioned blockchain.

2 Avoid, if possible, the storing of personal data on the blockchain.

The most obvious way to avoid GDPR compliance issues is, predictably, to employ a blockchain solution that avoids processing any personal data. While keeping a blockchain completely free of personal data will be very difficult to achieve, this should not prevent efforts being made to keep personal data off-chain (as far as it is possible to do so). This may be done, for example, by storing an encrypted anonymous hash of the personal data on-chain, with the underlying and identifiable personal data being kept off-chain, and also by minimising free-form data.

3 Implement a detailed governance framework.

Given: (a) the need to ensure that personal data is adequately protected; (b) the requirements under the GDPR to establish contractual relationships governing the processing of personal data between parties; and (c) the legal obligations on data controllers to provide individuals with privacy notices and a means to uphold their personal data rights, a GDPR-compliant commercial blockchain solution will require a detailed governance framework that is contractually binding on all participants and clearly sets out each party's rights and responsibilities.

4 Employ innovative solutions to data protection problems.

The immutable nature of blockchain data is the one element of the technology which clashes most obviously with data subjects' rights under the GDPR, especially the right to erasure (the so-called right to be forgotten) and the right to rectification (i.e. to have incorrect personal data corrected). However, through reliance on innovative solutions such as the use of advanced irreversible encryption as a means of deletion, it is possible to comply with the spirit and (we argue) the policy of data protection legislation, if not yet fully the word.
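The off-chain pattern in recommendation 2 and the "irreversible encryption as deletion" idea in recommendation 4 share one mechanism, illustrated here as an added example that is not from the report: only a keyed hash (HMAC with a random per-subject key) is written to the immutable ledger, the identifiable data and the key stay off-chain, and erasure destroys the key so the on-chain entry can no longer be linked to anyone. The example also shows why an unkeyed hash of low-entropy personal data (a date of birth) is not "anonymous": it falls to a dictionary check. The Ledger and OffChainStore classes are assumed stand-ins, not any real platform's API.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Ledger:
    """Append-only list standing in for the immutable on-chain record."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, commitment: bytes) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1


class OffChainStore:
    """Holds the identifiable data and the per-subject key off-chain."""

    def __init__(self) -> None:
        self._records = {}  # subject_id -> (key, personal_data, ledger index)

    def store(self, subject_id: str, personal_data: bytes, ledger: Ledger) -> int:
        key = secrets.token_bytes(32)  # fresh random key per data subject
        commitment = hmac.new(key, personal_data, hashlib.sha256).digest()
        idx = ledger.append(commitment)  # only the keyed hash goes on-chain
        self._records[subject_id] = (key, personal_data, idx)
        return idx

    def verify(self, subject_id: str, candidate: bytes, ledger: Ledger) -> bool:
        rec = self._records.get(subject_id)
        if rec is None:
            return False  # key destroyed: the ledger entry is unlinkable
        key, _, idx = rec
        expected = hmac.new(key, candidate, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ledger.entries[idx])

    def erase(self, subject_id: str) -> None:
        """Erasure by key destruction; the ledger entry itself never changes."""
        self._records.pop(subject_id, None)


def plain_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dictionary_reidentify(target: bytes, candidates) -> Optional[bytes]:
    """Returns the candidate whose unkeyed hash matches target, if any."""
    return next((c for c in candidates if plain_hash(c) == target), None)
```

The same key-destruction step applies if the off-chain copy is encrypted rather than merely stored: without the key, neither the ciphertext nor the on-chain commitment can be tied back to the person.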

Ultimately, we are calling on regulatory authorities and technology providers to take any reasonable remaining steps necessary to address the outstanding privacy challenges posed by blockchain.

If these steps are not taken, there is a risk of a stall in (or even an end to) investment in blockchain companies that are developing innovative solutions which could, in the long run, benefit the world as a whole.

GDPR and the Blockchain | 7
