1 Use a private, permissioned blockchain.
While the most common vision of blockchain is of a fully public, permissionless network, there are a wide variety of blockchain solutions, many of which are in fact private and require permission to join. Because anyone can join a public permissionless blockchain, it is impossible to ensure participants agree to necessary rules around the protection of personal data. As a result, the only clearly effective way of achieving a GDPR-compliant blockchain solution is by using a private, permissioned blockchain.
2 Avoid, if possible, the storing of personal data on the blockchain.
The most obvious way to avoid GDPR compliance issues is, predictably, to employ a blockchain solution that avoids processing any personal data. While keeping a blockchain completely free of personal data will be very difficult to achieve, this should not prevent efforts being made to keep personal data off-chain (as far as it is possible to do so). This may be done, for example, by storing an encrypted anonymous hash of the personal data on-chain, with the underlying and identifiable personal data being kept off-chain, and also by minimising free-form data.
3 Implement a detailed governance framework.
Given: (a) the need to ensure that personal data is adequately protected; (b) the requirements under the GDPR to establish contractual relationships governing the processing of personal data between parties; and (c) the legal obligations on data controllers to provide individuals with privacy notices and a means to uphold their personal data rights, a GDPR-compliant commercial blockchain solution will require a detailed governance framework that is contractually binding on all participants and clearly sets out each party's rights and responsibilities.
4 Employ innovative solutions to data protection problems.
The immutable nature of blockchain data is the one element of the technology which clashes most obviously with data subjects' rights under the GDPR, especially the right to erasure (the so-called right to be forgotten) and the right to rectification (i.e. to have incorrect personal data corrected). However, through reliance on innovative solutions such as the use of advanced irreversible encryption as a means of deletion, it is possible to comply with the spirit and (we argue) the policy of data protection legislation, if not yet fully the word.
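As an added illustration of the two techniques described in items 2 and 4 above (a keyed hash on-chain with the identifiable data held off-chain, and erasure or rectification achieved by destroying the key rather than editing the ledger), and not code from this paper: a Python sketch in which an in-memory list stands in for the ledger and a dict for the off-chain store. The class and method names, and the sample data, are constructed for the example.

```python
import hashlib
import hmac
import secrets

def linkable_by_plain_hash(commitment: str, guess: bytes) -> bool:
    # A plain SHA-256 of guessable data (a name, a date of birth) is linkable by
    # anyone who can enumerate candidates, which is why the ledger value is keyed.
    return hashlib.sha256(guess).hexdigest() == commitment

class PersonalDataRegistry:
    """Identifiable data lives off-chain; the ledger holds only a keyed hash.
    Constructed illustration: 'chain' stands in for the append-only ledger and
    'vault' for the off-chain store that holds each record's key."""
    def __init__(self):
        self.chain = []  # append-only ledger entries: (record_id, commitment)
        self.vault = {}  # off-chain store: record_id -> (key, personal_data)

    def record(self, record_id: str, personal_data: bytes) -> str:
        # A fresh random key per record makes the on-chain value an HMAC, so it
        # cannot be brute-forced from a list of candidate inputs.
        key = secrets.token_bytes(32)
        commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        self.vault[record_id] = (key, personal_data)
        self.chain.append((record_id, commitment))
        return commitment

    def latest_commitment(self, record_id: str):
        for rid, commitment in reversed(self.chain):
            if rid == record_id:
                return commitment
        return None

    def verify(self, record_id: str) -> bool:
        """True only while the off-chain key and data both still exist."""
        if record_id not in self.vault:
            return False
        key, data = self.vault[record_id]
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.latest_commitment(record_id) or "")

    def erase(self, record_id: str) -> None:
        # Right to erasure: destroy the key and off-chain copy; the ledger entry
        # stays but is now an unlinkable, random-looking value.
        self.vault.pop(record_id, None)

    def rectify(self, record_id: str, corrected: bytes) -> str:
        # Right to rectification: drop the old key, re-commit the corrected data;
        # the superseded ledger entry remains but can no longer be linked.
        self.erase(record_id)
        return self.record(record_id, corrected)
```

Note that the ledger length never shrinks: erasure and rectification leave the old entries in place and only remove the key that made them meaningful.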
Ultimately, we are calling on regulatory authorities and technology providers to take any reasonable remaining steps necessary to address the outstanding privacy challenges posed by blockchain.
If these steps are not taken, there is a risk of a stall in (or even an end to) investment in blockchain companies that are developing innovative solutions which could, in the long run, benefit the world as a whole.
GDPR and the Blockchain | 7