Blockchain And GDPR: A Rock And A Hard Place

Uploaded on 2018-05-02 in TECHNOLOGY-Key Areas-Blockchain, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, TECHNOLOGY--Developments

Blockchain and other emerging distributed ledger technologies offer the promise of increased security, transparency and resilience based on the use of distributed, immutable records. At the same time, the European Union General Data Protection Regulation (GDPR), which takes effect May 25, 2018, governs the use and protection of personal data collected from or about any European Union resident.

Personal data is defined very broadly and includes any information relating to an identified or identifiable natural person.

Under current EU legal interpretations, this includes encrypted or hashed personal data as well as public cryptographic keys that can be tied to a private individual.

The penalties for failing to comply with the GDPR are harsh including fines of up to the greater of €20 million or 4% of a company’s annual worldwide revenue.

The GDPR: Centralised, Restricted and Removable

The GDPR was developed based on an assumption that collected personal data would be controlled by an identifiable data controller and processed by the data controller or by a finite number of identifiable data processors and sub-processors. In order to protect the use of personal data, data controllers and processors must control who accesses the personal data, where and to whom it is transferred, and by whom it is accessed.

The GDPR gives EU residents enforceable rights with respect to their personal data, including:

•    the right to erasure of personal data when the personal data is no longer needed for the purpose for which it was collected, when the individual withdraws consent, or when continued processing of the data is unlawful;
•    the right to require correction of incorrect data; and
•    the right to restrict processing when the data accuracy is contested, when processing is no longer necessary, or when the individual objects.

These rights are understandable in the context of a centralized database controlled by a single data controller with a finite set of processors. But how well do they mesh with distributed ledger technology?

Blockchain: Decentralised, Distributed and Immutable

Blockchains can either be open to anyone (such as Bitcoin) or permissioned (limited to a specific set of participants). With a permissioned blockchain, the organisation that sets up the permissioned blockchain is the data controller and is responsible for compliance with GDPR.

In an open blockchain, every individual and organisation that adds EU personal data to the blockchain may be a data controller and may be responsible for compliance with GDPR. Similarly, every node on either an open or permissioned blockchain is, at a minimum, a data processor and may be a data controller depending on the blockchain governance arrangement.

Blocks typically include a header and encrypted content (the payload). Open blockchains allow anyone to view the header. Permissioned blockchains may have options for controlling who can view different parts of the transaction. The blockchain is a trusted record source because the data within each block cannot be changed and blocks cannot be removed.

Can Blockchains and the GDPR be Reconciled?

Not for open blockchains and not easily for permissioned blockchains using currently available technology and current EU data protection interpretations. The two biggest hurdles are control and data removal.

The data controller is liable for controlling access, dissemination, processing and sub-processing of personal information. This is effectively impossible for an open blockchain and will require significant attention and diligence for a permissioned blockchain.

As one example, the data controller needs to have a written data processing agreement in place with each data processor, which means with the owner of every node in the blockchain.

With respect to data removal, two possible solutions are:

  • Off-chain storage
  • Building in processes to make personal data permanently inaccessible (“blacklisting”)

Off-Chain Storage

One option is to store personal data outside of the blockchain and store only a reference (link) to the data and a hash of the data on the blockchain. This allows the removal (erasure) of the personal data without breaking the blockchain. However, this approach defeats many of the benefits of distributed ledger technology, such as security and resilience through redundancy.

Blacklisting

“Erasure” of data is not defined in the GDPR. Greg McMullen of the Interplanetary Database Foundation suggests that destroying the cryptographic key that would allow access to encrypted personal data should be considered to be the equivalent of erasure if the destruction is done in accordance with best practices and in an auditable way. We’ll have to wait for some rulings by Data Protection Authorities to see whether this view will be accepted.

Bottom Line

If you are building a permissioned blockchain, build it with the GDPR in mind. Understand:

  • who will have access to any EU personal data
  • how the data will be controlled
  • how you will comply with requirements to control processors, and
  • how you will respond to requests from individuals to view, correct, erase and restrict their personal information.

Tripwire:

You Might Also Read: 

AI And Blockchain In A Disruptive World:

A New Distributed Database Adds GDPR Controls:

 

« Facebook Collects Your Data Even If You Don’t Use Facebook
Half Of Music Business Revenue Is From Streaming »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Paraben

Paraben

Paraben provides digital forensics solutions for mobile devices, smartphones, email, hard drives, and gaming system.

SAMATE

SAMATE

The Software Assurance Metrics And Tool Evaluation project is an inter-agency project between the US Department of Homeland Security and NIST.

Hogan Lovells

Hogan Lovells

Hogan Lovells is an international business law firm with offices across Europe, Asia and the USA. Practice areas include Privacy & Cybersecurity.

SISA

SISA

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive and corrective cybersecurity solutions.

KLC Consulting

KLC Consulting

KLC Consulting offers information assurance / Security, IT Audit, and Information Technology products and services to government and Fortune 1000 companies.

Swiss CyberSecurity

Swiss CyberSecurity

Swiss CyberSecurity is a non-profit group based in Geneva, set up to provide information and as a forum for discussion of topics related to CyberSecurity.

Cyber Security Raad (CSR) - Netherlands

Cyber Security Raad (CSR) - Netherlands

The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government undertaking efforts at strategic level to bolster cyber security in the Netherlands.

Culinda

Culinda

Culinda secures medical IoT devices in hospitals with An Artificial Intelligence platform and security gateway.

TruNarrative

TruNarrative

TruNarrative provides a unified solution for Identity Verification, Fraud Detection, eKYC, Risk Assessment, AML Compliance and Account Monitoring.

Beazley

Beazley

Beazley are a specialist insurer with three decades of experience in providing clients with the highest standards of underwriting and claims service worldwide.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

Archer Technologies

Archer Technologies

Archer helps organizations manage risk in the digital era—uniting stakeholders, integrating technologies and transforming risk into reward.

C/side (cside)

C/side (cside)

At c/side, we're creating the ultimate delivery, performance and detection mechanism for browser-side fetched 3rd party Javascript.

SoConnect

SoConnect

SoConnect provides safe, secured, and taken care of IT, with infrastructure built around you and your business.

Boston Government Services (BGS)

Boston Government Services (BGS)

Boston Government Services is an engineering, technology, and security firm providing mission-focused solutions for the clean energy, nuclear, and federal programs markets.

CyberForceHQ

CyberForceHQ

CyberForce helps cyber security professionals take real-world tests, get ranked and get paid better. It's that simple.