
Blockchain and the GDPR

03 July, 2019

Ashley Kemball-Cook and Lucie Munier

The internet allows us to make direct payments without using third parties like banks. But can you trust counterparties without an intermediary? Ashley Kemball-Cook and Lucie Munier examine this issue and the relationship between the General Data Protection Regulation (GDPR) on privacy and blockchain technology.


Traditional financial services rely on trusted intermediaries such as banks. Those intermediaries provide a number of services – such as ensuring that digital ‘cash’, just like physical money, cannot be double-spent.

Just as importantly, they guarantee data privacy.

The rise of the internet promises a world in which payments can be made directly, without the cost or friction of employing a third party.

The question, however, is whether it is possible to have trust in counterparties without an intermediary like a bank – the problem famously addressed by the distributed ledger technology of blockchain.

Using blockchain, a peer-to-peer network can create an immutable and transparent ledger. However, both of those advantages, immutability and transparency, raise another issue – privacy and data control.

In a recent paper in the Journal of Securities, Operations and Custody, we looked at the relationship between the General Data Protection Regulation (GDPR) on privacy and blockchain technology. Here are some of our key findings.

Right to be forgotten

GDPR has a number of provisions, but one of the most important is the right of individuals to have their personal data erased. On a distributed, public network, where hundreds of nodes around the globe each hold a full copy of the ledger, this can be impossible: no single party can delete a record from every copy, and the protocol is designed to reject such changes.

Second, GDPR requires that a data controller be identifiable – the entity that determines the purposes and means of processing and is accountable for compliance, including the handling of any breaches. Again, this is impossible in a distributed, public network where no single participant controls the processing. That does not mean, however, that a blockchain cannot be compliant with GDPR.

Choose private over public

Public blockchains do not have to broadcast all data. For example, the identities of the recipients of funds can be kept private, just as stock exchanges do not announce who bought a bundle of shares.

Even so, the design goal of a public chain is transparency, and every node sees every transaction. A private (permissioned) network can be far more restrictive about who may join and what each participant can read.

There are different schools of thought on the benefits of taking a blockchain private, but more business and compliance risks are mitigated when that is done. The reason is that, within a private network, the participating organisations can put rules in place to manage the sensitive issues that the GDPR raises around an individual's right to erasure and the need to define who in the network is the data controller.

Three main steps to achieving compliance with GDPR

Data usage

It is important to assess what data is needed and how it will be used for two reasons:

  1. to minimise the use of both personal data and data more generally
  2. to enable the documentation of why this data is needed

Store data off-chain

Storing data off-chain means the personal data itself lives in a conventional database, while only an identifier for it (typically a hash or other commitment) is recorded on the blockchain. The ledger of actions stays immutable, but because the personal data is held off-chain it can be deleted to satisfy the right to erasure, or replaced to satisfy the right to rectification when false information must be corrected.
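The pattern above, as an added example that is not part of the original article or of Qadre's products: personal records live in a mutable off-chain store and only a commitment is appended to a hash-chained ledger that stands in for the blockchain. The ledger, store, record layout and the `store`/`rectify`/`erase` helpers are assumptions made for the illustration. One caveat a practitioner will want: a plain hash of a low-entropy record (a name, an account number) can be matched by simply hashing guesses, so the example mixes a random salt into the commitment and keeps the salt off-chain with the record. Erasing both leaves an on-chain value that can no longer be linked to the data.

```python
"""Off-chain personal data, on-chain commitment (illustrative, not production code)."""
from __future__ import annotations

import hashlib
import json
import os
from dataclasses import dataclass
from typing import Optional


def commitment(salt: bytes, record: dict) -> str:
    """Hex SHA-256 over salt || canonical JSON of the record.

    The salt (32 random bytes) is stored only off-chain next to the record.
    Without it, the on-chain value cannot be matched against guessed
    personal data, so deleting salt + record makes the hash unlinkable.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str     # "store", "rectify" or "erase"
    record_id: str  # opaque identifier, carries no personal data itself
    commit: str     # commitment of the current off-chain row, "" for erase
    prev: str       # digest of the previous entry (hash chain)

    def digest(self) -> str:
        payload = f"{self.seq}|{self.action}|{self.record_id}|{self.commit}|{self.prev}"
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only hash chain standing in for the blockchain (assumed model)."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, action: str, record_id: str, commit: str) -> Entry:
        prev = self.entries[-1].digest() if self.entries else "0" * 64
        entry = Entry(len(self.entries), action, record_id, commit, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        expected = "0" * 64
        for e in self.entries:
            if e.prev != expected:
                return False
            expected = e.digest()
        return True

    def latest(self, record_id: str) -> Optional[Entry]:
        for e in reversed(self.entries):
            if e.record_id == record_id:
                return e
        return None


class OffChainStore:
    """Conventional mutable database: record_id -> (salt, record)."""

    def __init__(self) -> None:
        self.rows: dict[str, tuple[bytes, dict]] = {}

    def put(self, record_id: str, record: dict) -> bytes:
        salt = os.urandom(32)
        self.rows[record_id] = (salt, record)
        return salt

    def delete(self, record_id: str) -> None:
        self.rows.pop(record_id, None)


def store(ledger: Ledger, db: OffChainStore, record_id: str, record: dict) -> Entry:
    salt = db.put(record_id, record)
    return ledger.append("store", record_id, commitment(salt, record))


def rectify(ledger: Ledger, db: OffChainStore, record_id: str, corrected: dict) -> Entry:
    # Right to rectification: replace the off-chain row and append a new
    # commitment; the superseded entry stays in the chain as history.
    salt = db.put(record_id, corrected)
    return ledger.append("rectify", record_id, commitment(salt, corrected))


def erase(ledger: Ledger, db: OffChainStore, record_id: str) -> Entry:
    # Right to erasure: delete salt and record off-chain, log the erasure on-chain.
    db.delete(record_id)
    return ledger.append("erase", record_id, "")


def verify_record(ledger: Ledger, db: OffChainStore, record_id: str) -> bool:
    """True if the off-chain row still matches the latest on-chain commitment."""
    e = ledger.latest(record_id)
    if e is None or e.action == "erase" or record_id not in db.rows:
        return False
    salt, record = db.rows[record_id]
    return commitment(salt, record) == e.commit


def linkable_by_guessing(on_chain_value: str, guesses: list[dict]) -> bool:
    """Attacker with ledger access only: hashes candidate records without a salt
    (what a naive design would publish) and looks for a match."""
    return any(commitment(b"", g) == on_chain_value for g in guesses)
```

Note that `verify_record` also doubles as an integrity check: if the off-chain row is modified without a corresponding `rectify` entry, the recomputed commitment no longer matches and verification fails, which is the property the immutable ledger is there to provide.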

Document and communicate

The GDPR was never designed to stifle innovation. The aim was to make organisations treat personal data responsibly.

Keeping a compliance and decision log lets you demonstrate that the business made appropriate and proportionate decisions when implementing the project.

Within this documentation it is important to include:

  • what data is being stored
  • why it is appropriate for the business case
  • how it is protected
  • and the options evaluated.

There are outstanding areas that need to be addressed in depth before being confident in the compliance of a project. For these areas, we would recommend reading our paper in full or staying tuned for further bite-sized articles.

To read the full article, please refer to the Journal of Securities, Operations and Custody or contact ashley.kemballcook@qad.re


Ashley Kemball-Cook

Ashley is Co-Founder and Head of Business Development for Qadre, a blockchain product development firm. He has led blockchain projects across the pharmaceutical industry, luxury goods and media, and has advised law firms, tech companies, regulators, the EU Parliament, the UN and USAID. With Disberse, Ashley worked with the Financial Conduct Authority (FCA) to issue the first international distribution of humanitarian aid on a blockchain.

Lucie Munier

Lucie has experience across Asia within KPMG in their High Growth Group and with an innovative cybersecurity firm in Geneva. She currently combines her experience with high-growth innovation and her Law degree to lead Qadre’s work on policy and business development – working with the European Parliament and the UK Government. She also co-leads the international GovChain research project, researching the most successful blockchain projects around the world.