To assess GDPR’s compatibility with Blockchain (or Ephemeral Blockchain in this case) it is important to define each of them first and then look at where the two overlap or intertwine.
GDPR is the shortened form of the General Data Protection Regulation, which came into effect on 25th May 2018 and applies throughout the member states of the European Union (EU). It was designed so that companies or entities that handle and manage personal information are transparent about:
- What particular personal data is being collected
- What they intend to use it for and
- How they are going to use it
This can only happen with the consent of the individual whose personal information it is. The GDPR sets out seven key principles:
- Lawfulness, fairness, and transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality (security)
- Accountability
These principles should lie at the heart of any company’s approach to processing the personal data of customers. It is a limited way of thinking to assume this applies only to companies or commercial businesses; it is applicable to charities and organisations in the tertiary sector too.
Blockchain, globally recognised as the technology behind the popular cryptocurrency Bitcoin, is a technology used to safely and securely store transaction history across nodes (the computers that operate) in a network. The unique thing about it is that, through a process known as cryptography, none of the transaction history stored using the technology can be modified or changed. This is otherwise known as immutability: previously stored information on these transactions cannot be tampered with. People in the network act as gatekeepers of the platform.
What is Ephemeral Blockchain, you may ask? It is a slight contradiction to the explanation above, as not all Blockchains are created equal. It is a Blockchain that only exists for a certain amount of time. You see, the word ephemeral means:
‘lasting for a very short time’
Thus an ephemeral blockchain is a blockchain that exists for a short period or a limited amount of time.
How are the two compatible? What does each of these principles mean?
Blockchain is known for its transparency and its ability to show whether a transaction has occurred, so the 1st GDPR principle of transparency is met. Lawfulness and fairness, however, are addressed through an understanding of what Blockchain really is.
Besides being a technology, blockchain can also be interpreted as a network: a network of nodes or individual computers that behave like a governance structure for what goes on within the blockchain. Lawfulness can be assessed through the process of who is allowed on the platform, or what criteria you need to fulfil to join. If that is established, then lawfulness can be met.
Lastly, fairness can be satisfied through the strength of the network the Blockchain forms. A block of information can only be added through the verification by a collaboration of individuals or nodes in the network.
Purpose limitation in GDPR addresses the original purpose for which data was to be used and the reason it was collected. The purpose limitation principle prevents the use of personal data for new purposes if they are incompatible with the original purpose for collecting the data; GDPR contains more detail on assessing what constitutes compatibility of purpose. This can be achieved in Blockchain using a smart contract. A smart contract is a computer program that directly controls the transfer of digital currencies (in the case of Bitcoin and cryptocurrencies) or assets between parties under certain conditions. It is a computer protocol (or can be interpreted as a process or a procedure) intended to facilitate, verify or enforce the negotiation or performance of a contract digitally.
Smart contracts, in this case, can reduce misuse of personal data and prevent the data collected and processed from being used for anything other than the purpose for which it was intended. If the personal data collected is to be used for a different purpose, a new smart contract would need to be created.
Data Minimisation is a principle that states that data collected and processed under GDPR should not be held or further used unless it is essential to do so for reasons that are stated in advance to support data privacy. How does Blockchain satisfy that? Because the Ephemeral Blockchain self-destructs after a short period of time, you can program (again in the form of a smart contract) how long the data needs to be held before it, and the information on it, expires.
Accuracy can, to some extent, depend on who is inputting the data and can be subject to human error. GDPR states that the accuracy principle is:
“(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
Individuals have a stronger right to have inaccurate personal data corrected under the right to rectification than would be possible under the Data Protection Act 1998 in the UK. If you want to correct data in a previous block this can be done by either:
1) Adding a new block of information with the correct data (as quickly as possible)
2) Storing the information on an Ephemeral Blockchain, so that it is erased by virtue of not existing on the blockchain for a long period of time
Overall, modifying information already in the blockchain requires re-mining blocks, i.e. re-adding the transaction record to the history of transactions on the blockchain. After a block has been added to the chain, this takes a lot of computing power. So much computing power, in fact, that modifying blocks becomes very difficult to do.
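To make the purpose-limitation, retention and rectification ideas above concrete, here is a small added example (not code from the post or any real blockchain project) of a hypothetical hash-linked chain with a fixed lifetime. It assumes one chain per declared purpose, a whole-chain expiry time standing in for the smart-contract retention rule, and correction by appending a superseding block rather than rewriting history:

```python
import hashlib
import json

# Hypothetical toy "ephemeral chain" (constructed for this example).
GENESIS_PREV = "0" * 64

def block_hash(block):
    """SHA-256 over a block's contents, excluding its own stored hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EphemeralChain:
    def __init__(self, purpose, created, lifetime_s):
        self.purpose = purpose                # purpose limitation: fixed at creation
        self.expires = created + lifetime_s   # storage limitation: whole chain lapses
        self.blocks = []

    def add(self, subject, data, purpose, now):
        """Append a record; reject data declared for a purpose this chain was not created for."""
        if purpose != self.purpose:
            raise ValueError("purpose mismatch: create a new chain for a new purpose")
        if now >= self.expires:
            raise ValueError("chain has expired; no further records accepted")
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        block = {"index": len(self.blocks), "prev": prev, "subject": subject,
                 "data": data, "created": now}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block

    def verify(self):
        """Integrity: every block hashes correctly and links to its predecessor."""
        prev = GENESIS_PREV
        for b in self.blocks:
            if b["prev"] != prev or block_hash(b) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def current(self, now):
        """Accuracy: the latest block per subject wins. Nothing is readable once expired."""
        if now >= self.expires:
            return {}
        view = {}
        for b in self.blocks:   # later (rectifying) blocks override earlier ones
            view[b["subject"]] = b["data"]
        return view
```

Tampering with an earlier block's data is not hidden: the stored hash no longer matches and the chain fails verification, which is the detection step a controller would want before trusting the audit trail.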
Data Controllers should only store personal data for as long as is necessary for the specific purpose for which it was obtained. This can be addressed using Ephemeral Blockchain. According to the Data Protection Act, the storage limitation principle does not apply to personal data that has been anonymised and cannot be re-associated with the particular data subject.
Integrity and confidentiality (security)
For integrity and confidentiality, the focus in GDPR is on ensuring that appropriate security measures are in place to protect the personal data held. This is also known as the security principle. Blockchain is known for its security and robustness. Blockchain is secure because of cryptography, the process of encryption. Encryption is a way of turning data into code so that only the intended party for whom the message was sent can read it.
Cryptography makes it secure by creating a unique private key for each block of information on the blockchain that only accesses the specific block that private key is assigned to. If there is an attempt to open a block that the private key was not designed to access, it will not work. It can also act as a personal digital signature.
Accountability is one of the data protection principles: it makes you responsible for complying with GDPR and says that you must be able to demonstrate compliance. You need to put in place appropriate technical and organisational measures to meet the requirements of accountability. How can this be demonstrated using Blockchain? By having a public record and audit trail of the measures, processes and procedures that have been carried out to ensure GDPR compliance, and to show the compliance measures that have been taken. Blockchain would maintain records of procedures and compliance activities and can be used to help compliance officers keep track of the steps required by complex regulations.
In the face of overwhelming evidence, Ephemeral Blockchain can address GDPR principles and requirements that Blockchain (in its simplified definition) alone did not. But GDPR is not about giving specific rules and regulations… it is about epitomising and encapsulating the spirit of the general data protection regime. The principles are designed to stay relevant and current, whilst acknowledging that legislators will have to adapt and examine unprecedented scenarios that arise from technical and commercial progress. Fortunately, with the features of Ephemeral Blockchain (as opposed to Blockchain itself) it is possible to fulfil GDPR requirements and legislation for any business or institution that chooses to use this nascent technology.
Connect with Christiana on LinkedIn and Twitter