Security and risk managers must consider how GDPR applies to enterprise-sanctioned blockchain and personal data.
.jpg)
Garth Landers, Research Director, Gartner
Enterprises looking to enact blockchain technology must now also determine whether or not the information is subject to the EU’s General Data Protection Regulation (GDPR). Further, enterprises must explore if, at its core, blockchain is fundamentally a violation of GDPR. For example, a core tenet of blockchain is immutability or the idea that once data is recorded, it cannot be modified, versus the GDPR’s requirement that consumers be able to erase personal data.
Although blockchain might be initially seen as incompatible with the GDPR requirements, the reality is that enterprises must exercise caution and judgment — not that blockchain is no longer an option.
GDPR and blockchain form a powerful intersection of emerging governance and technology trends, although their unique characteristics raise immediate concerns about their mutual compatibility. Security and risk management leaders must implement safeguards to ensure that any blockchain designs comply with GDPR.
Identify whether GDPR applies
GDPR will generally be applied to any enterprise-sanctioned blockchain that contains personal data. Because of the breadth of the regulation, it’s possible enterprises won’t actually realize that it applies to their blockchain. Consider the following three questions when assessing your blockchain:
1.Do you offer goods or services to people in the EU?
2.Do you profile or monitor behavior (including online activity) of people residing in the EU?
3.Do you process personal data on EU residents on behalf of a company in the EU?
A “Yes” to any of these questions warrants further investigation into whether or not the technology is subject to GDPR. Don’t forget that even companies located outside of the EU are subject to the regulations if they work with data of EU citizens. Enterprises definitely want to establish whether GDPR applies, as noncompliance can incur a sanction to a maximum of 20 million euros or 4% of annual turnover, whichever is higher.
Blockchain’s immutability vs. personal data rights
GDPR contains a section dealing with “rights of the data subject.” This includes things such as people’s’ right to access the information processed on them, the right to correct and amend that information, and the right to take it elsewhere and erase it. Erasure or “the right to be forgotten” allows for deletion or removal of personal data where there exists no compelling reason for continued processing. Companies must have a protocol for removing the information, which at first glance is difficult for blockchain due to its immutability. However, the regulation also allows for pseudonymization, which allows companies to replace a name with a relatively anonymous label. Alternatively, it’s possible to create a blockchain where no personal information is stored in the chain, just a reference to the data, which is stored as a hash or token.
It’s possible to have blockchain and remain compliant with GDPR. However, it requires security and risk experts to work with blockchain architects to ensure all data is stored in a way that does not violate privacy laws. This might be done by, as noted, storing data differently or even architecting the blockchain in a permissioned way.