Blockchain and GDPR – You’re Doing It Wrong
The EU GDPR shift has businesses in a bit of a fit, to put it mildly. Further, the impact of combining Blockchain and GDPR has tied some technology-focused solutions in knots.
I argue here that there are solutions – but they need to be dealt with now.
The impacts of GDPR shouldn’t be underestimated – but they can be mitigated. If you want to understand the issues, I find this Wired UK article to be a pretty solid explainer of GDPR.
The most significant impact is the new “regime of fines” layered on top of new requirements and obligations. This combination creates an existential threat for companies operating in the EU.
But what do you do if you have a blockchain-based solution deployed or in development that seems impossible to align with GDPR requirements?
The crux of discussions about Blockchain and GDPR is a pair of needs that seem opposed – but they aren’t. Some parts (e.g. the right to be forgotten) seem hard – but if you use blockchain correctly, it becomes incredibly powerful.
NOTE: This article will evolve – I’ll be adding to it from time to time. I’ll do my best to list updates at the bottom. Some updates will be driven by questions and work I am doing – others will respond to respectful commenters.
Blockchain and GDPR
Many peddlers of FUD (fear, uncertainty and doubt) have been saying that GDPR and Blockchain are incompatible, but that’s a naive view. Blockchain-based solutions can provide immense value in a GDPR context, but if they are not created and maintained correctly, they can cause a massive problem.
Let’s discuss a few more complex and hairier aspects of GDPR and Blockchain.
Right to Be Forgotten.
Blockchain and GDPR seem at odds here. How can data on an immutable ledger be “forgotten”? For many naive solutions, it can’t, which means a massive GDPR liability amongst other ramifications.
A proper system anchors information to a ledger but does not put the actual data in the ledger. Further, it uses unique pairwise identifiers to ensure minimal correlation risk, which means you and your bank would have a unique set of identifiers that are meaningless to anyone else. If you sever the relationship, you stop acknowledging that identifier, assuming you’ve done your homework.
Alternatively, any data written to a blockchain/ledger could be uniquely encrypted. Hence, outsiders have no reasonable ability to see the information – but how does the company assure a person that it can’t read the data any longer?
Don’t Write Personally Identifiable Information (PII) To The Blockchain.
Here’s where many systems are incredibly naive. They treat a blockchain/ledger as a database. Bad mistake. It is a very poor database – slow, bulky, and hard to work with. Further, the ledger can’t be changed – this is a massive problem. If you have written PII to the blockchain, you may be way beyond help.
How Do I Know You Forgot Me?
Back to the GDPR and Blockchain side – what happens if I ask you to forget me? (Note: I am in Canada, not the EU, but you get my point.) You look at your blockchain and think, “oh sh**, it is immutable” – so what do you do?
- If you have used a blockchain properly, your Blockchain and GDPR problem may not be too bad.
- If you have written PII to the ledger, how can you tell me it is “gone”? Was it initially encrypted so only you and I could see it, and if so, can we destroy our keys?
- Do you need me to provide keys to access the data in the first place? (if so, I can say No, and we don’t have a problem).
What matters here is whether your company can answer the question, “did you really forget me?”.
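The design sketched above (anchors on the ledger, PII off it, pairwise identifiers per relationship, keys you can destroy) as a small working model. This is an added example, not code from the original post; the Ledger/Controller classes, the person secret and the toy stream cipher are constructed here for illustration, and a real deployment would use AES-GCM rather than the HMAC-based keystream.

```python
import hashlib
import hmac
import os

class Ledger:
    """Append-only: only pairwise IDs and hashes of ciphertext ever land here."""
    def __init__(self):
        self.entries = []  # nothing written here can ever be deleted

    def append(self, pairwise_id, anchor):
        self.entries.append((pairwise_id, anchor))

def pairwise_id(person_secret, organisation):
    """One identifier per (person, organisation) pair, so ledgers can't be correlated."""
    return hmac.new(person_secret, organisation.encode(), hashlib.sha256).hexdigest()

def keystream_xor(key, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode); stands in for AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Controller:
    """The company: per-relationship keys and encrypted PII live here, off the ledger."""
    def __init__(self, ledger):
        self.ledger = ledger
        self.keys = {}   # pairwise_id -> key; deleting the key is the 'forget'
        self.store = {}  # pairwise_id -> ciphertext

    def record(self, pid, pii):
        key = os.urandom(32)
        ciphertext = keystream_xor(key, pii)
        self.keys[pid], self.store[pid] = key, ciphertext
        # Anchor the ciphertext, never the plaintext: a hash of raw PII can be guessed.
        self.ledger.append(pid, hashlib.sha256(ciphertext).hexdigest())

    def read(self, pid):
        return keystream_xor(self.keys[pid], self.store[pid])

    def forget(self, pid):
        """Crypto-shred: drop key and ciphertext; the on-ledger anchor stays but is inert."""
        self.keys.pop(pid, None)
        self.store.pop(pid, None)

    def still_holds(self, pid):
        """Answers 'did you really forget me?': True if any key or ciphertext remains."""
        return pid in self.keys or pid in self.store
```

After forget(), the ledger still contains exactly the entry it did before, which is the point: the immutable part never held anything that needed forgetting.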
What Will You Do About GDPR?
I hear more and more C-level panic about GDPR. Boards are asking hard questions, and the CIO, CTO, and IT departments are struggling to provide answers. There are a few reasons for this struggle:
- Tech people speak “geek,” not “board speak” – translation, even using Google Translate, isn’t good.
- Boards are concerned about the massive GDPR liability – the impacts are horrendous and existential – putting new pressures on the tech team.
- Projects impacted by the combination of GDPR and Blockchain may have never considered the “forgotten” aspect. If your tech team went down the wrong path, you might need massive intervention to get into compliance.
- The overall impacts and obligations of GDPR are hard to grasp fully at both a business and a technical level. Perhaps they are understandable at each level on its own, but confusion results when you tie the two together.
So what can a company do about Blockchain and GDPR?
- Get some talent to dive in with both the board level and the technology team. Find someone who “gets business” but has deep enough tech chops to do the “board speak” to “geek” translation. Your CIO/CTO may already do this – but they are likely already stretched too thin. Get someone to bolster them.
- Get a GDPR expert on compliance into place and a technical lead that can help translate the GDPR-ese into “board speak” and “geek” – without this, you’re driving partially blind.
- Start now – May 2018 is approaching fast. Even if you’re already underway, your board needs to know that you’re on track.
If you’re curious about what you can do – reach out. I’m happy to have a quick chat.