To put it mildly, the EU's GDPR has businesses in a bit of a fit. Further, the combination of Blockchain and GDPR has tied some technology-focused solutions in knots. I argue here that there are solutions, but they need to be dealt with now.
The impacts of GDPR shouldn't be underestimated, but they can be mitigated. If you're looking to understand the issues, I find this Wired UK article to be a pretty solid explainer for GDPR. The biggest impact is the new "regime of fines" (up to 4% of worldwide annual turnover or €20 million, whichever is higher) layered on top of new requirements and obligations. This combination creates an existential threat for companies operating in the EU. But what do you do if you have a blockchain-based solution deployed or being built that seems impossible to align with GDPR requirements?
The crux of most discussions about Blockchain and GDPR is a pair of needs that seem diametrically opposed, but that isn't true at all. Some parts (e.g. the right to be forgotten) seem hard, but if you use blockchain correctly (anchors on the ledger, data and keys off it) the design that satisfies GDPR is also the stronger system.
NOTE: This article will evolve – I’ll be adding to it from time to time. I’ll do my best to list updates at the bottom. Some updates will be driven by questions and work that I am doing – others to respond to respectful commenters.
Blockchain and GDPR
Many peddlers of FUD (fear, uncertainty and doubt) have been saying that GDPR and Blockchain are incompatible but that’s a naive view. Blockchain-based solutions can provide immense value in a GDPR context but if they are not created and maintained correctly they can create a massive problem.
Let’s discuss a few of the harder and hairier aspects of GDPR and Blockchain.
Right to Be Forgotten
Blockchain and GDPR seem at odds here. How can data on an immutable ledger be "forgotten"? For many naive solutions it can't, and that means a massive GDPR liability amongst other ramifications. A proper system anchors information to a ledger (a salted hash or similar commitment) but does not put the actual information in the ledger. Further, it uses unique pairwise identifiers to ensure that there is minimal correlation risk. This means you and your bank would have a completely unique set of identifiers that are meaningless to anyone else, and that can't be linked to the identifiers you use with your telco or your insurer. If you sever the relationship you stop acknowledging that identifier and delete the off-ledger data it pointed to, assuming you've done your homework.
Alternatively, any data written to a blockchain/ledger could be encrypted under a key unique to that person and relationship, so outsiders have no reasonable ability to see the information. But how does the company assure a person that it can't read the data any longer? The best available answer is the verifiable destruction of every copy of the key (often called crypto-shredding), and whether a regulator accepts that as erasure is still an open question. Either way it has to be designed in from day one: you can't retrofit per-person keys onto data that was written in the clear.
Don’t Write Personally Identifiable Information (PII) To The Blockchain
Here's where many systems are incredibly naive: they treat a blockchain/ledger as a database. Bad mistake. It is a very poor database really (slow, bulky, and hard to work with) and, more importantly, it can't be changed. If you have written PII to the blockchain you may be way beyond help.
How Do I Know You Forgot Me?
Back to the GDPR and Blockchain side: what happens if I ask you (note: I am in Canada, not the EU, but you get my point) to forget me? You look at your blockchain and think "oh sh**, it is immutable", so what do you do?
- If you have used a blockchain properly your Blockchain and GDPR problem may not be too bad.
- If you have written PII to the ledger how can you tell me that it is “gone”? Was it initially encrypted so only you and I could see it, and if so can we destroy our keys? Do you need me to provide keys to access the data in the first place (if so I can say No and we don’t have a problem).
The question here is whether or not your company can answer the question “did you really forget me?”.
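To make the pattern from the sections above concrete (anchor a commitment on the ledger, keep the PII and its key off the ledger, use a pairwise identifier per relationship, and answer an erasure request by destroying the key and the off-chain record), here is an added example. It is illustration written for this page, not code from the article or from any particular blockchain product; the names `Controller`, `Ledger`, `pairwise_id`, the HMAC-SHA256 counter-mode cipher (a stand-in for a real AEAD such as AES-GCM) and the sample record are all assumptions. The `ledger_contains` check at the end is the audit a practitioner should be able to run against any ledger that claims to be GDPR-friendly: no PII value should ever appear on it verbatim.

```python
# Added illustration for this article (assumed names and a stand-in cipher).
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def pairwise_id(subject_secret: bytes, counterparty: str) -> str:
    """Relationship-specific identifier: without subject_secret, the IDs a
    person uses with a bank and with a telco cannot be linked to each other."""
    return hmac.new(subject_secret, counterparty.encode(), hashlib.sha256).hexdigest()[:32]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for a real AEAD (assumption:
    use AES-GCM or ChaCha20-Poly1305 in production, this has no integrity tag)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    nonce = secrets.token_bytes(16)
    return nonce, bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def commitment(salt: bytes, plaintext: bytes) -> str:
    """The only thing that goes on the ledger: a salted hash. It proves the
    record existed when anchored, and reveals nothing without salt and record."""
    return hashlib.sha256(salt + plaintext).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    pairwise_id: str
    commitment: str


@dataclass
class Ledger:
    """Append-only on purpose: there is no delete or update method."""
    entries: list[LedgerEntry] = field(default_factory=list)

    def append(self, entry: LedgerEntry) -> None:
        self.entries.append(entry)


class Controller:
    """Company-side state: encrypted off-chain records plus the keys for them."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.keys = {}      # pairwise_id -> key (one key per person and relationship)
        self.records = {}   # pairwise_id -> (salt, nonce, ciphertext), held off-chain

    def onboard(self, pid: str, record: dict) -> LedgerEntry:
        plaintext = json.dumps(record, sort_keys=True).encode()
        key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        nonce, ct = encrypt(key, plaintext)
        self.keys[pid], self.records[pid] = key, (salt, nonce, ct)
        entry = LedgerEntry(pid, commitment(salt, plaintext))
        self.ledger.append(entry)
        return entry

    def read(self, pid: str) -> dict | None:
        if pid not in self.keys:
            return None
        salt, nonce, ct = self.records[pid]
        return json.loads(decrypt(self.keys[pid], nonce, ct))

    def verify_anchor(self, pid: str) -> bool:
        """Re-derive the commitment from the off-chain record and check that the
        ledger holds it. Once the key is gone this is impossible: that is the point."""
        record = self.read(pid)
        if record is None:
            return False
        expected = commitment(self.records[pid][0], json.dumps(record, sort_keys=True).encode())
        return LedgerEntry(pid, expected) in self.ledger.entries

    def forget(self, pid: str) -> None:
        """Erasure request: destroy the key and the off-chain record. The ledger
        entry stays, but nothing can turn it back into a person."""
        self.keys.pop(pid, None)
        self.records.pop(pid, None)


def ledger_contains(ledger: Ledger, values: list[str]) -> bool:
    """Audit check: does any PII value appear verbatim anywhere on the ledger?"""
    blob = json.dumps([e.__dict__ for e in ledger.entries]).lower()
    return any(v.lower() in blob for v in values)
```

Usage: create a `Ledger`, a `Controller` for the bank, derive `pid = pairwise_id(subject_secret, "bank")`, call `onboard(pid, {...})`, confirm `verify_anchor(pid)` is true and `ledger_contains(ledger, [name, email])` is false, then call `forget(pid)` and confirm `read(pid)` is `None` while the ledger still has its one inert entry. In a real deployment the key store is the part that needs hardware backing and an audit trail, because "we deleted the key" is the claim you will be asked to prove.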
What Will You Do About GDPR?
I'm hearing more and more C-level panic about GDPR. Boards are asking hard questions and the CIO, CTO, and IT departments are struggling to provide answers. There are a few reasons for this struggle:
- tech people speak "geek" not "board speak", and translation between the two, even using Google Translate, isn't good.
- boards are concerned about the massive GDPR liability – the impacts are horrendous and existential – and that puts new pressures on the tech team.
- projects that are impacted by the combination of GDPR and Blockchain may have never considered the “forgotten” aspect. If your tech team went down the wrong path, you may need a massive intervention to get into compliance.
- the overall impacts and obligations of GDPR are hard to fully grasp from a business level and technical level. Perhaps they are understandable at each level – but when you tie the two together confusion results.
So what can a company do about Blockchain and GDPR?
- Get some talent to dive in with both the board level and the technology team. Find someone that “gets business” but has deep enough tech chops that they can do the “board speak” to “geek” translation. Your CIO/CTO may already do this – but they are likely already stretched too thin. Get someone to bolster them.
- Get a GDPR expert on compliance into place and a technical lead that can help translate the GDPR-ese into “board speak” and “geek” – without this you’re driving partially blind.
- Start now: GDPR applies from 25 May 2018, and that is approaching fast. Even if you're already underway your board needs to know that you're on track.
If you’re curious about what you can do – reach out. I’m happy to have a quick chat.
- 2017-12-15 – initial article
Also published on Medium.