Comment: Can GDPR and blockchain co-exist?
- by 7wData
The EU’s General Data Protection Regulation (GDPR), due to be enforced on 25 May, implements new rights for people accessing the information companies hold about them and business obligations for better data management. GDPR defines personal data as “anything that relates to an identifiable, living individual whether it actually identifies them or makes them identifiable”. Luke Sayer asks if the two are in any way compatible.
We are continuously advising companies of the need to explain their data processing through applicable policies. How companies handle personal data will vary; the GDPR recognises this by creating distinctions between data controllers and data processors. A data controller is an entity that determines the purpose and manner in which personal data is used. A data processor processes the data on behalf of the controller, i.e. obtaining, recording, adapting and holding personal data.
The GDPR aims to give individuals the right of control and power over who can access their data. One such right is the right to have inaccurate personal data rectified, blocked or destroyed where applicable. Further to this, individuals will have the right to be forgotten; to have their data transferred to another data storage provider, or deleted entirely.
Companies will be more accountable than ever for their handling of data, so how can the much-heralded blockchain technology assist?
Blockchain
Originally developed as the accounting method for the virtual currency Bitcoin, blockchains – which use what is known as distributed ledger technology (DLT) – are appearing in many commercial applications today. The technology is primarily used to verify transactions within digital currencies though it is possible to digitise, code and insert any document into the blockchain. This creates an indelible record that cannot be changed; furthermore, the record’s authenticity can be verified by the entire community (each a node, i.e. computer connected to the network) using the blockchain instead of a single centralised authority.
On a public blockchain, you can browse the complete history of all transactions. Each transaction will be linked to a public key, representing a particular user. Although that key is encrypted, it is possible to trace all transactions associated with a public key – specifically to ensure that the individual is associated with each transaction to avoid ‘double spending’ of an asset.
Under the comprehensive definition of personal data within the GDPR, it is possible that a public key associated with an individual will qualify. In theory, the public key might display information (maybe an IP address or connection with a website) that allows an individual to be identified via blockchain forensics. This is certainly not possible on all occasions but remains a valid concern when considering blockchain technology against the backdrop of the GDPR.
In summary, the two main features of the blockchain are: (i) information cannot be removed from the blockchain; and (ii) information transiting through the blockchain is visible to every node (subject to the public/private blockchain distinction below).
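The two features summarised above can be seen in a toy hash-chained ledger. This is an added example, not part of the original article: it is a simplification with no consensus or signatures, the function names are hypothetical, and the sample transactions and keys are constructed. It shows that any node can list every transaction tied to one public key, and that blanking that key in place (a naive "right to be forgotten") makes the chain fail verification.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(index, prev_hash, tx):
    """Hash a block's contents together with the previous block's hash."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(transactions):
    """Build a toy ledger in which each block commits to the one before it."""
    chain, prev = [], GENESIS
    for i, tx in enumerate(transactions):
        tx = dict(tx)  # copy so later edits do not touch the caller's data
        h = block_hash(i, prev, tx)
        chain.append({"index": i, "prev": prev, "tx": tx, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Return the index of the first block failing verification, or None."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], prev, b["tx"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def history_for_key(chain, pubkey):
    """Feature (ii): every node can list all transactions tied to one key."""
    return [b["index"] for b in chain if pubkey in (b["tx"]["from"], b["tx"]["to"])]

def erase_in_place(chain, pubkey):
    """Naive erasure: blank the key wherever it appears, without rehashing."""
    for b in chain:
        for side in ("from", "to"):
            if b["tx"][side] == pubkey:
                b["tx"][side] = "ERASED"

# Constructed sample data; the keys are made-up placeholders.
SAMPLE_TXS = [
    {"from": "pk_alice", "to": "pk_bob", "amount": 5},
    {"from": "pk_bob", "to": "pk_carol", "amount": 2},
    {"from": "pk_carol", "to": "pk_alice", "amount": 1},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_TXS)
    print("carol's history:", history_for_key(chain, "pk_carol"))
    erase_in_place(chain, "pk_carol")
    print("first invalid block after erasure:", first_invalid_block(chain))
```

Recomputing the hash of the edited block does not rescue the chain, because the next block still commits to the old hash; every later block would have to be rewritten and accepted by the other nodes.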
The difference between public and private blockchains
The sole distinction between public and private blockchains is related to participation in the network, execution of the consensus protocol and maintenance of the shared ledger. A public blockchain is accessible and anyone can participate in the network. Bitcoin is the best example of a public blockchain.
A private blockchain requires an invitation, with validation required by either the network starter or a set of rules implemented by them. Businesses that set up a private blockchain will generally set up a permissioned network, i.e. one that restricts participation in the network and in which transactions. Only entities participating in a particular transaction will have knowledge of and access to it.