US companies looking at blockchain as an expedient and inexpensive path to General Data Protection Regulation (GDPR) compliance should look skeptically. Oxford Senior Law Lecturer Michelle Finck recently wrote, “It is safe to assume that most blockchains are not GDPR compliant,” adding, “because they cannot implement” basic GDPR-guaranteed rights. The IT department, whose personnel may see blockchain as the path to all things digital, should be asked to take a deep breath and listen to the legal and compliance folks.
“Heresy!” may cry IT personnel, for whom blockchain is often what a shiny object is to a magpie. A calm, reasoned analysis, however, shows why blockchain may be fundamentally incompatible with the GDPR.
The General Data Protection Regulation, which goes into full effect on May 25, 2018, affects all organizations, wherever they are located, that provide goods or services to people within the 28 countries of the European Union or that monitor the digital behavior of EU data subjects through, among other things, online profiling and tracking. It protects the personal data of these individuals – data that can be traced to an identifiable person. The GDPR gives these data subjects the right to access data held by an organization and to request its correction or deletion (sometimes called “the right to be forgotten,” and codified in Article 17 of the GDPR).
Blockchain is best known as the algorithmic system by which virtual currencies such as Bitcoin are traded, but it has been used for many other types of information management. At its essence, blockchain is, according to the publication FinTech Weekly, defined in plain English as “a permissionless distributed database (originally) based on the bitcoin protocol that maintains a continuously growing list of transactional data records hardened against tampering and revision, even by operators of the data store’s nodes” (emphasis supplied).
And here lies the conflict. While such illustrious publications as the Harvard Business Review have extolled the great potential of blockchain for managing even the most sensitive personal information, medical records, blockchain as currently configured is fundamentally inconsistent with the GDPR for the management of personal data, because a core characteristic of blockchain is its immutability, its “tamper-proof nature.” If one cannot “tamper with,” i.e., revise, a subject’s data, one cannot meet the GDPR’s requirement to provide for revision or deletion of that information.
Not all uses of blockchain will implicate GDPR because not all will involve personal data. But blockchain, as Lecturer Finck stated in her Oxford Law piece, is fundamentally inconsistent with GDPR for medical records, human resources, certain sales data and other data that can be traced to identifiable persons. Compliance and Legal should make this point clear to IT.
This series on the road to GDPR compliance will continue until May 25, 2018. If you have questions or need assistance in your GDPR initiative, please contact Kenneth N. Rashbaum.