The European Union General Data Protection Regulation (“GDPR”) was approved by the EU Parliament on April 14, 2016, and came into force and effect on May 25, 2018. Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. As such, PlannerScape will be subject to the GDPR regulation when it develops business and clients in the EU region.
Being a SaaS company, PlannerScape treats GDPR legislation and privacy in general as one of its main concerns. Therefore, PlannerScape’s platform is designed and developed with privacy in mind. We also use blockchain technology, which raises specific concerns under the GDPR. This article describes those concerns and how we are addressing them.
What is GDPR?
The GDPR is the most important change in data privacy regulation in 20 years; it replaces the Data Protection Directive 95/46/EC. The GDPR aims to strengthen privacy and personal data protection in the EU by granting individuals more control over their personal data. The regulation will fundamentally reshape the way in which data is handled across every sector, including the blockchain industry, with the risk of heavy fines in case of non-compliance.
How does blockchain conflict with GDPR regulation?
The GDPR legislation contains explicit rules concerning the rights of the client/user, including right of consent, right to access, privacy by design, right to be forgotten, data portability, etc.
Blockchain is a relatively new technology and was not yet mainstream when the GDPR was being drafted. As a result, blockchain technology conflicts with the GDPR in several ways, the two main points of conflict being:
- Privacy by design
- Right to be forgotten
Privacy by design
Privacy by design as a concept has existed for years, but it only becomes a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the outset of system design, rather than as an afterthought. This means that when developing our platform, PlannerScape should architect solutions with privacy as a foundational consideration rather than a secondary thought, including where in the world data is stored and/or transferred to. More specifically, the GDPR provides that the data controller shall implement appropriate technical and organizational measures in an effective way in order to meet the requirements of the regulation and protect the rights of data subjects.
Right to be forgotten
According to the GDPR, users and clients (referred to in the GDPR as “data subjects”) have the right to ask the data controller (in our case, PlannerScape) to correct their personal information in case of inaccuracy or to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. This “right to be forgotten” is the most important and critical provision of the GDPR from a blockchain point of view. It enables individuals to request that PlannerScape permanently delete their personal information and all the data related to them from the database in which it is stored. In other words, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the data subject withdraws the consent on which the processing is based, there is no longer any legal ground for retaining them.
Can blockchain technically comply with the GDPR regulation?
The next question is about technical compliance. Given the above requirements, can blockchain technology be used and/or modified in such a way that it is GDPR compliant? In order to answer this question, we must look at where blockchain conflicts with the GDPR.
Points of Conflict
It is not surprising that the GDPR causes much debate and many concerns in the blockchain industry. While the GDPR was designed to be platform agnostic, its requirements for data editing and data deletion seem to be in direct conflict with the way blockchain technology functions. The biggest features of blockchain that are also technical conflicts from a GDPR perspective are:
- The identity of the data controller
- The right to be forgotten
Data controller: who controls the data?
While the GDPR puts a lot of accountability on data controllers, which are easy to identify in centralized organizations, it is another story for blockchain. It is very difficult to determine who falls within the roles the GDPR defines and who really is in control of the data in a decentralized blockchain environment. The personal data could be partially or jointly controlled by the organization, the miners, the coders, and the user.
The major point of conflict between blockchain and the GDPR is the previously mentioned right to be forgotten. The GDPR mandates that it must be possible for any personal data of EU citizens stored within a business to be altered or deleted at the request of the individual to whom that data pertains.
The immutable nature of the blockchain’s decentralized ledger, which guarantees the integrity of the records in the chain in terms of security and accuracy, is a core idea of blockchain technology. Because of this “immutability of records” principle, any data contained in blockchain transactions is virtually impossible to modify or erase in order to meet GDPR requirements: it stays there forever. Therefore, instead of a right to be forgotten, in blockchain there is a right to never forget.
There is a lot of debate going around how to solve the GDPR compliance issues for blockchain. There is no perfect solution yet, but there are a few options available that can help solve parts of the problem.
- Off-chain storage
- Deletion of encryption keys
- Pseudonymization and anonymization
Off-chain storage
One potential solution that PlannerScape is employing is to segregate the types of data stored on the chain. All personally identifiable information is stored in a separate “off-chain” database; only references, non-personal information such as reviews and ratings, and a hash of the off-chain data are written to the blockchain. The hashes stored in the blockchain layer serve as control pointers to the GDPR-sensitive data. This helps with data editing, data deletion, and data control.
However, at the time of this writing, it is still unclear whether hashes constitute personally identifiable information as defined by the GDPR.
Deletion of encryption keys
An alternative solution which PlannerScape might use in the future is to keep personal information on the blockchain while making it impossible to access if the client/user demands its deletion. This could be achieved by encrypting all personal data with a key that allows access to an individual’s information stored on the blockchain, and that can be revoked and deleted on request or after some interval.
In the event that a user/client requests that their blockchain data be erased, the key would be deleted. This would render their information unobtainable and, in effect, lost in the blockchain permanently.
A technical and possibly legal concern here is that if the encryption scheme used for storing the data becomes compromised, all data on the blockchain would become publicly visible.
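As an added example (not PlannerScape’s code), the key-deletion approach above: each user’s personal data is encrypted with that user’s own key before it goes on the immutable chain, and “forgetting” the user means deleting the key. The compromise concern is modelled as a key copy that escaped the key store. The SHAKE-256 keystream cipher, the record layout and all names are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo: an append-only "chain" and a deletable key store.
# The SHAKE-256 keystream cipher below is a stand-in for a real AEAD such as
# AES-GCM, used only so that the example runs offline with the standard library.
chain = []       # records are appended and never removed (immutability)
key_store = {}   # user_id -> 32-byte key; the only thing we are allowed to delete

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)

def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with a fresh random nonce per record."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt(key: bytes, blob: dict):
    """Return the plaintext, or None if the key is wrong or the record was altered."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def store_personal_data(user_id: str, pii: bytes) -> int:
    """Encrypt with the user's own key; only ciphertext reaches the chain."""
    key = key_store.setdefault(user_id, os.urandom(32))
    chain.append({"user_id": user_id, **encrypt(key, pii)})
    return len(chain) - 1          # index of the on-chain record

def read_personal_data(user_id: str, index: int):
    key = key_store.get(user_id)
    if key is None:
        return None                # key shredded: record is on-chain but unreadable
    return decrypt(key, chain[index])

def forget_user(user_id: str) -> None:
    """Crypto-shredding: delete the key; the ciphertext stays on the chain."""
    key_store.pop(user_id, None)

def chain_entry(index: int) -> dict:  # raw on-chain record, visible to anyone holding the ledger
    return chain[index]

def key_copy(user_id: str) -> bytes:  # models a key that escaped the store (backup or leak)
    return bytes(key_store[user_id])
```

Deleting the key only helps if no other copy of it exists: a copy taken before `forget_user` still decrypts the on-chain record, which is exactly the compromise scenario above.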
Pseudonymization and anonymization
Another interesting solution for GDPR compliance is the use of pseudonymization techniques in combination with data stored off-chain. For data to be considered pseudonymous under the GDPR, it must “no longer be attributed to a specific data subject without the use of additional information”. Pseudonymization with pointers to personal data stored off-chain, in a manner that allows the personal data to be destroyed, removes the link to the data on the chain and renders it anonymized; this may allow a user to remove all of their personal information from the chain, as the GDPR’s right to be forgotten requires.
Again, just as with off-chain storage, the open question is whether hashes fall under the definition of personally identifiable information.
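The off-chain storage and pseudonymization approaches above, as one added example that is not PlannerScape’s code: the chain holds only a rating and a salted hash of the personal data, the salt lives off-chain together with the PII, and erasing the off-chain record breaks the link while the chain stays untouched. The record layout, the salting choice and all names are assumptions for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo: the "chain" is an append-only list that is never edited;
# the off-chain store is an ordinary database we may delete from. Only a
# salted hash (the pseudonymous pointer) and non-personal data go on-chain.
chain = []        # append-only records
off_chain = {}    # record_id -> {"salt": bytes, "pii": dict}

def _canonical(pii: dict) -> bytes:
    return json.dumps(pii, sort_keys=True, separators=(",", ":")).encode()

def commitment(salt: bytes, pii: dict) -> str:
    """Salted SHA-256 over the canonical encoding of the personal data."""
    return hashlib.sha256(salt + _canonical(pii)).hexdigest()

def _entry(record_id: str) -> dict:
    return next(e for e in chain if e["record_id"] == record_id)

def register(record_id: str, pii: dict, rating: int) -> dict:
    """PII and a random salt go off-chain; rating plus the hash go on-chain."""
    salt = os.urandom(16)
    off_chain[record_id] = {"salt": salt, "pii": pii}
    entry = {"record_id": record_id, "rating": rating, "pii_hash": commitment(salt, pii)}
    chain.append(entry)
    return entry

def verify(record_id: str) -> bool:
    """Integrity check: does the off-chain record still match its on-chain hash?"""
    stored = off_chain.get(record_id)
    if stored is None:
        return False   # nothing left off-chain to verify
    return hmac.compare_digest(_entry(record_id)["pii_hash"],
                               commitment(stored["salt"], stored["pii"]))

def erase(record_id: str) -> None:
    """Right to be forgotten: drop the PII and the salt; the chain is untouched."""
    off_chain.pop(record_id, None)

def linkable_by_guess(record_id: str, candidate_pii: dict) -> bool:
    """Could someone holding only the ledger re-link the hash to a guessed identity
    by hashing the guess? With the salt never on-chain, a plain hash of the guess fails."""
    plain_guess = hashlib.sha256(_canonical(candidate_pii)).hexdigest()
    return hmac.compare_digest(_entry(record_id)["pii_hash"], plain_guess)
```

The salt is what keeps the on-chain hash from being a plain fingerprint of an e-mail address; once the off-chain record (salt included) is erased, even the controller can no longer re-derive or verify it.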
Considering the points of conflict, PlannerScape’s blockchain use cases and the available technical solutions, the answer to the question of PlannerScape’s GDPR compliance is “yes”. PlannerScape’s blockchain can comply with GDPR legislation, though more work needs to be done by legislators to interpret the legislation for more use cases, and by PlannerScape to cater to those scenarios.