#IRMS18 Can Blockchain be Compliant with GDPR?
She called the relationship between the regulation and distributed ledger “critical” as data protection officers need to understand its impact, how it sits with data subject rights and the Right to be Forgotten.
“Critical is the implementation of privacy by default and design with the technology,” she said. “When presented with a technology like Blockchain, what does a DPO do? Well you conduct your data protection impact assessment over the technology.”
She agreed that it is “very robust and secure and unlikely to be encountering challenges” regarding loss of personal data, but how does it sit with data retention?
From a regulatory perspective, Heward-Mills acknowledged that there is no central regulation required, but is it desired? In terms of how GDPR applies to Blockchain, she asked the audience if encrypted data and metadata is still considered to be personal information?
“Where there are decentralized systems, how does the legislation actually apply? Is it still fit for purpose?”
Looking at the key principles, she rated Blockchain against the principles of Article Five of the GDPR:
These were as follows:
“Processed lawfully, fairly and in transparent manner” – Not transparent due to encryption
“Collected for specified, explicit and legitimate purpose” – Arguably legitimate – for authentication purposes
“Adequate, relevant and limited to what is necessary” – Not necessary, ledger exists forever
“Accurate and where necessary, kept up to date” – May not be accurate, and no way to delete it
“Identification for no longer than necessary” – Not necessary, ledger exists forever
“Processed in a manner that ensures its security” – Secure, due to encryption
Heward-Mills said that with the GDPR, privacy by design was one of central pillars but with Blockchain, it is decentralized, everyone has a ledger and how is it possible to regulate in a decentralized way of operating?
She acknowledged that there is an “opportunity to shape the approach of supervisory authorities in this context” as the regulators were still figuring out how to work with such technology.
Following on with the role of the DPO in this, she said there will be a critical role in shaping how the regulators respond to this emerging technology, but what we can offer “is the voice of corporate reality and challenges that are presented in using this technology.”
She said: “This is a really exciting time. Given that the regulator wants to receive perspectives from practitioners, I think we have a real opportunity to shape the future of this technology.”
Concluding, Heward-Mills said that there is some uncertainty on how it is evolving and how it is being regulated, but it is growing in importance and there will be more discussion on how it is applied.
“It is not always anonymous and it is possible through different data sets to decode on use and individuals behind the ledger and either we need to find some exemption in terms of how Blockchain is perceived, and its application under data protection laws, but the law needs to be updated as there are certain principles that are so incompatible fundamentally.”
Source: Information Security Magazine