News Centre

Blockchain and GDPR – The Constant Dilemma

Blockchain and GDPR enthusiasts often come to a clash with each other on which one is to take precedence. While the former presents a revolutionary way for which governments and entrepreneurs can operate through an immutable ledger, the latter seeks to protect the individual’s privacy rights through various rights including the right to be forgotten. Thus, a debate arises on whether these two systems can operate harmoniously together from which the public can stand to prosper.

Since GDPR and Blockchain have different operations, this may present a headache for legislators on how to overcome the challenges which a harmonious application would present. While GDPR is based on CRUD operations (Create, Read, Update, Delete) therefore allowing its data subjects to delete or update the already inputted personal data, blockchains rely on CRAB operations (Create, Retrieve, Append, Burn), and thus data stored on the blockchain is immutable and can neither be deleted nor amended. An idea which is almost GDPR compliant is that in the case a deletion of data stored on a Blockchain is required, one should away the encryption keys, thereby burning the linking data as no one will have access to it even though it would still be there existing. This however is not equivalent to the deletion of data as stated in the GDPR. It would be an easier task to make the blockchain technology GDPR compliant if the regulation is to bend its rules a little thereby removing such irreconcilable differences while accommodating newer technologies.

An easy way to work around issues where GDPR and blockchain are not compliant is to store personal data off-chain and having only the reference to this data and its hash stored on the blockchain. In practice however, this can be a tedious and time-consuming task when compared to the old storing and retrieving blockchain method. However, this method is fully GDPR compliant as when the off-chain data is deleted, the reference and hash would lead to nowhere. A problem which is yet to be tackled is that blockchain technology has no geographical unit as it can be accessed anywhere worldwide, while on the other hand, GDPR only applies to those countries which have conformed to the regulation; therefore, it is confusing which blockchain has to be GDPR compliant or not.

The ideal combination would be having GDPR paired with Blockchain technology, thereby having technological advances secured within a legal framework which also protects rights of the individuals who are using such means. The problem with GDPR and Blockchain has emerged solely because when the GDPR regulations were being enacted, blockchain was not given any notice and thus, the regulation was not written to be in conformity with blockchain. However, given the increasing interest in blockchain, one can only predict that it is only a matter of time before the EU emerges with a solution on how to resolve this problem.