Blockchain And EU Privacy Laws: A Three-Step Guide To Compliance
What are managers to do when one of the most progressive privacy laws runs smack into one of the most promising technologies? How do you manage seemingly conflicting opportunities when it can be argued that both are equally important to your organization’s success?
I am referring to the European Union’s recently enacted “right to be forgotten” law, officially known as General Data Protection Regulation (GDPR), and Blockchain technology, unofficially hailed as a critical advancement in securing digital operations thanks to its democratic distribution of data and its generally immutable nature.
As with many exciting new technologies, the hype surrounding Blockchain has been extreme and prompted a tidal wave of corporate experimentation that has proven one thing: Blockchain is not a good fit for all applications, but for some, it is an exceptional fit. It is our belief at the Digital Supply Chain Institute (DSCI) that many supply chain operations belong in the exceptional category. To assist in determining high-potential Blockchain applications, DSCI has developed a portfolio of tools including the Blockchain Fitness Index (BFI) and the Blockchain Return Index (BRI).
Many commentators have concluded that GDPR and Blockchain technology are fundamentally incompatible, the digital equivalent of oil and water. At the request of our member companies, DSCI worked with two leading international law firms to understand the new privacy law as it applies to this nascent technology.
Our conclusion is that GDPR and Blockchain can happily coexist, and we offer a framework for addressing GDPR compliance in a Blockchain network. We do not believe that Blockchain technology and data protection and privacy are inherently contradictory. Quite the opposite. A Blockchain solution that respects the fundamental principles of data protection and privacy is possible if the following three guiding principles are followed.
Keep it private
While the most common vision of Blockchain is of a fully public network where anyone can join, there are also private, permissioned networks where participants must be approved before they can join. Because anyone can join a public Blockchain, it is impossible to ensure participants agree to the necessary rules around the protection of personal data. As a result, starting with a private network is the first step on the path toward a GDPR-compliant Blockchain solution.
Don’t get personal
The most obvious way to avoid GDPR compliance issues is to use a Blockchain approach that does not handle any personal information. While keeping a solution completely free of personal data will likely be very difficult, it is not impossible. Encryption and middleware software provide potential solutions.
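One concrete shape the "encryption and middleware" approach can take is to keep personal data in an off-chain store, encrypted under a per-data-subject key, and to write only a hash of the ciphertext to the ledger. An erasure request is then honoured by deleting the subject's key and the off-chain ciphertext (often called crypto-shredding); the ledger itself is never rewritten, so its hash chain stays valid. The following Python is an added illustration of that pattern and is not code from DSCI or from this article; the hash-chained `Ledger`, the `OffChainVault` middleware layer and the HMAC-based stream cipher are all assumptions made for the example (a production system would use a vetted AEAD such as AES-GCM and a real ledger client).

```python
import hashlib
import hmac
import json
import os

# --- Illustrative cipher: HMAC-SHA256 in counter mode plus an HMAC tag. ---
# Constructed for this example only; use a vetted AEAD in real deployments.

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys so one secret is never reused."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per record
    means the ciphertext (and any hash of it) reveals nothing about the plaintext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Toy hash-chained ledger: stores commitments only, never personal data. ---

def _block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"index": len(self.blocks), "prev": prev, "commitment": commitment}
        block["hash"] = _block_hash(block)
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> bool:
        """True if every block's hash and back-link are intact (nothing rewritten)."""
        prev = "0" * 64
        for i, b in enumerate(self.blocks):
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["index"] != i or b["prev"] != prev or _block_hash(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def serialize(self) -> str:
        return json.dumps(self.blocks, sort_keys=True)

# --- Middleware: the only component that ever sees plaintext personal data. ---

class OffChainVault:
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.keys = {}      # subject_id -> per-subject key (deleted on erasure)
        self.records = {}   # record_id  -> ciphertext blob (deleted on erasure)
        self.index = {}     # subject_id -> [record_id, ...]

    def store(self, subject_id: str, personal_data: dict) -> str:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        ct = encrypt(key, json.dumps(personal_data, sort_keys=True).encode())
        record_id = hashlib.sha256(ct).hexdigest()   # commitment to the ciphertext
        self.records[record_id] = ct
        self.index.setdefault(subject_id, []).append(record_id)
        self.ledger.append(record_id)                # hash goes on-chain, data does not
        return record_id

    def read(self, subject_id: str, record_id: str):
        key, ct = self.keys.get(subject_id), self.records.get(record_id)
        if key is None or ct is None:
            return None                               # erased or never existed
        return json.loads(decrypt(key, ct).decode())

    def erase_subject(self, subject_id: str) -> int:
        """Right-to-erasure: shred the key and drop the ciphertext; ledger untouched."""
        self.keys.pop(subject_id, None)
        removed = 0
        for rid in self.index.pop(subject_id, []):
            if self.records.pop(rid, None) is not None:
                removed += 1
        return removed
```

The check a practitioner should make with a design like this is that `ledger.serialize()` never contains any personal data in any form, before or after erasure, and that `ledger.verify()` still returns `True` once records have been shredded. Whether a hash that once committed to a subject's ciphertext still counts as personal data is exactly the kind of question the article leaves to regulators.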
Set the rules up front
A GDPR-compliant Blockchain solution has a lot of requirements to satisfy. That means rules—for everybody. A GDPR-compliant commercial Blockchain solution will require a governance framework that is contractually binding on all participants and clearly sets out each party’s rights and responsibilities.
In our view, a GDPR-compliant Blockchain solution can exist where that solution involves a defined group of participants, all of whom agree to a common contractual governance framework. However, this will require steps to be taken by regulatory authorities and technology providers, such that the outstanding privacy challenges posed by Blockchain (but not fully addressed by legislation or regulatory guidance) can be solved.
We call on regulatory authorities to take the steps necessary to address the outstanding privacy challenges posed by Blockchain technology and deletion of personal data. Innovative solutions to data protection challenges will only succeed with the understanding and support of regulators and lawmakers.
There is a risk that, if steps are not taken by regulators and lawmakers to bridge the gap between data protection law and Blockchain technology, we will witness a slowing in (or even end to) advancements in the area of Blockchain solutions. Such an outcome would ultimately be detrimental to technological developments that may have the capacity to deliver substantial benefits to the world as a whole.