Data Protection

Blockchain and GDPR: can you have both?

“I think there will be GDPR 2,” says Gary Brown, Programme Director at Santander UK. He hits the nail on the head. Not everyone is convinced by the merits of blockchain, but let’s assume it does finally justify the hype. Is it compatible with GDPR?

Blockchain is meant to be immutable; GDPR requires that data can be removed under certain circumstances. Can the immovable object that is blockchain be reconciled with the flexibility GDPR demands?

The right to be forgotten (the right to erasure, Article 17) is a rather important part of GDPR. So, for that matter, is the storage limitation principle: data must be removed once it is no longer needed for the purpose for which it was collected in the first place.

With blockchain, data can be added to a network, but not deleted. The data is replicated on every computer (or node) in the blockchain’s network, and each block’s hash is chained into the next, so that altering or removing a record on one node is immediately detectable by every other. This is the essence of blockchain, and it is what makes it virtually impossible for attackers to change records or for individuals to cheat. To delete data, every node in the network would have to act together and remove the same record in tandem, then agree on the rewritten chain. That sounds like a tough challenge.

There is another barrier. Under GDPR, data controllers remain responsible for personal data processed on their behalf by third parties, which creates particular problems when that data is stored on computers outside the territory GDPR covers, or in a jurisdiction whose privacy framework is not recognised as compatible with GDPR. But on a public, permissionless blockchain it is almost impossible to control where the nodes that form the network are located, or who operates them.

There is a wider point: blockchain is closely linked to the concept of a distributed ledger, meaning the record of who owns an asset is stored across every computer or node that makes up the network. That concept seems to be in direct contradiction with GDPR, which is built on the idea of an identifiable controller being accountable for, and in control of, personal data.

Gary Brown echoes those doubts. He says: “One of the concerns is that blockchains are being built in a way that GDPR cannot control, and when GDPR was conceived, blockchain was not around, so it does not cover it. I think there will be GDPR 2.0 at some point to cover blockchain and other distributed services.” He adds: “GDPR is all about someone taking control of data – it’s all about accountability, blockchain has no accountability, it is multi-distributive, by its very nature.”

Are there any potential solutions?

One possible solution would be a consensus algorithm in which the computers in a blockchain vote to delete a record, which is then removed if a majority consent. But this still leaves a problem. Blockchain packs old data into blocks, and each block’s hash covers its contents and is referenced by the block that follows. Removing a record changes the block’s hash, so the block no longer verifies, and neither does any block after it unless the whole chain is rewritten and re-agreed by every node.

Russell Marsh, Managing Director at Accenture Digital, told us that Accenture holds patents that allow a blockchain to be edited: “it leaves a scar to show where it has been edited.” But it is inherently difficult, he concedes.

A private, permissioned network offers a separate advantage: the energy required to run it is far lower. Bitcoin and Ethereum are notorious for the enormous amounts of electricity consumed by proof-of-work mining. On this point, Russell Marsh said: “It can be overcome because it will change over time from being a distributed ledger that is out in the world to trusted networks, so it could work a lot faster.”

He gave as a possible example: Adobe, Salesforce and Oracle clubbing together, to be a trust network for doing blockchain for media, “so rather than having the whole world doing those calculations you just have those three organisations do it.” He reckons banks could do the same, “so you set up the servers within the banks and they do the encryptions, so no single one of them can confirm a change to the data on their own…which means it is faster, you can have security and transparency, but you can do things in milliseconds.”

The principle of a distributed ledger is especially popular with libertarians, but a blockchain that runs on a private network would lose that appeal, alienating the group of people who up to now have been its greatest advocates.

There is another potential problem. Russell Marsh fears that blockchain, which in theory gives us a network that cannot easily be hacked, might lull us into a false sense of security, so that when a future technology such as quantum computing is able to break into a blockchain, we will be unprepared. The practical point is that anything written to a chain in the clear is exposed for as long as the chain exists, and anything written encrypted is only as durable as the algorithm protecting it: a sufficiently large quantum computer would break the elliptic-curve signatures most chains rely on today, while hashes and symmetric ciphers would be weakened rather than broken outright.

He said: “The idea of storing data on a block is an intellectually interesting idea because you could arguably control your data by having it on a blockchain. The problem is at what point does blockchain level encryption fall apart sometime in the future and reveal all the data sat on the blockchain.”

There is one other way GDPR and blockchain could work together. A report from the EU Blockchain Observatory and Forum suggests a different route to compatibility: “blockchain could, in theory, make it easier for platforms and applications to have compliance ‘baked in’ to the code, supporting data protection by design.”
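As an added illustration of both points above (why a majority vote to delete breaks the chain, and what “compliance baked in” can look like), here is a small Python model. It is not code from the article, from Accenture’s patents or from the EU Observatory report; the class and function names are the example’s own, and the design it shows (the chain commits only to salted digests, while the personal data and the salt live in an off-chain store the controller can really delete) is a common data-protection-by-design pattern rather than the specific one any of those sources describes.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(prev_hash: str, body: list) -> str:
    """A block's hash commits to the previous block's hash and to its own body."""
    payload = json.dumps({"prev": prev_hash, "body": body}, sort_keys=True)
    return sha256_hex(payload.encode())


def verify_chain(chain: list, key: str) -> bool:
    """Recompute every block hash over the field named by `key` and check the links."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block_hash(prev, block[key]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


# --- Naive design: personal data is written straight into the block ----------

def build_naive_chain(batches: list) -> list:
    """Each block stores its records in the clear; the hash covers them directly."""
    chain, prev = [], GENESIS
    for records in batches:
        block = {"prev": prev, "records": records, "hash": block_hash(prev, records)}
        chain.append(block)
        prev = block["hash"]
    return chain


# --- Commitment design: the block holds salted digests; the data stays off-chain

class CommitmentLedger:
    """Blocks commit to salted SHA-256 digests of records. The records and salts
    live in an off-chain store that the controller can actually delete."""

    def __init__(self):
        self.chain = []
        self.offchain = {}  # digest -> {"salt": bytes, "data": str}

    def _commit(self, record: str) -> str:
        salt = secrets.token_bytes(16)  # random salt: a known email cannot be matched to its digest
        digest = sha256_hex(salt + record.encode())
        self.offchain[digest] = {"salt": salt, "data": record}
        return digest

    def add_block(self, records: list) -> dict:
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        digests = [self._commit(r) for r in records]
        block = {"prev": prev, "digests": digests, "hash": block_hash(prev, digests)}
        self.chain.append(block)
        return block

    def verify(self) -> bool:
        return verify_chain(self.chain, "digests")

    def resolve(self, digest: str):
        """Return the record behind an on-chain digest, or None once it is erased."""
        entry = self.offchain.get(digest)
        if entry is None:
            return None
        if sha256_hex(entry["salt"] + entry["data"].encode()) != digest:
            raise ValueError("off-chain record does not match its on-chain commitment")
        return entry["data"]

    def erase(self, digest: str) -> bool:
        """Right to erasure: drop the record and its salt. The digest stays on-chain
        as the 'scar', but without the salt it no longer resolves to anything."""
        return self.offchain.pop(digest, None) is not None


def demo():
    # Constructed sample records, not real data subjects.
    batches = [["alice@example.com"], ["bob@example.com", "carol@example.com"]]

    naive = build_naive_chain([list(b) for b in batches])
    ok_before = verify_chain(naive, "records")
    naive[0]["records"].remove("alice@example.com")  # the nodes "vote" to delete Alice
    ok_after = verify_chain(naive, "records")        # block 0 no longer matches its hash

    ledger = CommitmentLedger()
    for records in batches:
        ledger.add_block(records)
    alice = ledger.chain[0]["digests"][0]
    ledger.erase(alice)
    return ok_before, ok_after, ledger.verify(), ledger.resolve(alice)


if __name__ == "__main__":
    print(demo())
```

Two things matter in the second design. The salt is not optional: an unsalted SHA-256 of an email address or national ID is trivially recovered by hashing candidate values, so the on-chain “scar” would itself still be personal data. And whether a retained digest counts as anonymised once the salt and record are destroyed is a question for the data protection assessment, not something the code settles on its own.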

GDPR promotes trust

You hear it often enough: complying with GDPR enables organisations to build trust with customers. But it is good to hear the argument articulated by someone like Sir Rob Wainwright, a former Executive Director of Europol and now senior partner for Deloitte’s cyber practice in North-West Europe.

“When I joined Europol,” he said, “I came to an organisation that already had the principle of data protection embedded into its psyche and framework.

“I kind of baulked at that. I came from an intelligence framework in the UK, where I was familiar, of course, with data protection principles, but the data protection officer was always someone who was on the basement floor and you would call up for a short meeting. It was never uppermost in the minds of people running the law enforcement community.”

He said that “certain daily practices were quite robust in terms of limitations imposed on the data the organisation had collected, and what they could store it for, and what they could do with it.

“There seemed to be walls in the direction I wanted to go.

“I was very wedded to the idea that you had to follow the legal framework, so I did.

“My point: it took me less than two years before I came to realise that data protection, if managed in the right way, is a very effective enabler of the business and can support the data operations in a way that many people don’t understand.

“When I look at the impact of GDPR now, I think the smartest companies will have the opportunity to get GDPR right, not just by saying ‘Oh my god, how the hell am I going to deal with this’ – as something that has to be done to avoid a fine – but rather with a mindset that is saying, ‘Alright, how does this change the landscape, how does that change the data landscape, and change it to my advantage?’

“What I saw at Europol and then went to preach – as I became a convert – is that its importance lies in the fact that you have clean data, operations, and clean data sets. So, the idea of running a data regime that is more secure should appeal to anyone. 

“At Europol, we didn’t have much junk in our system, as we weren’t allowed to collect data we didn’t need. We weren’t allowed to keep data for years past the usability date. But I am glad it was like that. I didn’t want junk data, so the dataset became cleaner, the mind and skillsets of analysts became sharper and more precise, as they knew they had to make the necessary judgments with all the data they were handling rather than do it lazily, getting everything and anything.

“The data operations in Europol, which were absolutely fundamental to the success of the organisation, were greatly enhanced by the data protection regime that we had. 

“Also, it is hugely important for the credibility, reputation and public standing of an organisation, certainly a public organisation like ours, and one that was collecting a relatively large amount of data on EU citizens.

“Europol is the only organisation with a right to do that, it was rightly very much scrutinised with regards to personal data, from the European Data Protection Supervisor through to the European Parliament.

“It is certainly more scrutinised on this front than any other, and as it should be. As such we really had to be cleaner than clean, otherwise, any significant impairment to the public reputation of Europol would have been massively damaging to its ability to do its fundamental operations.

“So, the more robust the protection environment and framework we had, the better the reputation we had, and the more strength it gave me as a director, to stand before parliament, and to say ‘I am making these points about why this data needs to be collected, about why we need new legislation’, and did so from the point of view of being the most scrutinised agency in the world on data protection, so I spoke from a position of strength.”

“You can translate all these learning lessons and principles into a commercial environment.

“The flipside is also true if the implementation of GDPR goes wrong, the public reputation also begins to suffer, and that is the most important asset boardrooms want to protect.”