Can blockchain help with GDPR compliance?
With great power comes great responsibility.
The ability to collect data is one such power, and businesses will agree that it comes with quite a bit of responsibility, especially since the General Data Protection Regulation (GDPR) came into force earlier this year.
Adopted by the European Parliament and Council, the GDPR gives individuals based in the EU control over their personal data, including the right to withhold or grant companies permission to collect and process it.
Businesses that collect personal data must meet many intricate requirements, and the regulation introduces fines for non-compliance.
Although it is an EU regulation, companies outside the European Union are also affected if they have customers or operations there.
Though the GDPR was created prior to the rise of blockchain, it has come into effect at a time when blockchain is being widely embraced and implemented for security purposes.
Because of that, there are aspects of the GDPR that are incompatible with the nature of a blockchain. In an exclusive interview with Tech Wire Asia, Christian Hsieh, CEO of Tokenomy, highlighted these incompatibilities.
For starters, a public blockchain is a large shared ledger of transactions, grouped into blocks that are chained together by cryptographic hashes. Transparency is a key feature: the entire chain is readable by anyone (permissioned blockchains, which restrict who may read and write, are the exception).
Because the chain is replicated across many independent nodes and each block commits to the one before it, no single person or entity owns, controls or can quietly edit it, and a confirmed transaction cannot be erased or altered without rewriting every later block. That is what makes the ledger immutable, and it is also why any personal data written directly on-chain can never be deleted.
“The paradox lies in GDPR’s ‘right to be forgotten’ rule – which allows people the option of removing or correcting their personal data from a decentralised database – the withdrawal of data from the blockchain would theoretically become possible, but in practice will be impossible to implement due to the immutability of the blockchain and the fact that no regulation can effectively regulate a public blockchain,” highlighted Hsieh.
Due to this paradox, if blockchains are to help businesses comply with the GDPR, the regulation needs to be flexible enough to evolve and incorporate technological advances into its structure. On the engineering side, systems sidestep the paradox by keeping personal data off-chain and recording only proofs of it, which is the pattern the KYC scenario below relies on.
Take, for instance, the mandatory Know Your Customer (KYC) procedures, which require individuals to provide institutions such as banks with personal data for identity verification and anti-money-laundering purposes.
As things stand, a person has to hand over this sensitive personal information to each institution separately, often in person.
If the GDPR’s provisions allowed blockchain to be used here, a person could provide it once, then consent for a proof of the information, not the information itself, to be shared digitally.
If the GDPR were expanded with provisions that allow blockchain integration, a KYC blockchain of this kind would make the process both secure and quick, alleviating customer frustration and benefiting the institutions.
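The “proof, not the data” pattern described above, as an added example that is not code from the article or from Tokenomy: the attesting bank records only a salted SHA-256 commitment on a permissioned ledger (modelled here as an append-only list; the ledger, the institution names and the customer record are constructed assumptions), the customer keeps the salt and shares it, together with the data, only with parties they consent to, and a second bank verifies by recomputing the commitment. The birthdate sweep at the end shows the edge case a practitioner must handle: an unsalted hash of a name and date of birth is trivially reversible, so publishing it would put personal data on an immutable chain after all.

```python
"""KYC attestation that keeps personal data off the chain.

Added example, not code from the article or from Tokenomy. Assumptions:
a permissioned ledger modelled as an append-only list, SHA-256 commitments,
a 32-byte random salt held by the customer, and constructed sample data.
"""
import hashlib
import hmac
import json
import os
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Stands in for a shared, append-only ledger; nothing here is ever deleted.
LEDGER = []


def canonical(attrs: Dict[str, str]) -> bytes:
    # Canonical JSON so every party hashes exactly the same bytes.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def commit(attrs: Dict[str, str], salt: bytes) -> str:
    # Commitment = SHA-256(salt || attributes). The salt is what stops anyone
    # from guessing low-entropy attributes (names, birthdates) from the hash.
    return hashlib.sha256(salt + canonical(attrs)).hexdigest()


def attest(attester: str, attrs: Dict[str, str]) -> Tuple[bytes, int]:
    """Institution verifies identity off-chain, then records only the commitment.

    Returns the salt (handed to the customer, never written on-chain) and the
    index of the ledger record."""
    salt = os.urandom(32)
    LEDGER.append({"attester": attester, "schema": "kyc-v1",
                   "commitment": commit(attrs, salt)})
    return salt, len(LEDGER) - 1


def verify(index: int, attrs: Dict[str, str], salt: bytes,
           trusted: Set[str]) -> bool:
    """A second institution checks data the customer chose to share against
    the ledger record. The ledger never held the data, only its commitment."""
    if index < 0 or index >= len(LEDGER):
        return False
    rec = LEDGER[index]
    if rec["attester"] not in trusted or rec["schema"] != "kyc-v1":
        return False
    # Constant-time compare is cheap insurance even though hashes are public.
    return hmac.compare_digest(rec["commitment"], commit(attrs, salt))


def brute_force_dob(commitment: str, name: str, salt: bytes) -> Optional[str]:
    """Dictionary attack: sweep every birthdate from 1920 to 2019 for a known
    name (about 36,500 hashes). Shows why an unsalted hash of personal data
    is not a safe thing to publish."""
    d = date(1920, 1, 1)
    while d < date(2020, 1, 1):
        if commit({"dob": d.isoformat(), "name": name}, salt) == commitment:
            return d.isoformat()
        d += timedelta(days=1)
    return None


def demo() -> Tuple[bool, bool, Optional[str], Optional[str]]:
    customer = {"name": "Jane Example", "dob": "1985-07-14"}  # constructed
    salt, idx = attest("BankA", customer)

    # BankB accepts BankA's attestation once the customer shares data + salt.
    accepted = verify(idx, customer, salt, trusted={"BankA"})
    # Tampered attributes (or a deleted salt) no longer match the record.
    tampered = verify(idx, {**customer, "dob": "1985-07-15"}, salt, {"BankA"})

    # An unsalted commitment leaks the birthdate to a 100-year sweep...
    leaked = brute_force_dob(commit(customer, b""), "Jane Example", b"")
    # ...while the salted on-chain record yields nothing without the salt.
    safe = brute_force_dob(LEDGER[idx]["commitment"], "Jane Example", b"")
    return accepted, tampered, leaked, safe


if __name__ == "__main__":
    print(demo())  # (True, False, '1985-07-14', None)
```

Erasure then becomes an off-chain operation: once the customer’s salt and the institutions’ copies of the data are deleted, the commitment that remains on-chain can neither be inverted nor linked to anyone, which is as close to the right to be forgotten as an append-only ledger allows. The example relies on the permissioned ledger itself to vouch for the `attester` field; a production record would additionally carry the attesting institution’s signature.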
Furthermore, this “right to be forgotten” only comes into play when users actively choose to withdraw their information; if they never exercise it, their personal data continues to be used by companies in the same ways as it always has been.
With a blockchain-based system in place, and no GDPR penalty for using one, users’ information would be better protected whether or not they ever exercise that right.
The cryptocurrency industry should brace itself for a series of changes in the coming months, and so should the lawmakers of the EU.
“If they truly want to create a secure marketplace online that respects people’s personal data, then blockchain should be embraced, not penalized”
“It is imperative for industry players and stakeholders to play an active role in helping shape regulations so that they are sustainable for all stakeholders,” concluded Hsieh.