Are blockchain and GDPR on a collision course?

19 Jun 2018

When blockchain was introduced in 2008 as the ledger underpinning the bitcoin cryptocurrency, the world of electronic payments changed for ever.

For payroll professionals, an opportunity suddenly presented itself to boost efficiency, particularly in making international payments, which can be a long and laborious task. As such, blockchain was rightly hailed as a game-changer. By 2014, even the Bank of England, hardly known for its early adoption of new technologies, described the technology underpinning bitcoin as a “significant innovation” that could have “far-reaching implications”.

One thing is certain, though: since then blockchain has gone from strength to strength. In May 2018, for instance, HSBC completed the world’s first commercially viable trade-finance transaction using the technology.

Its appeal rests largely on its ability to help reduce business fraud, and that comes down to two main properties.

Firstly, a blockchain is decentralised: the ledger is replicated across many independent nodes and new entries are accepted only by consensus among them, so no single party can quietly alter the record, and an attacker would have to compromise a large share of the network rather than a single server. Secondly, because every node holds a full copy, the failure or compromise of one node neither loses nor corrupts the data; the others simply carry on.

It is important to understand that blockchain, like everything else, is not completely secure. Its guarantees concern the integrity of the ledger, not the legitimacy of what is written to it, and the wallets, exchanges and applications built around a chain remain exposed. For example, transactions undertaken in South Korea were recently investigated for involving potentially suspicious money transfers of around US$600 million.

What a blockchain does do is indelibly record each stage of a transaction; in essence, it never forgets. Each participant is identified by a cryptographic key and can store, view and share digital information with the assurance that records, once written, cannot be altered or removed without the change being detected. Transparency and accountability are therefore built into the system, which in turn helps to reduce fraudulent activity.

Possible GDPR problems

It is these very attributes, however, that could cause significant problems in relation to the European Union’s newly applicable General Data Protection Regulation (GDPR). On paper at least, important rights granted by the GDPR sit in direct conflict with the way a blockchain operates.

These rights include the so-called ‘right to be forgotten’ (the right to erasure) and the ‘right to rectification’. Under the legislation, individuals can request that their data be permanently deleted from a company’s records, or corrected where it is inaccurate, and the organisation must act without undue delay and in any event within one month, extendable by two further months for complex requests. As the right to rectification is more likely to affect media organisations than anyone else, the right to be forgotten is the principle with which payroll operators most need to get to grips.

For most companies that run a centralised database, a deletion request should in theory be simple: all personal data that is not needed for a legitimate business purpose is removed. Even where copies are scattered across several systems with no record of where they live (a common failing), finding and permanently deleting them is relatively straightforward.

But in the case of blockchain, such a process is anything but simple. The technology’s whole premise is that it is decentralised and that its records cannot be changed, so a request to remove someone’s data from a chain raises real logistical problems.

Firstly, every block carries the hash of the block before it, so editing a historical record changes its hash and invalidates every block that follows; the ledger would no longer verify and would lose its value. Secondly, because the data is held by every node, deleting it from every location would be challenging, particularly on a public blockchain, where the nodes are run by parties the organisation does not control.

One way round the problem is to change how the blockchain is implemented: for example, by keeping the personal data itself in a conventional, centrally controlled back-end store and writing only a cryptographic fingerprint of it to the chain. The data can then be anonymised or deleted at the back end without breaking any chains. But such a move would require a significant overhaul.
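The two points above (an in-place edit breaks the chain; keeping personal data off-chain lets an erasure request be honoured without breaking it) can be shown in a few dozen lines. The following is an added example, not code from the article or from any product it mentions. It builds a minimal hash chain, first writes constructed payroll records straight into the blocks and shows that redacting one invalidates the chain, then repeats the exercise with the records held in an off-chain store and only a keyed hash (HMAC under a per-record random key) written to the chain, so that deleting the record and its key leaves the chain valid while the on-chain value can no longer be linked to anyone. The record ids, employee names and pay figures are all invented for illustration.

```python
"""Added example (not from the article): hash chain with personal data
kept off-chain and committed to by a keyed hash, so erasure is honoured
by destroying the off-chain record and its key while every block still
verifies. All record ids, names and amounts are constructed."""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def _sha256(obj) -> str:
    """Canonical JSON encoding so the same dict always hashes the same way."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class Chain:
    """Append-only list of blocks; each block commits to the previous hash."""

    def __init__(self):
        self.blocks = []

    def append(self, record_id: str, data: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev": prev,
                "record_id": record_id, "data": data}
        self.blocks.append({**body, "hash": _sha256(body)})

    def verify(self) -> bool:
        """Recompute every block hash and link; any in-place edit fails here."""
        prev = GENESIS
        for i, blk in enumerate(self.blocks):
            body = {k: blk[k] for k in ("index", "prev", "record_id", "data")}
            if blk["index"] != i or blk["prev"] != prev or _sha256(body) != blk["hash"]:
                return False
            prev = blk["hash"]
        return True


def tamper_naive_chain():
    """Design 1: personal data written straight into the block.
    Returns (valid_before_edit, valid_after_edit)."""
    chain = Chain()
    chain.append("pay-001", json.dumps({"employee": "A. Example", "net_pay": 2500}))
    chain.append("pay-002", json.dumps({"employee": "B. Example", "net_pay": 3100}))
    before = chain.verify()
    chain.blocks[0]["data"] = "REDACTED"   # an erasure attempt on the chain itself
    return before, chain.verify()


class PayrollLedger:
    """Design 2: personal data stays in a controller-operated store; the
    chain holds only an HMAC of it under a per-record random 256-bit key."""

    def __init__(self):
        self.chain = Chain()
        self.offchain = {}  # record_id -> (key, payload)

    @staticmethod
    def _commit(key: bytes, payload: dict) -> str:
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def record(self, record_id: str, payload: dict) -> None:
        key = secrets.token_bytes(32)
        self.offchain[record_id] = (key, payload)
        self.chain.append(record_id, self._commit(key, payload))

    def matches_chain(self, record_id: str) -> bool:
        """Audit check: does the off-chain record still match its commitment?"""
        key, payload = self.offchain[record_id]
        blk = next(b for b in self.chain.blocks if b["record_id"] == record_id)
        return hmac.compare_digest(self._commit(key, payload), blk["data"])

    def erase(self, record_id: str) -> None:
        """Honour an erasure request: destroy the data AND its key. The
        commitment left on-chain can no longer be linked to anyone."""
        del self.offchain[record_id]


def erase_offchain_record():
    """Returns (chain_still_valid, record_still_retrievable)."""
    ledger = PayrollLedger()
    ledger.record("pay-001", {"employee": "A. Example", "net_pay": 2500})
    ledger.record("pay-002", {"employee": "B. Example", "net_pay": 3100})
    assert ledger.matches_chain("pay-001")
    ledger.erase("pay-001")
    return ledger.chain.verify(), "pay-001" in ledger.offchain


def plain_hash_recovery_demo():
    """Why the key matters: an unkeyed SHA-256 of a low-entropy identifier
    is recovered by enumerating candidates, so it is still personal data."""
    target = hashlib.sha256(b"EMP0042").hexdigest()   # constructed employee id
    for i in range(10_000):
        candidate = f"EMP{i:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    print("naive chain (valid before, valid after edit):", tamper_naive_chain())
    print("off-chain design (chain valid, record present):", erase_offchain_record())
    print("unkeyed hash of employee id recovered as:", plain_hash_recovery_demo())
```

The last function is the caveat that matters when this pattern is adopted: a bare hash of a name, payroll number or IBAN is not anonymisation, because anyone holding the chain can enumerate plausible inputs and match them, so the on-chain value must be computed under a random key that is deleted along with the record. Whether a keyed commitment left on a chain still counts as personal data once the key is gone is a legal question for the controller, not something code settles.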

The devil in the detail

As ever, though, the devil is in the detail. While on the face of it the GDPR and blockchain appear to be on a collision course, other legal arguments should also be taken into consideration.

A key premise of the GDPR is the concept of the data controller (in a payroll context, usually the employer) and the requirement that controllers, and the processors acting for them, handle data lawfully and fairly. A blockchain is neither a controller nor a processor: it is a technology, not a legal person, and those roles fall to whoever operates it and decides what is written to it.

Therefore, it is important to focus on who controls and who processes the data. Employers or payroll services providers that operate private blockchains control their implementation and use, which means that responsibility for the data lies with them. On a public, permissionless chain, where no single organisation runs the nodes, the answer is far less clear.

As a result, when handling a deletion request, the question becomes whether the organisation is legally compelled to retain a given type of data or not, a question that sits at the heart of the GDPR, which does not require erasure where retention is itself a legal obligation. In the case of tax records, data must be held for the period laid down by the local tax authority. Other forms of data, however, may be deletable immediately.

In other words, what employers and payroll operators really need to focus on is what data they hold, how they use it and why.

As the GDPR becomes more ingrained in business practice and employers become more adept at responding to requests, it will become clearer whether blockchain challenges the legislation’s effectiveness. A number of iterations of the law may, in fact, become necessary, both to accommodate new technologies, artificial intelligence among them, and to close any loopholes that come to light.

In the meantime, it makes sense to understand the legislation as thoroughly as possible and work out how it affects applications built on technologies such as blockchain. Although the system presents many opportunities for making cross-border payments more secure, it is vital that firms working across multiple jurisdictions get to grips with how the legislation will affect their data.

Phil Beckett  

Phil Beckett is a managing director at Alvarez and Marsal’s disputes and investigations practice in London. He has more than 15 years of experience in forensic technology engagements, advising clients on forensic investigations relating to digital evidence, the interrogation of complex data sets and the disclosure of electronic documents.

