Put Personal Data into Blockchain: Practical Recommendations
After blockchain technology emerged, it soon became apparent that it would go far beyond the e-currency Bitcoin. The ability to increase confidentiality in data processing and ensure integrity and accountability of information in real time may help to solve critical issues in a variety of areas, from supply chain control to securing voting systems.
For instance, blockchain technology may be useful for establishing identity and having an immutable proof of facts, such as transactions. In this process, primarily meant to enable trust, it is almost impossible to avoid using personal data. And to ensure privacy is protected, this processing must comply with data protection laws, such as the General Data Protection Regulation (GDPR) in the EU.
Privacy compliance can be a long road, and it is vital to understand what to start with. Jointly with TechGDPR, a group of experts in technical compliance with GDPR, we give an overview of some controversial issues of the blockchain and GDPR intersection and provide practical recommendations on how to cope with them.
The article covers the following topics:
Blockchain Participants that are Subject to the GDPR
First things first – let’s determine the blockchain users that can be subject to the GDPR.
According to the definitions given in the regulation, there are mainly two responsible roles when dealing with personal data: controller and processor.
The controller is the one who decides on how and why to collect personal data. This entity is in charge of the data collected from individuals and recorded into a system. In the case of blockchain, the most notable examples are:
- Organizations that use blockchain to control daily operations. An example is the owner of a blockchain-based registry with personal details or digital identities of individuals. The operator of such a registry will be the controller of personal data;
- Cryptocurrency wallet providers. The information in control of the provider, namely the public and private keys of the wallet users, is personal data. The provider determines the purposes and means of processing. Thus, it will be the controller regarding these data;
- Smart contract providers and parties to smart contracts. Depending on its role in the scope, meaning, and purposes of using smart contracts, the provider can be either a data controller or a processor. If the provider develops unique solutions for using personal data in the smart contract, it can be a joint data controller, together with the parties to the contract. The main factor will be the level of control that the provider has over personal data; and
- Other application/platform providers, which offer services of recording rights, identity or data into blockchain. Providers, who offer a timestamping of the proprietary rights or offer the digital identity services based on blockchain, must comply with the controller’s obligations.
There is also a supplementary role in using personal data: the data processor. The processor performs operations on the personal data, such as structuring, storage, and recording, on behalf of the controller and based on the controller's instructions on how to do so.
The processor is a sort of contractor for the controller, whose role is to facilitate the recording of personal data into blockchain. While the controller bears primary responsibility toward individuals, the processor must ensure the information's security and compliance with the written instructions of the controller.
One of the controversial examples of blockchain data processors is Miners and Nodes. They have the protocol on how to process the data and form and validate blocks, and they largely perform these operations on behalf of the blockchain users. They do not choose the means or purposes of data processing. According to the definitions given in the GDPR, they should be qualified as data processors.
However, it is difficult to determine if there are clearly written instructions between Miners/Nodes (processors) and blockchain users (controllers).
According to the GDPR, controllers must conclude a Data Processing Agreement (DPA) with each processor. In a permissionless environment, it is next to impossible to have a DPA with all Nodes and Miners. Therefore, a careful approach is necessary to define the role of Miners and Nodes in each particular case.
Consider if Blockchain is the Best Option
One of the most important principles of data protection is purpose limitation. According to it, a controller can collect and put personal data into blockchain only if it is necessary for its purposes, whether authentication, supply control or marketing. Moreover, the controller must achieve its purposes in the easiest and most reliable way.
Recording personal data into blockchain may not be the easiest way.
Examine if blockchain is the best solution to your problem. Blockchain indeed complements data protection by the following features:
- Integrity, security, and confidentiality. If used properly, blockchain can provide a good level of data security with the help of up-to-date hashing, encryption, and digital signature techniques. It ensures confidentiality between the parties to the data relationship and prevents unlawful access to the data;
- Accountability. One of the most notable features of blockchain databases is accountability in real time. All data operations are recorded on the chain, which creates transparency of the company's practices. Thus, blockchain can facilitate processing transparency and accountability before the supervisory authorities or concerned individuals;
- Individuals' control over their data. The main objective of implementing the GDPR was to give back to individuals the control over their personal information. Developments like self-sovereign identity, which are fuelled by blockchain implementation, give individuals the opportunity to control and manage their personal data without unnecessary intermediaries.
Does blockchain fulfill one of these purposes? If the answer is 'yes', great, it may be reasonable to use blockchain in connection with personal data. Otherwise, it would be reasonable to use another technology, which solves the problem better.
Implement 'Privacy by Design' Principle
The company decided to record personal data using blockchain. What is next? Encode a ‘privacy’ feature in the blockchain.
The core of data protection is the 'privacy by design' principle. According to it, organizations must literally embed privacy, confidentiality, and security in their services or products. The implementation of this concept may consist of the following parts:
1. Data Minimization. Data protection requirements allow processing only of those data that are adequate, relevant and limited to the purposes. Sometimes, it may be reasonable not to collect data at all.
Rather, the blockchain data can serve as proof of the integrity and truthfulness of data by using hashing and encryption techniques. Meanwhile, personal data is being stored outside the blockchain, in a secure and protected way. Storing all individual’s information in the blockchain is not a good idea;
2. Technical and organizational measures. Although blockchain technology presumes the use of the cryptography techniques, it only secures data against mutability, not against unwanted access, for example. Additional technical and organizational measures will be needed.
To achieve the necessary protection, consider storing data in an encrypted or pseudonymized way, separately from the identifiers. This will protect the data from a data breach, although the data is not excluded from the scope of the GDPR. In such a case, other requirements of the GDPR must also be met.
From the human perspective, limit access to data to the employees directly involved in the data processing, and deny it to other persons.
3. Limited period of storage. Blockchain allows storing data with no time limits, thanks to the decentralization of the database. This is not a good option for personal data, however.
The organization cannot process personal data longer than necessary for the collection purposes (e.g., identification of website users) and/or legal obligations of the controller (e.g., financial compliance). After that, the data should be completely deleted from the controller's possession. Storing personal details separately from blockchain data, as discussed before, can help to achieve this task;
4. Exercising data subject rights. Generally, use of blockchain makes it almost impossible to delete or change the recorded data. This feature conflicts with important data rights, namely the right to be forgotten and the right to keep data accurate.
Again, it is easier to fulfil data subjects' requests if the data is stored outside the blockchain. Then, in combination with destroying the private keys used to access the data, it will be the closest solution to accomplishing the deletion obligation.
Anyway, the controller must be ready to provide individuals with access to their information, option to send data to a third party, and delete, change or stop the processing of the data upon the request;
5. Data protection impact assessment. As shown by the previous paragraphs, putting personal data into blockchain is not an easy task. It can create the risk of a data breach and become an obstacle to exercising the individual's rights.
The presence of such risks triggers another obligation to fulfil - conducting the data protection impact assessment (DPIA). The essence of the obligation is to weigh all risks regarding personal information and find an appropriate solution to them.
The controller must take this action for every operation causing the risks to concerned persons or non-compliance with the GDPR. In particular, the DPIA is required when new technologies (such as blockchain) can cause risks to the rights and freedoms of individuals – such as the issues with right to rectification or erasure of the information;
6. Specific policy on the use of the blockchain for personal data. Last but not least, the legal backend of data protection. The GDPR requires organizations to develop and implement data protection policies regulating the processing operations they conduct.
To address this issue, it will be reasonable to develop a separate internal 'Data protection in blockchain' policy, which aims to detail and specify the respective obligations on the corporate level. This document must reflect the solutions found for the compliant use of blockchain and eliminate the uncertainty on the data protection obligations in the decentralized environment.
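The off-chain pattern from items 1, 3 and 4 above can be sketched as follows. This is an added example, not code from the authors or from any blockchain platform; the `OffChainStore` class, the list standing in for the ledger, and the sample records are constructed for illustration. It anchors a keyed commitment (HMAC-SHA256 under a random per-record key) rather than a plain hash, because personal data such as an e-mail address is guessable and a plain hash of it can be matched by anyone who tries candidate values.

```python
import hashlib
import hmac
import json
import secrets


def canonical(data):
    """Serialize a record deterministically so equal data gives equal bytes."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(data):
    """Unkeyed SHA-256: anyone holding a candidate record can test it."""
    return hashlib.sha256(canonical(data)).hexdigest()


def commitment(key, data):
    """Keyed HMAC-SHA256: cannot be tested without the per-record key."""
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()


def guessable(on_chain_value, candidates):
    """True if an outsider's candidate list reproduces the on-chain value."""
    return any(plain_hash(c) == on_chain_value for c in candidates)


class OffChainStore:
    """Constructed stand-in for the controller's access-controlled database."""

    def __init__(self):
        self._records = {}  # record_id -> (per-record key, personal data)
        self.ledger = []    # stand-in for the append-only chain

    def put(self, personal_data):
        record_id = secrets.token_hex(8)  # random, not derived from the data
        key = secrets.token_bytes(32)
        self._records[record_id] = (key, personal_data)
        value = commitment(key, personal_data)
        self.ledger.append({"record_id": record_id, "commitment": value})
        return record_id, value

    def verify(self, record_id, on_chain_value):
        entry = self._records.get(record_id)
        if entry is None:  # erased or never stored
            return False
        key, data = entry
        return hmac.compare_digest(commitment(key, data), on_chain_value)

    def erase(self, record_id):
        """Erasure request: delete data and key; the ledger entry stays."""
        self._records.pop(record_id, None)
```

After `erase`, the ledger still holds the commitment, but nothing the controller retains can open or verify it.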
Responsible Use of Technology
Is using blockchain compatible with the GDPR? Yes, if used wisely.
It indeed can help design a more user-friendly and secure system for privacy governance. The ‘pros’ of using blockchain for personal data are increased control over the information, transparency, and accountability of the organization.
At the same time, blockchain technology is complex. Its inappropriate use can cause public exposure of users' information and unwanted legal consequences, like a penalty or a ban on using personal data in business activities. In particular, recording private information on a large scale without an option to erase it may become a bad implementation of a decent idea.
Thus, the best way to use blockchain for storing personal data is to weigh the risks and choose an accurate case-by-case implementation. TechGDPR and Legal Nodes will be delighted to assist companies in all technical and legal complexities of the GDPR requirements.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Vlad Nekrutenko, Privacy Lawyer at Legal Nodes
Silvan Jongerius, Managing Partner at TechGDPR, CIPP/e