poster
Privacy (GDPR)

Put Personal Data into Blockchain: Practical Recommendations

After blockchain technology has emerged, it soon became apparent that it would go far beyond the e-currency Bitcoin. The ability to increase confidentiality in data processing and ensure integrity and accountability of information in real time may help to solve critical issues in a variety of areas, from supply chain control to securing voting systems.

For instance, blockchain technology may be useful for establishing identity and having an immutable proof of facts, such as transactions. In this process, primarily meant to enable trust, it is almost impossible to avoid using personal data. And to ensure privacy is protected, it must comply with data protection laws, such as the European General Data Protection Regulation (GDPR) in the EU.

Privacy Compliance can be a long road, and it is vital to understand what to start with. Jointly withTechGDPR, a group of experts in technical compliance with GDPR, we give an overview of some controversial issues of the blockchain and GDPR intersection and provide practical recommendations on how to cope with them.

The article covers the following topics:

- Who should be aware of the GDPR while using blockchain;

- Advantages of blockchain in privacy protection; and

- Tips for implementing ‘Privacy by design’ principle in blockchain.

Blockchain Participants that are Subject to the GDPR

First things first – let’s determine the blockchain users that can be subject to the GDPR.

According to the definitions given in the regulation, there are mainly two responsible roles when dealing with personal data , controller and processor.

The controller is the one who decides on how and why to collect personal data. This entity is in charge of the data collected from individuals and recorded into a system. In the case of blockchain, the most notable examples are:

  • - Organizations, which use blockchain to control daily operations. The example will be the owner of blockchain-based registry with personal details or digital identities of the individuals. The operator of such a registry will be the controller of personal data;

  • - Cryptocurrencies wallet providers. The information in control of the provider, namely the public and private keys of the wallet users, is personal data. The provider determines purposes and means for processing. Thus, he will be the controller regarding these data;

  • - Smart contract providers and parties to smart contracts. Depending on the role in the scope, meaning, and purposes of using smart contracts, the provider can either be a data controller or processor. If the provider develops unique solutions for using personal data for in the smart contract, it can be a joint data controller, together with the parties to the contract. The main factor will be a level of control, which the provider will have over personal data; and

  • - Other application/platform providers, which offer services of recording rights, identity or data into blockchain. Providers, who offer a timestamping of the proprietary rights or offer the digital identity services based on blockchain, must comply with the controller’s obligations.

There is also a supplementary role in using personal data – a data processor. The processor does operations on the personal data, such as structuring, storage, and recording, on behalf of the controller and based on his instructions on how to do so.

The processor is sort of a contractor for the controller, whose role is to facilitate the recording of personal data into blockchain. While the controller’s responsibility is to take a primary responsibility before individuals, the processor must ensure the information’s security and accordance with written instructions of the controller.

mD_QoAUa6_Hs8ovfNWc4iJ3-XCoqjEhZZEYP9rjIAdvZdPXIV6myHQt3FxnamaMdFsCGGL21gdqjTGzQC3LiS5j0ZcjQCkTUvdPr3Z6BB0YFLeRpGm90rXuzd55gumq5MheXy17c

One of the controversial examples of blockchain data processors is Miners and Nodes. They have the protocol on how to process the data, form and validate blocks, and they considerably do these operations on behalf of the blockchain users. They do not choose the means or purposes for data processing. According to the definitions given in the GDPR, they should be qualified as data processors.

However, it is difficult to determine if there are clearly written instructions between Miners/Nodes (processors) and blockchain users (controllers).

According to the GDPR, controllers must conclude the Data Processing Agreement with each processor. In the permissionless environment, it is next to impossible to have the DPA with all Nodes and Miners. Therefore, the careful approach is necessary to define the role of Miners and Nodes in each particular case.

Consider if Blockchain is the Best Option

One of the most important principles of data protection is the purpose limitation. According to it, a controller can collect and put personal data into blockchain only if it is necessary for purposes, whether authentication, supply control or marketing. Moreover, the controller must complete its purposes in the easiest and most reliable way.

Recording personal data into blockchain may be not the easiest one.

Examine if blockchain is the best solution to your problem. Blockchain indeed complements data protection by the following features:

  • - Integrity, security, and confidentiality. If using blockchain properly, it can provide a good level of data security with the help of up-to-date hashing, encryption, and digital signatures techniques. It ensures the confidentiality between the data relationship parties and prevents from unlawful access to it;

  • - Accountability. One of the most notable features of the blockchain databases is accountability in real time. All data operations are recorded on the chain, which creates transparency of the company’s practices. Thus, blockchain can facilitate processing transparency and accountability before the supervisory authorities or concerned individuals;

  • - Individuals' control over their data. The main objective of implementing the GDPR was to give back to individuals the control over their personal information. The developments like self-sovereign identity, which are fuelled by the blockchain implementation, gives individuals the opportunity to control and manage their personal data without unnecessary intermediaries.

2M4QlaCFXFj3AMid8AnDlD6SYZMxTA0yei213QkI26bavHYsyJNJfJvo0sMQWPjnUMcxowoETf0HBwf3NpbCU3WHdAi7Z2hdquXCkZIe8-w8p2xkeHOxsSN8Dtgj4fPXW29cib5A

Does blockchain fulfill one of these purposes? If the answer is 'yes', great, it may be reasonable to use blockchain in connection with personal data. Otherwise, it would be reasonable to use another technology, which solves the problem better.

Implement 'Privacy by Design' Principle

The company decided to record personal data using blockchain. What is next? Encode a ‘privacy’ feature in the blockchain.

The core of data protection is the 'privacy by design' principle. According to it, organizations must literally embed privacy, confidentiality, and security in their services or products. The implementation of this concept may consist of the following parts:

1. Data Minimization. Data protection requirements allow processing only of those data that are adequate, relevant and limited to the purposes. Sometimes, it may be reasonable not to collect data at all.

Rather, the blockchain data can serve as proof of the integrity and truthfulness of data by using hashing and encryption techniques. Meanwhile, personal data is being stored outside the blockchain, in a secure and protected way. Storing all individual’s information in the blockchain is not a good idea;

2. Technical and organizational measures. Although blockchain technology presumes the use of the cryptography techniques, it only secures data against mutability, not against unwanted access, for example. Additional technical and organizational measures will be needed.

To achieve the necessary protection, consider storing data in an encrypted or pseudonymized way, separately from the identifiers. This will prevent the data from the data breach, although not excluded from the scope of the GDPR. In such a case, other requirements of the GDPR must also be met.

l-9RtsSJojDYL5Qaq9sj-wKyRP3p1o0mU9zHaml8v9iEmhTxa5dYhcSEf22z41a9AWTZX2DFT5HucMXC9B2D8lSIApY03S3Vr-f_uWCt6Vz0VT12hQyNlOJ8zJqniCDbpqo_7tLd

From the human perspective, limit access to data by the employees directly involved in the data processing, and close for other persons.

3. Limited period of storage. Blockchain allows storing data with no time limits, thanks to the decentralization of the database. This is not a good option for personal data, however.

The organization cannot process personal data longer than necessary for collection purposes (e.g., identification of website users) and/or legal obligations of the controller (e.g., financial compliance). After it, the data should be completely deleted from the controller's possession. Storing personal details separately from blockchain data, as discussed before, can help to achieve this task;

4. Exercising data subject rights. Generally, use of blockchain makes it almost impossible to delete or change the recorded data. This feature contradicts with important data rights, namely the right to be forgotten and right to keep data accurate.

Again, it is easier to complete the data subjects' requests if storing data outside the blockchain. Then, in combination with destroying private keys to access the data, it will be the closest solution to accomplish the deletion obligation.

Anyway, the controller must be ready to provide individuals with access to their information, option to send data to a third party, and delete, change or stop the processing of the data upon the request;

, 15. Data protection impact assessment. As proved by the previous paragraphs, putting personal data into blockchain is not an easy task. It can cause the risks of the data breach and become an obstacle to exercise the individual’s rights.

The presence of such risks triggers another obligation to fulfil - conducting the data protection impact assessment (DPIA). The essence of the obligation is to weigh all risks regarding personal information and find an appropriate solution to them.

The controller must take this action for every operation causing the risks to concerned persons or non-compliance with the GDPR. In particular, the DPIA is required when new technologies (such as blockchain) can cause risks to the rights and freedoms of individuals – such as the issues with right to rectification or erasure of the information;

6. Specific policy on the use of the blockchain for personal data. Last but not least - a legal backend of the data protection. The GDPR requires to develop and implement data protection policies regulating the processing operations conducted by the organization.

To address this issue, it will be reasonable to develop a separate internal 'Data protection in blockchain' policy, which aims to detail and specify the respective obligations on the corporate level. This document must reflect the solutions found for the compliant use of blockchain and eliminate the uncertainty on the data protection obligations in the decentralized environment.

Responsible Use of Technology

Is using blockchain compatible with the GDPR? Yes, if used wisely.

It indeed can help design a more user-friendly and secure system for privacy governance. The ‘pros’ of using blockchain for personal data are increased control over the information, transparency, and accountability of the organization.

At the same time, blockchain technology is complex. Its inappropriate use can cause public exposure of users’ information and unwilling legal consequences, like a penalty or ban on using personal data in business activities. In particular, recording of private information on a big scale without an option to erase may become a bad implementation of a decent idea.

Thus, the best way to use blockchain for storing personal data is to weigh the risks and choose an accurate case-by-case implementation. TechGDPR and Legal Nodes will be delighted to assist companies in all technical and legal complexities of the GDPR requirements.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad Nekrutenko, Privacy Lawyer at Legal Nodes

Silvan Jongerius, Managing Partner at TechGDPR, CIPP/e

Need a lawyer in this area?

avatarchecked

Vlad

Ukraine

3 years in data protection

Experience
Vlad is a data privacy enthusiast and expert in the GDPR compliance. He possesses IAPP...
choose
choose

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills