The Blockchain and the GDPR
If the blockchain is still unknown for some, companies when to them, seem to want to subscribe to it more and more … Through his numerous assets, this one is nevertheless in conflict with certain fundamental set up by the GDPR.
The blockchain, so many people talk about it, but it is still a foreign notion for some. But if that’s your case, do not worry, it should change quickly! Indeed, if the blockchain is today’s reality only for some, it is undoubtedly everyone’s reality for tomorrow.
However, if more and more companies want to take part of it, the GDPR sometimes seems to be in distortion with some of blockchain operations. What then are the blockchain practices which remain into question by the standards imposed by the GDPR ?
Understand the blockchain
A blockchain definition is given by French law in the Monetary and Financial Code. According to its article L 223-12, it is a “shared electronic recording device enabling the authentication of these operations, in particular under security conditions, defined by decree in the Council of State”.
Well, such an information… This legal definition given, let’s try to understand a little more about what it really is.
On what is based the blockchain ?
Decentralization. The basic idea of the blockchain is that the information is not stored on a single central server. It is based on a set of participants who support it and not on a single person who manages the entire system.
What’s the blockchain for?
- If at first the blockchain was used for cryptomoney (especially Bitcoin), it is now possible to do more than just assets transfer.
- It guarantees a better transparency thanks to a reinforced traceability of the products/assets. Thus, in a production line for example, it will be easier for the consumer to know the whole manufacturing process and thus to make informed consumption choices (which is far from being the case today…)
- Finally, it allows the execution of smart contract. These contracts thanks to the blockchain system will be executed in an autonomous and automated way. How? Through a program which captures when the necessary conditions to trigger the implementation of the contract are met.
Why is it right?
For transparency. Once information is created in the blockchain, it can be consulted at any time and by anyone (depending on the type of blockchain, but let’s stay on the basic diagram). The blockchain contains a history of all exchanges between its users since its creation.
Moreover, the data are immutable. Once registered they cannot (in principle and for now) be modified.
For autonomy / trust. Those who act in the blockchain are real actors of the actions they put in place. The blockchain eliminate the intermediaries. Thus, for banking transactions for example, Paul can give Jacques 100€ without asking Marie (banker).
Nota bene : what is transmitted by the blockchain is called digital assets.
The GDPR, a problem….
The general obligation of limited data retention
Through its fundamental principles the GDPR imposes, to keep only the necessary data to carry out the mission. This requires a clear and stated justification of why the data should be retained. In other words, if the data has no reason to exist, it must be absolutely deleted.
The controller and the processor
The blockchain is based as seen above on a decentralized and autonomous system. In other words, nobody controls the hole system, nobody is at the head of this system. Does this mean that all actors are responsible? At the very least, everyone is responsible for the actions they take…
What about the obligation made by the GDPR to designate a controller? Who takes responsibility in the event of a shared data breach? If there’s a rift, who do we turn against? Nobody? All the identifiable actors (but who will really have the heart to do so)?
The right to deletion / rectification
The GDPR was keen to restore a real power to individuals over their data. To do so, they must be able – at any time and without difficulty – to request the deletion of their data that are held by a company.
Conversely, the blockchain is based on an essential element: the irreturnability. Once stored, files can no longer be modified, deleted…
The CNIL is currently studying these questions which arise from the implementation of the blockchain. In the coming months, it will not fail to position itself on the various issues that this raises.
There may not be a clear answer at this time regarding the articulation of the GDPR and the blockchain. In the meantime, however, companies still need to secure the data they process and that they can transfer as part of the blockchain.
We can help you secure your data. With HTTPCS Security, you can effectively detect security breaches on your website to ensure that your data is secure in compliance with the GDPR and prevent hacking situations.