Blockchain, 'WHOIS' Services Break Key Requirements of GDPR
As the tech world adjusts to the General Data Protection Regulation passed by the European Union that went into effect May 25, several services are now threatened, including the public blockchain that tracks crypto-currency transactions and the internet’s “WHOIS” domain name identification function.
Using blockchain, which is basically a digital ledger, to store personal information breaks some key requirements of the GDPR. For example, personal information must be processed lawfully, fairly and in a transparent manner. And anyone can request their data be deleted. However, with blockchain, there’s no transparency because everything is encrypted and blockchain data can never be deleted. Furthermore, the distributed ledger in a public blockchain has no Data Protection Officer, as mandated by the regulations.
The other technology now threatened is the “WHOIS” internet function that allows anyone to type in “WHOIS” in the website address to obtain the name of the owner and relevant contact information of any internet domain name. This allows you to see who’s behind any given site on the net, which is invaluable for fighting fraud and cyber-crime on the internet.
If you’re trying to comply with the GDPR, here are some tips to keep in mind:
- Don’t use blockchain to store personally identifiable information. Instead, only store references to another place where the information is kept. That way, if you remove the object of the reference, it becomes meaningless.
- Remember that information in a blockchain cannot be deleted or changed and encryption is not enough to comply with the GDPR.
- The GDPR requirement that data be minimized is also a problem with blockchain, since by design data is replicated as part of the distributed ledger.
- If you’re using blockchain, you need to find some way to resolve the Data Protection Officer requirements.
All this does not mean that you can’t use a blockchain and its distributed ledger as way to help secure your data. You’ll just need to be very careful about determining where the blockchain and personal data intersect and eliminate those connections.
Ultimately, the key is personal information. If you know it exists somewhere in your data system, get rid of it unless you specifically know it’s protected according to the GDPR requirements.