The Parity ICO Passport Service (PICOPS) has announced that it's last day of business will be May 24, 2018, which is the day before the European Union’s GDPR goes into effect. PICOPS is an authentication service for the Ethereum crypto-currency. It used blockchain technology to store personal information as a way to ensure that traders in Ethereum weren’t located in places where crypto-currencies are prohibited.
Unfortunately for PICOPS, using blockchain to store personal information breaks some key requirements of the GDPR. For example, Article 5 of the GDPR requires personal information to be processed lawfully, fairly and in a transparent manner, but with blockchain there’s no transparency because everything is encrypted.
There are other problems. The GDPR requires that anyone can request that their data be deleted in their right to be forgotten. But blockchain data cannot be deleted—ever. It also can’t be changed if the information is wrong, another requirement of the GDPR. But it gets worse.
The GDPR requires that personal data collected by an organization be the responsibility of the Data Protection Officer. But the distributed ledger in a public blockchain has no such person and no real provision for a DPO. There’s also no one in charge of processing individual data.
The GDPR also requires that any identification of personal data be deleted as soon as possible and that such personal data not be kept any longer than is required for the purpose for which it was originally collected. Again, the problem with deleting blockchain data is that you can’t delete it.
So does this spell doom for blockchain? Well, no. It just places limits on how it can be used in regards to personal data. You can, for example, use blockchain to store references to data stored elsewhere. If the time comes where you have to remove someone’s record, to allow them to be forgotten, then all you need to do is remove the referential information, so that all that remains is the index information without the actual data that it points to.
Looked at this way, some types of crypto-currency are safe. Their blockchain entries are simply the encrypted key to the Bitcoin or other currency and there’s no personal information involved.
The problem is that blockchain is expanding far beyond the original role as a crypto-currency ledger and has since morphed into an all-purpose ledger to record for any other type of information. The GDPR will probably eliminate that sort of blockchain application, but it would appear that crypto-currency is safe.
But that’s not the only technology that’s being threatened by the GDPR. There’s also the venerable “WHOIS” (pronounced who is) internet function that allows anyone to type in “WHOIS” and the website address to obtain the name of the owner and the relevant contact information of any internet domain name. ICANN requires that the WHOIS data be made available for every internet address.
This allows you to see who’s behind any given site on the net. As you might suspect, the WHOIS function is invaluable for fighting fraud and cyber-crime on the internet and law enforcement officials aren’t sure what to do about this. Currently there’s a request for clarification being presented to the European authorities.
The real problem, of course, isn’t blockchain and it’s not internet registrations. The problem lies in how a person’s information is used, how it’s made available and how GDPR requirements can be met without breaking everything else. To accomplish that, you need to know what the GDPR actually requires, which means spending some studying it or at least hiring a consultant who has. You can also take a look at some of the issues as presented by PwC in a useful guide.
While you’re pondering that, here are some ideas to keep in mind:
- Don’t use blockchain (or any other means that won’t fly with GDPR) to store personally identifiable information. Instead, if you want to use blockchain, then only store references to another place where the PII is kept. That way, if you remove the object of the reference, then it becomes meaningless.
- Remember that information in a blockchain cannot be deleted or changed. The fact that it’s encrypted is beside the point, since it appears that the right to be forgotten, means in all forms. Just deleting the encryption key may not be enough.
- The GDPR requirement that data be minimized is also a problem with blockchain, since by design data is replicated as part of the distributed ledger.
- If a blockchain is involved, you need to find some way to resolve the requirement for a DPO and the related requirements of who the data processors are and who the data controller is. In a corporate environment, this should be fairly straightforward. With a public blockchain it’s probably impossible.
This does not mean that you can’t use a blockchain and its distributed ledger as way to help secure your data. It does mean that you must be very careful about determining where the blockchain and personal data intersect and eliminate those places. In some case, it may mean being more innovative than you’ve been in the past.
For example, perhaps you don’t want to put a person’s name into the WHOIS entry in your internet registration, but rather the generic contact information of the IT office. This avoids any conflict with GDPR and it also makes things simpler when personnel changes happen.
Ultimately, the key is personal information. If you see it anywhere, get rid of it unless you specifically know it meets the requirements. Instead, you can console yourself by limiting your blockchain use to your private stash of Bitcoins.