Two of the hottest topics in records management are the General Data Protection Regulation (GDPR), which governs the handling of European residents’ personally identifiable information (PII), and blockchain technology. While blockchain is deployed in many business processes, its role as an overarching, enterprise information governance (IG) solution needs further exploration. Firms implementing blockchain point solutions while handling regulated information need to understand a few implications of merging the two.
As attorney Amy Grant puts it, the General Data Protection Regulation’s requirements suggest that data must be “centralized, restricted and removable,” whereas blockchain is “decentralized, distributed and immutable.” Grant cites “control and data removal” as the biggest roadblocks to combining them: not a promising baseline for records and information managers. Existing blockchain projects that already contain EU data subjects’ PII will need to reconcile these differences quickly.
PII protection has traditionally relied upon centralized gatekeepers. It is an open question how the EU and responsible parties would enforce or pursue GDPR issues across distributed, global blockchain nodes (each of which would fall under the regulation’s data processor role). The GDPR data controller role will face stiff challenges on this uncertain landscape. Who would verify the compliance of many distributed nodes, and how? How would a data compromise be addressed? This scenario is clearly outside what the GDPR was designed to address.
One potential solution to the centralized-versus-decentralized challenge, referenced by a few industry experts, is to store personal data off the blockchain (“off-chain”), with only non-sensitive referring metadata and contracts exposed on the blockchain ledger as an audit trail. The personal data, in this arrangement, stays under a single party’s control and can be edited or deleted. However, questions remain about the security controls of the off-chain store and exactly how it will be managed in tandem with the referring data on the blockchain.
Blockchain’s content immutability is also not well suited to EU citizens’ “right to be forgotten,” or to their ability to revise or delete their PII. As blockchain consultant Andries Van Humbeeck has noted, blockchain doesn’t fulfill the “U” and “D” in the traditional Create-Read-Update-Delete (CRUD) records storage model.
A potential solution to the immutability issue involves destroying the cryptographic key that protects the personal data, so that it can no longer be accessed. But this is not the same as destroying the PII itself, and there is much discussion and murkiness around whether this approach counts as “erasure” of subject data under the regulation.
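To make the off-chain pattern and the key-destruction approach concrete, here is an added Python sketch (not from the article or any product): the ledger holds only keyed commitments, the PII and its per-subject key sit off-chain, and an erasure request deletes both, leaving unverifiable commitments on the immutable chain. Class and function names are hypothetical, and the keyed hash stands in for the encryption key the text refers to.

```python
import hashlib
import json
import secrets

def commitment(record: dict, key: bytes) -> str:
    """Keyed SHA-256 over the canonical record. The per-subject key keeps
    low-entropy PII (names, e-mails) from being recovered by guessing."""
    return hashlib.sha256(key + json.dumps(record, sort_keys=True).encode()).hexdigest()

def block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """On-chain part: immutable hash chain of subject references and commitments only."""
    def __init__(self):
        self.blocks = []
    def append(self, subject_id: str, commit: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"subject": subject_id, "commitment": commit, "prev": prev}
        self.blocks.append({**body, "hash": block_hash(body)})
    def verify(self) -> bool:
        prev = "0" * 64
        for blk in self.blocks:
            body = {k: v for k, v in blk.items() if k != "hash"}
            if body["prev"] != prev or block_hash(body) != blk["hash"]:
                return False
            prev = blk["hash"]
        return True

class OffChainStore:
    """Off-chain part under a single party's control, so update and delete work."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records, self.keys = ledger, {}, {}
    def put(self, subject_id: str, record: dict) -> None:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        self.records[subject_id] = record                        # create / update
        self.ledger.append(subject_id, commitment(record, key))  # audit trail only
    def is_consistent(self, subject_id: str) -> bool:
        """Does the latest on-chain commitment still match the off-chain PII?"""
        mine = [b for b in self.ledger.blocks if b["subject"] == subject_id]
        rec, key = self.records.get(subject_id), self.keys.get(subject_id)
        return bool(mine) and rec is not None and commitment(rec, key) == mine[-1]["commitment"]
    def erase(self, subject_id: str) -> None:
        """Erasure request: delete the PII and destroy its key. The commitments stay on
        the ledger but can no longer be linked to or verified against any PII."""
        self.records.pop(subject_id, None)
        self.keys.pop(subject_id, None)
```

Whether the leftover, unverifiable commitments satisfy the regulation's notion of erasure is exactly the open question the text describes.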
Firms subject to the regulation that put data subjects’ PII into blockchain instances will need to proceed very carefully, stay proactively informed, compensate for weak spots, and prepare to navigate the confrontation between blockchain technology and the high-stakes GDPR environment.