With less than two weeks to go until the EU’s General Data Protection Regulation (GDPR) kicks in, industry participants are casting doubts whether blockchain technology can be used to store personal data and still be GDPR compliant. Saloni Sardana explains
GDPR kicks off on 25 May 2018. The law is set to give consumers more control over their data and will impact every client that is subject to data protection.
But research by Private Banker International shows the use of blockchain technology in wealth management may be in limbo after GDPR comes into effect.
This is because industry experts note a contradiction between the “right to forget” provision of GDPR and the immutability of blockchain technology.
The “right to forget” means any information relating to an identifiable person, who can be directly or indirectly identified, needs to be removed with immediate effect if an individual requests it.
If the company fails to act swiftly on the request, it can incur massive fines of up to 4% of annual turnover or up to €20m.
However, blockchain technology is said to be immutable. Once transactions are recorded on the distributed ledger they cannot be erased.
GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Vincent Rezzouk-Hammachi, head of data privacy services and technology solutions at UK accountancy firm, Mazars, says: “Blockchain technology by design is [only] partially GDPR compliant. Unfortunately there is no ‘zero risk’ for wealth managers [when it comes to using GDPR and blockchain] together.”
Several other experts agree. Andries Van Humbeeck, blockchain consultant at industry website, Ledger, comments: “As long as it isn’t clear whether encryption with an “unsolvable key” is sufficient to delete data, we should play on the safe side and just not store personal data on a blockchain.”
And he warns: “Personal identifiable information also includes data that can be indirectly used to ‘calculate’ or ‘derive’ personal information.”
Adrian Daniels, a partner at Israeli law firm Yigal Arnon, says: “GDPR seems incompatible with a decentralised autonomous organisation with no single body controlling the behaviour of the blockchain.”
But a spokesperson for the European Commission, the EU executive overseeing GDPR, comments: “Blockchain or any specific characteristic of blockchain technology is not per se incompatible with the GDPR.”
Permissioned and public blockchains
There are two main types of blockchain technologies: permissioned and public blockchains.
PBI understands that in the case of permissioned blockchains, where the blockchain is controlled by a given number of organisations, specific conditions can be put in place to comply with the right to be forgotten as appropriate.
Regarding public blockchains, where the chain holds only “reference data” and the personal data itself sits in a referenced, encrypted and modifiable database rather than on the blockchain, that personal data can be deleted in line with data protection requirements without any need to touch the blockchain itself.
Daniels comments: “The solution that tends to be most popular among aficionados of the blockchain is to create architecture (in more centralised ledgers at least) in which individual data is stored off-chain.
Daniels continues: “This would allow personal data to be referenced in a blockchain by means of a hash (an unreadable piece of data) but stored in a separate database off the chain, which could only be accessed with permission. In the event an individual wishes to review it or erase it, he or she could request access or deletion.
But he warns: “To some degree this undermines many of the advantages of the blockchain – centralisation of the information, increase in potential exposure to hacking. This solution could also be used to ensure “portability” of the data, another requirement under the GDPR.”
Hammachi agrees. “There could be an extreme route of removing personal data from the blockchain and then you would end up in a situation where you wouldn’t process personal data completely on the blockchain. You would be only using pseudonyms as reference to the personal data.”
He continues: “[Another solution would be to] modify the technology and to create an editable version of blockchain and then the data could be altered [by the data controller]. This would help to ensure that blockchain ensures the ‘right to be forgotten’ and the right to erasure can be fulfilled.”
Blockchain best practice
Van Humbeeck comments: “When using a private blockchain solution, you should make sure that no PII is stored on a blockchain in the first place. You can do this, for example, by defining standards (through smart contracts, for example) that will validate – up to a certain degree – that no PII can be stored.”
Daniels says: “The right to request human intervention or to challenge an automated decision would appear to be anathema to the whole concept of smart contracts, where decisions are made based on pre-written code (e.g. funds released from a trust account once a product has been delivered).
“Even the very concept of the “controller” i.e. the entity upon which the responsibility to uphold the obligations of the GDPR seems incompatible with a decentralised autonomous organisation with no single body controlling the behaviour of the blockchain.”
But Tim Coates, managing consultant at Synechron, says: “Some instances, but for other use cases, such as KYC and those regarding identity, personal information is inherently part of this data and would struggle to be held off-chain, creating a particular challenge for those use cases.
“Where data can be shared geographically, this is less relevant for permissioned blockchains, which is what wealth managers and financial services use cases in general will be using and has more control and privacy.”
Dan Crow, principal at Zeb consulting, comments: “Ideal solutions would build the distributed ledger using only pseudonymised data with tightly defined processes to ensure limited access to key-code mapping and the ability on request to erase the mapping without damaging the integrity of the distributed ledger and subject to compliance with other regulations.”
Van Humbeeck assesses the impact of storing personal data off-chain for permissioned blockchains with a case study in a piece of research from November 2017.
He says: “You store the personal data off-chain and store the reference to this data, along with a hash of this data and other metadata (like claims and permissions about this data), on the blockchain.”
The study highlights that company X can obtain the MyAddress value from company Y through the following steps:
- The blockchain verifies that the requestor (company X) has the rights to read the data. If the requestor has proper authorisation, it receives the link and the hash of the requested data.
- With the link, the requestor gets access directly from company Y’s back-end without having to access the blockchain again.
- After receiving the data from company Y’s back-end company X can ensure that the data has not been tampered with by deriving the hash of the retrieved data, and comparing it with the hash given by the blockchain. If the data matches, this indicates the data has not been tampered with.
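The exchange above, worked through as an added example that is not part of Van Humbeeck’s research or of PBI’s own text: an in-memory dict stands in for company Y’s back-end and a plain list for the ledger, the commitment is a salted SHA-256 (a design choice assumed here so that a short value such as an address cannot be brute-forced from the immutable chain), and erasure deletes only the off-chain record while the ledger entry stays untouched.

```python
import hashlib
import secrets

# Constructed example. Company Y's back-end holds the personal data off-chain;
# the append-only ledger holds only a reference, a commitment hash and the
# claims (here: which parties may read the record). Both stores are plain
# in-memory structures standing in for a real database and a real chain.
OFF_CHAIN_STORE = {}   # record_id -> (salt, personal data)
LEDGER = []            # entries are never removed or modified

def commitment(salt: bytes, data: str) -> str:
    # Salted SHA-256 (assumption of this example). A bare hash of a short
    # value such as a postal address is cheap to brute-force from a public
    # chain, so the salt lives off-chain beside the data and is erased with it.
    return hashlib.sha256(salt + data.encode("utf-8")).hexdigest()

def publish(record_id: str, data: str, readers) -> int:
    """Company Y stores data off-chain and anchors reference, hash and claims."""
    salt = secrets.token_bytes(16)
    OFF_CHAIN_STORE[record_id] = (salt, data)
    LEDGER.append({"ref": record_id,
                   "hash": commitment(salt, data),
                   "readers": frozenset(readers)})
    return len(LEDGER) - 1          # ledger index handed to requestors

def retrieve(entry_index: int, requestor: str):
    """Company X's side of the exchange: returns (status, data)."""
    entry = LEDGER[entry_index]
    if requestor not in entry["readers"]:       # access-rights check
        return ("denied", None)
    # Authorised: the ledger yields link (ref) and hash; the data itself
    # is fetched from company Y's back-end, not from the chain.
    stored = OFF_CHAIN_STORE.get(entry["ref"])
    if stored is None:
        return ("erased", None)                 # record deleted off-chain
    salt, data = stored
    if commitment(salt, data) != entry["hash"]:
        return ("tampered", None)               # back-end copy was altered
    return ("ok", data)                         # hash matches: untampered

def erase(record_id: str) -> None:
    """Right to erasure: remove the off-chain record and its salt.
    The ledger entry remains but now references nothing recoverable."""
    OFF_CHAIN_STORE.pop(record_id, None)
```

Note what the ledger still cannot tell you after erasure: who read the record and when, which is the transparency loss Van Humbeeck lists below.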
However, Van Humbeeck notes the following disadvantages to the solution:
- Transparency of the blockchain is reduced. There is no way of ensuring who accessed the data and who has access to the data.
- The benefit of data ownership in the blockchain is reduced.
- Cyber security may be compromised. Storing personal data over different companies raises the chance of personal information being stolen.
A report published in 2017 by the European Data Protection stated: “It is essential that data protection experts begin to examine the concepts behind blockchain technology and how it is implemented in order to better understand how data protection principles can be applied to it. An integral part of this process should be the development of a privacy-friendly blockchain technology, based on the principles of privacy by design.”
The European Blockchain Observatory and Forum was launched in February 2018 to assess the legal issues, including compliance with the GDPR that need to be addressed in order for blockchain to flourish in an innovative EU ecosystem.
PBI understands that on 10 April 2018, 22 countries signed a Declaration for Cooperation on a European Blockchain Partnership that will develop a privacy-friendly European Blockchain Services Infrastructure compatible with GDPR provisions.
Several industry participants express concerns of how GDPR “compliant” blockchain technology is.
So does GDPR completely refute the principles of blockchain? The easiest solution appears to involve storing personal data off-chain and storing it in hashed form on the blockchain.
While this reduces several benefits of blockchain technology, it should work in the short-term until wealth managers devise a more robust solution.
Blockchain and GDPR can work in tandem with each other in wealth management for now, but more needs to be done.