By Sajin Rajan, January 22, 2020

GDPR & Blockchain – A Programmer’s Guide

Does blockchain comply with the General Data Protection Regulation (GDPR), or can it be made to? The question is being debated around the globe, and opinion has split into two camps. One camp says blockchain can meet GDPR with some changes to how it is used; the other says it is impossible.

In their basic design, GDPR and blockchain are as different as chalk and cheese. With the right design choices, however, they can work together.

GDPR was written in response to concerns about data protection. Two of its assumptions collide with blockchain. First, it expects an identifiable party (the data controller) to be accountable for every processing operation. Second, it gives individuals the right to have their data rectified (Article 16) or erased (Article 17). Blockchain, on the other hand, replicates data to every node and makes it immutable once written. Note that a blockchain does not encrypt its data by default; it hashes and chains it, and on a public chain the payload is readable by anyone who runs a node.

At present, we are all concerned about data privacy. We don't want our confidential or private data to end up in a stranger's hands. Data security is necessary, and the technologies we use should take it seriously. Blockchain is a useful technology, but does it comply with data privacy laws? And are programmers aware of these concerns when they build on blockchain?

This article discusses the issue and shows how to achieve data security together with GDPR compliance. It also addresses the following questions:

  • Is there a concrete connection between blockchain and GDPR?
  • How are programmers affected?
  • What is the programmer’s role in making blockchain compliant with GDPR?

Let’s see how GDPR and blockchain can coexist with the effort of skillful developers.

GDPR Compliance in the Blockchain: The Possibilities

The major problem with GDPR compliance on a blockchain is immutability. Data written to a blockchain is designed to be impossible to alter or remove, and on a public blockchain it is also replicated to every node, so a request to rectify or erase it cannot be honoured in the usual way. There are, however, ways to design around this conflict.

One might wonder, at first, whether there is a solution at all.

There is, even if it is not a simple one (in my view, finding it is part of a programmer's responsibility). I've worked out such a solution, and I'd love to share it with the coding community.

Two Terms To Keep in Mind

First, let’s get familiar with two terms that are used as focus points and are important to remember.

Data controller: the party that determines the purposes and means of processing personal data (GDPR Article 4(7)). The controller is the one accountable for making sure the GDPR rules are followed.

Data processor: the party that processes personal data on the controller's behalf (Article 4(8)), whether that is an in-house team or an outsourced third party.

These two roles are central to GDPR. If we are freelancers and a client instructs us to do a job, the client is the data controller and we are data processors. A company that handles its own customers' data with in-house staff is the controller and does the processing itself.

Let’s see how these terms apply to blockchain.

Do these roles exist in blockchain? Not as such. Blockchain is built around decentralization: there is deliberately no single party in charge, whereas GDPR's accountability model assumes there is one.

That is the root of the problem. There is no real controller. Data is added to the chain after validation, and validation is done not by one party but by a network of nodes. Every node holds a full copy of the data, and once the network agrees, the data is appended as a block.

The real challenge begins here. Under GDPR, if a data subject in the EU asks for their data to be rectified or erased, whoever runs the blockchain has to comply. But the data cannot be edited or erased once it has been validated. A block, once added, stays added, and every node keeps its copy.

(The immutable blocks of a blockchain)

Hmm, no solution?

Well, there is a solution!

Resolving the Conflict Between GDPR and Blockchain

Now that we know about the conflict between GDPR and blockchain, it's time to reveal that solution. In outline:

  1. Encrypt each individual's personal data under a key that belongs to that individual alone (public-key or hybrid encryption, with the decryption key kept off the chain).
  2. Only the encrypted data is validated and added to the blockchain as blocks.

“[A] public key is provided for public access and it can be accessed only with a private key. Individuals get both public as well as private keys. The public key will be in the blockchain and with the private key, the concerned individual gains access to his/her data.” (Source: Epixel)

If some data has to be erased, destroy the decryption key. Be precise about which key that is: with public-key encryption, data is encrypted with the public key and can be decrypted only with the private key, so it is the private key (or, in a hybrid scheme, the per-record symmetric key that the private key protects) that must be destroyed. Deleting the public key achieves nothing; public keys are public by design, and anyone holding the private key can still decrypt. Once the private key is gone from every copy, including backups and hardware key stores, the ciphertext on the chain stays where it is, but nobody can read it any more.

This technique is usually called crypto-shredding. It does not erase the data itself; it permanently removes the ability to access it. The caveat is that ciphertext on a public chain is available to everyone forever, so it has to withstand future attacks. A large quantum computer running Shor's algorithm would break RSA and elliptic-curve keys, which is why long-lived designs should plan for post-quantum key exchange and keep the bulk data under symmetric encryption such as AES-256, which is far less affected. Today's quantum computers cannot decrypt such data.

This is the most widely used way to reconcile blockchain with the right to erasure, at least for now. Bear in mind that regulators have not settled the question: encrypted personal data is still personal data while a key exists, and whether key destruction counts as erasure under Article 17 rests on supervisory-authority guidance rather than settled law.
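The procedure above, as an added example that is not code from the original article: personal data goes onto a hash-chained ledger only as ciphertext under a per-subject key, and an erasure request destroys that key rather than touching the chain. The names, the dict-based key store and the sample record are assumptions made for this illustration; the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, used as a standard-library stand-in for a vetted AEAD such as AES-GCM from the `cryptography` package, which production code should use instead.

```python
"""Crypto-shredding on an append-only ledger (added example, not the article's code).

Assumptions (hypothetical): one random 256-bit key per data subject, held in an
off-chain key store (a dict here); the chain stores only ciphertext. The cipher is
HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stdlib stand-in for a
vetted AEAD such as AES-GCM, which production code should use instead.
"""
import copy, hashlib, hmac, json, os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Independent encryption and MAC keys derived from the subject key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32); the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag in constant time before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Hash-chained, append-only: every block commits to its predecessor."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: bytes) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"index": len(self.blocks), "prev": prev, "payload": payload.hex()}
        block["hash"] = _block_hash(block)
        self.blocks.append(block)
        return block["index"]

    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["prev"] != prev or _block_hash(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True


def record_personal_data(ledger: Ledger, keys: dict, subject: str, data: dict) -> int:
    """Encrypt under the subject's key (created on first use) and append the ciphertext."""
    key = keys.setdefault(subject, os.urandom(32))
    return ledger.append(encrypt(key, json.dumps(data).encode()))


def read_personal_data(ledger: Ledger, keys: dict, subject: str, index: int) -> dict:
    if subject not in keys:
        raise KeyError(f"key for {subject} was shredded; ciphertext is unrecoverable")
    return json.loads(decrypt(keys[subject], bytes.fromhex(ledger.blocks[index]["payload"])))


def demo() -> dict:
    """Store, read, shred the key, then show that editing the chain instead is detected."""
    ledger, keys = Ledger(), {}
    idx = record_personal_data(ledger, keys, "alice", {"email": "alice@example.com"})  # constructed
    before = read_personal_data(ledger, keys, "alice", idx)
    del keys["alice"]  # erasure request: destroy the key, leave the chain untouched
    try:
        read_personal_data(ledger, keys, "alice", idx)
        after = "readable"
    except KeyError:
        after = "unrecoverable"
    edited = copy.deepcopy(ledger)
    edited.blocks[idx]["payload"] = ""  # the naive "just delete it" approach
    return {"before": before, "after": after, "chain_ok": ledger.verify(),
            "edit_detected": not edited.verify(), "blocks": len(ledger.blocks)}
```

Running `demo()` shows the two properties that matter: after the key is deleted the ledger still verifies and still holds the block, but the record is unrecoverable, whereas blanking the payload in place breaks the chain at once. The example keeps the key in a plain dict; in a real deployment the key store is the sensitive component, and shredding has to reach every replica and backup of it.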

Data Privacy Best Practices With Blockchain

I know the difficulties that laws like GDPR create. They are hard on everyone in an organization, developers included. On top of that, security concerns must always be taken into account.

Here are some of the actions you should take to make sure data security is maintained.

Prefer Private Blockchain Over Public Blockchain

As mentioned earlier, every connected node stores a copy of the same data. On a public network, anyone who meets the protocol's requirements can run a node. Data is accepted only once the network reaches consensus on it, which on most public chains means a majority of the validating nodes.

A private (permissioned) blockchain has a limited number of nodes, and only a closed group gets access to the data. Limiting validation to a closed group narrows the gap between blockchain and data-protection law: the participants are known, can be bound by contract as controllers or processors, and can be instructed to act on a deletion request. The data is still replicated to every node, though, so the encryption approach above is still needed.

Keep Privacy Data in a Unique Ledger

Instead of putting all data on the public chain, keep personal data in a separate ledger. Everything that falls under GDPR goes into that one ledger, which is access-controlled and whose contents can be changed.

What is the advantage of a separate ledger? Personal data never reaches the public ledger, which removes the biggest data-security concern. The public chain holds at most a reference to the record, such as a hash, and that reference should be salted or keyed: an unsalted hash of an e-mail address or phone number can be reversed simply by hashing guesses, so it is still personal data.

Blockchain logic is expressed as coded rules in smart contracts. Rules for the separate ledger can therefore be written into a smart contract with provisions to modify or delete the data as needed, for example a controller-authorised erase operation that removes the record and the key or salt that links it to the on-chain reference.
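The separate-ledger design, as an added example that is not code from the original article: the on-chain value is a keyed commitment, HMAC-SHA256 under a per-subject secret pepper, the personal record itself lives in a mutable off-chain store, and erasure deletes both the record and the pepper. The class and function names, the pepper scheme and the sample addresses are assumptions made for this illustration. The block also shows why a plain SHA-256 of the record would not do: a dictionary attack recovers it from the on-chain value alone.

```python
"""Personal data off-chain, only a keyed commitment on-chain (added example, not
the article's code).

Assumptions (hypothetical): the on-chain entry is HMAC-SHA256(pepper, record),
with one secret pepper per data subject held by the controller; the record lives
in a mutable off-chain store. Erasure deletes the off-chain row and the pepper,
so the commitment left on-chain can no longer be linked to anyone, even by
guessing. A plain SHA-256 of an e-mail address does not give that property.
"""
import hashlib, hmac, json, os


def canonical(record: dict) -> bytes:
    """Deterministic encoding so equal records always hash the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(record: dict) -> str:
    """The tempting but weak design: an unkeyed hash of the personal record."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commitment(pepper: bytes, record: dict) -> str:
    return hmac.new(pepper, canonical(record), hashlib.sha256).hexdigest()


class PrivacyLedger:
    def __init__(self):
        self.onchain = []    # append-only: commitments only, never personal data
        self.offchain = {}   # mutable: commitment -> (subject, record)
        self.peppers = {}    # mutable: subject -> secret pepper

    def add(self, subject: str, record: dict) -> str:
        pepper = self.peppers.setdefault(subject, os.urandom(32))
        c = keyed_commitment(pepper, record)
        self.onchain.append(c)
        self.offchain[c] = (subject, record)
        return c

    def resolve(self, c: str):
        """Look up the record behind an on-chain commitment, if it still exists."""
        entry = self.offchain.get(c)
        return entry[1] if entry else None

    def prove(self, subject: str, c: str, record: dict) -> bool:
        """While the pepper exists the controller can show a record was committed."""
        pepper = self.peppers.get(subject)
        return pepper is not None and hmac.compare_digest(c, keyed_commitment(pepper, record))

    def erase(self, subject: str) -> None:
        """Erasure request: drop the data and the pepper; the chain is untouched."""
        self.peppers.pop(subject, None)
        self.offchain = {c: v for c, v in self.offchain.items() if v[0] != subject}


def dictionary_attack(target: str, candidate_emails):
    """Attacker holding only the on-chain value hashes guesses with the unkeyed hash."""
    for email in candidate_emails:
        if plain_hash({"email": email}) == target:
            return email
    return None


def demo() -> dict:
    ledger = PrivacyLedger()
    record = {"email": "alice@example.com"}  # constructed sample
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]  # constructed
    c = ledger.add("alice", record)
    result = {
        "attack_on_plain_hash": dictionary_attack(plain_hash(record), guesses),
        "attack_on_commitment": dictionary_attack(c, guesses),
        "proof_before": ledger.prove("alice", c, record),
        "resolve_before": ledger.resolve(c),
    }
    ledger.erase("alice")
    result.update({
        "proof_after": ledger.prove("alice", c, record),
        "resolve_after": ledger.resolve(c),
        "onchain_entries": len(ledger.onchain),
    })
    return result
```

The on-chain entry count is unchanged after erasure; what changes is that nothing, on-chain or off, can be tied to the person any more. While the pepper exists the commitment is a pseudonymous identifier and should be treated as personal data, so the pepper store deserves the same protection as the key store in the crypto-shredding approach, and destroying it is the same argument applied to a reference instead of a ciphertext.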

Difficult Doesn’t Mean Impossible

With the encryption solution and these privacy best practices, blockchain can meet GDPR requirements to a large extent, and the remaining risk is comparatively low.

Blockchain developers like us face situations like this regularly. Blockchain as a technology need not prevent people from keeping control over their data; with these design changes it can support that control while staying within the GDPR guidelines.

About the author

Sajin Rajan

Sajin Rajan, CMO of Epixel Solutions, a U.S.-based software development company, has more than 10 years of experience in the software field. He always brainstorms emerging technologies and how they can be integrated into real-world applications. He has unique ideas in developing blockchain-based applications. His areas of interest include blockchain technology, IoT, AI, etc.