Blockchain and UKGDPR – an unlikely partnership

If we asked ten people what Blockchain is, I’m betting (hypothetically) we would get ten completely different answers. Ask a bunch of lawyers to provide a basic definition of it, and it is bound to become a lengthy and complicated one.

At the most basic level, a blockchain is an append-only ledger of transactions grouped into blocks. On a public chain such as Bitcoin’s, anyone can download the ledger, view the transactions and verify them, and the ledger is the record of who transferred a cryptocurrency to whom. The ledger is called “immutable” because of how the blocks are linked (explained below), not because the bytes on any one machine cannot be changed. One structural difference from a conventional database is that a blockchain gathers records into groups (“blocks”) that are appended in sequence, whereas a database keeps each record in a fixed field or row and lets an administrator update or delete it in place. Put slightly more technically, a blockchain is a series of blocks of data, each linked to the one before it by a cryptographic hash, replicated and kept in sync across the machines that take part in the network.

Cryptographic hashing is one of the building blocks of blockchain technology. A hash function such as SHA-256 takes input of any length and deterministically produces a fixed-length output (a “hash”): the same input always gives the same hash, the output looks random and reveals nothing useful about the input, and it is computationally infeasible to find a different input that produces the same hash. Each block in the chain includes the hash of the previous block. Because every block carries the hash of the one that preceded it, all the way back to the first (“genesis”) block, the blocks form a continuous chain whose integrity anyone holding a copy can check.

The hash stored in each block is therefore a fingerprint of the previous block rather than a copy of it. If the previous block is altered in any way, recomputing its hash no longer gives the value recorded in the block that follows, so the link is broken. To hide the change an attacker would have to recompute the hash of every subsequent block as well, and on a public network every other participant holding a copy of the chain would see that their copy no longer agrees.

Phew!

I am not going to discuss Brexit (well, maybe a little), but since certain GDPR provisions were “onshored” into UK law as retained law (now known as the UK GDPR), there has been a visible disconnect between emerging technologies and the current law. Take the “right to be forgotten”, which now sits as the right to erasure in Article 17 of the UK GDPR. A blockchain’s immutability means that the data in any block cannot be modified or deleted without changing the hash of every block that follows it, so an individual record cannot simply be erased on request. On a public blockchain, anyone in the world can download and read the full ledger, so any personal data written to it (or data that, combined with other information, would identify an individual) is disclosed without restriction and for as long as the chain exists. Together these features mean such a chain may never be seen as compliant with the UK GDPR. Yet we are seeing more and more of these technologies (however volatile they are) in the markets.

One way in which it may be possible to satisfy the regulators is to build a permissioned blockchain, so that only vetted participants can read and write to it and each is bound by the terms and conditions of the business. Better still, the blockchain could keep personal data, and any data likely to identify a person, off the chain altogether, recording on-chain only an opaque reference such as a hash. Storage is also a problem: a centralised system is arguably easier to manage, but the exposure of and risk to personal information outweigh the benefits unless the operators can show a legitimate purpose and a justified retention period for the data. On a practical level, if every block contains a hash of the previous block and so on, how can one remove the data of a single “user” without affecting the whole blockchain? The usual answer is the off-chain pattern: the on-chain reference stays (it reveals nothing by itself) while the off-chain record is deleted. If keeping personal data off the chain is not possible, it could instead be encrypted on-chain and the key destroyed on request, but we foresee challenges with this: the ciphertext remains on the chain forever, and it is not settled whether destroying a key amounts to erasure under Article 17.
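The hash chain described earlier and the off-chain reference pattern above, as an added Python example (this is not code from the original post, and it is a single-machine toy with no network or consensus). The data-subject record, the transactions and the use of SHA-256 for block hashes and HMAC-SHA-256 for the per-record reference are my own choices for illustration:

```python
"""Added example: a toy hash chain with tamper detection, plus the off-chain
pattern that keeps personal data erasable. All sample data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # conventional "previous hash" for the first block


def canonical(obj) -> bytes:
    """Serialise deterministically so identical content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_digest(index: int, prev_hash: str, payload: dict) -> str:
    return hashlib.sha256(canonical({"index": index, "prev": prev_hash, "payload": payload})).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict
    digest: str  # SHA-256 over index, prev_hash and payload


def append_block(chain: list[Block], payload: dict) -> Block:
    prev = chain[-1].digest if chain else GENESIS_PREV
    block = Block(len(chain), prev, payload, block_digest(len(chain), prev, payload))
    chain.append(block)
    return block


def verify_chain(chain: list[Block]) -> int | None:
    """Return the index of the first block that fails verification, or None if intact."""
    expected_prev = GENESIS_PREV
    for block in chain:
        # Link check: does this block point at the digest of the block before it?
        if block.prev_hash != expected_prev:
            return block.index
        # Content check: does the stored digest still match the block's content?
        if block_digest(block.index, block.prev_hash, block.payload) != block.digest:
            return block.index
        expected_prev = block.digest
    return None


def tamper_demo() -> tuple[int | None, int | None]:
    """Edit block 1 in place, then try to cover it up by recomputing its digest."""
    chain: list[Block] = []
    for amount in (5, 10, 15):  # constructed transactions
        append_block(chain, {"tx": f"pay {amount}"})
    chain[1].payload["tx"] = "pay 1000"
    edited = verify_chain(chain)  # block 1: stored digest no longer matches content
    chain[1].digest = block_digest(1, chain[1].prev_hash, chain[1].payload)
    covered_up = verify_chain(chain)  # block 2: still points at block 1's OLD digest
    return edited, covered_up


class OffChainStore:
    """Holds personal data off the chain; the chain stores only a keyed reference."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, dict]] = {}

    def put(self, person: dict) -> str:
        salt = secrets.token_bytes(16)  # per-record key; without it the reference is opaque
        ref = hmac.new(salt, canonical(person), hashlib.sha256).hexdigest()
        self._records[ref] = (salt, person)
        return ref

    def resolve(self, ref: str) -> dict | None:
        rec = self._records.get(ref)
        return rec[1] if rec else None

    def matches(self, ref: str, guess: dict) -> bool:
        """Can a guessed identity be confirmed against an on-chain reference?"""
        rec = self._records.get(ref)
        if rec is None:
            return False  # salt gone: the reference can no longer be linked to anyone
        return hmac.compare_digest(ref, hmac.new(rec[0], canonical(guess), hashlib.sha256).hexdigest())

    def erase(self, ref: str) -> None:
        self._records.pop(ref, None)  # deletes both the data and the salt


def erasure_demo() -> tuple[bool, bool, bool, int | None]:
    store = OffChainStore()
    chain: list[Block] = []
    alice = {"name": "Alice Example", "email": "alice@example.invalid"}  # constructed
    ref = store.put(alice)
    append_block(chain, {"subject": ref, "event": "account_opened"})
    append_block(chain, {"subject": ref, "event": "purchase"})
    linkable_before = store.matches(ref, alice)
    store.erase(ref)  # the Article 17 request: the off-chain record goes, the chain does not change
    linkable_after = store.matches(ref, alice)
    return linkable_before, linkable_after, store.resolve(ref) is None, verify_chain(chain)


if __name__ == "__main__":
    print(tamper_demo())   # (1, 2)
    print(erasure_demo())  # (True, False, True, None)
```

The first demo shows why one edit is never local: changing block 1 breaks block 1’s own digest, and recomputing that digest only moves the break to block 2, because block 2 still references the old value. The second shows the erasure pattern: the chain never stored Alice’s data, only an HMAC keyed with a random per-record salt, so deleting the off-chain record and its salt leaves the chain fully verifiable while the reference can no longer be tied to her even by someone who guesses her details.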

We would love to hear from experts in the field of emerging technologies on their experiences regarding this issue, so please get in touch with the team.