How will GDPR affect Blockchain?


(Karthik Kamalakannan) #1

I was going through the General Data Protection Regulation (GDPR) proposal and I came across this point which said that the users reserve the right to delete all of their data in a technology product.

With blockchain picking up pace in the industry, which lives on the promise of transparency and data retention, I was wondering how any product that is being built on blockchain would comply with GDPR.

I know as a matter of fact that there should be a way to make blockchain work with regulations like GDPR. But how is this going to happen? Should there be a re-write of the blockchain’s core structure or something else must be done?

Can someone please throw some light on this?


(Naveen Honest Raj) #2

We can approach this problem by encrypting the data mandatorily, and when the user wants to delete the data, if they just delete their private key then it will consequently make the encrypted data useless. Thus, by having the private key under the control of a user-only approach, we can provide the user the option to delete their data, theoretically.

I hope GDPR would comply with this approach. But I am not sure about this yet, @karthik.


(Karthik Kamalakannan) #3

This makes sense. But I was assuming that the EU is going to be really hard on this considering the complications platforms like Facebook and Google have when it comes to deleting user data.

I was digging around the compliance, and I’m starting to realize that this policy could completely invalidate the entire blockchain use-case for a lot of private information storage. But blockchain could be of use when storing public information like tax records, land registrars and such.

It is pretty complicated on the high-level. But I’m just being optimistic.


(Karthik Kamalakannan) #4

One more way of using blockchain and still staying compliant might be to use something like off-chain transactions.

This method seems fine, but still, there is a risk of the user data being re-created, even without having to know their personal details. The main reason being this data is stored based on the ID and the hash.

I’m working to see if there is some possibility to segregate user data and the actual blockchain and still take advantage of all the features that blockchain brings to the table.


(Naveen Honest Raj) #5

This approach sounds fine to me. However, even in a “normal traditional” web application, if a user needs to “completely” delete himself/herself from the system, some of the data-transactions made by him/her will be shadowed down.

For example, in an application where he/she made some transaction to another person, we still need to hold the transaction data to validate the other person’s holdings. In that case, we might have to shadow-down the information to not map to anyone. But the transactions like “Commenting on certain posts” can be deleted because these data won’t be contributing to the other person’s data-validation part.

I guess the same case would go with blockchain in terms of working in “Off-chain transactions”


(Karthik Kamalakannan) #6

True that. But on the other hand, there could be one more potential architecture that we could try. Where we store the ID, which refers to the data that is stored within the blockchain and is hashed.

This way, the user’s personal data is stored in the database outside of the blockchain, and then we use the anonymized ID to be stored in the blockchain.

So now, when a user wants to delete their data from the product, we delete the data that is residing outside the blockchain. But the data in the blockchain which is completely anonymized will not make sense anymore.

What do you think?
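
The off-chain design from posts #4 and #6, as an added example that is not code from any poster: personal data and a random salt sit in an erasable store, and only a salted commitment goes on the ledger. It also shows the re-creation risk raised in post #4 when the on-chain value is a plain hash of guessable data. All names (`chain`, `off_chain`, `register`, `erase`) and the sample record are constructed for illustration, and the code demonstrates linkability only, not legal compliance.

```python
import hashlib, hmac, json, secrets

chain = []       # append-only ledger stand-in: commitments only, no personal data
off_chain = {}   # erasable store: record_id -> {"salt": bytes, "data": dict}

def canonical(data):
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def unsalted_ref(data):
    # Weak design: plain hash of the personal data itself.
    return hashlib.sha256(canonical(data)).hexdigest()

def salted_ref(salt, data):
    # Keyed commitment; the salt exists only in the erasable off-chain store.
    return hmac.new(salt, canonical(data), hashlib.sha256).hexdigest()

def register(data):
    record_id = secrets.token_hex(16)   # random ID, not derived from the user
    salt = secrets.token_bytes(32)
    off_chain[record_id] = {"salt": salt, "data": data}
    chain.append(salted_ref(salt, data))
    return record_id, chain[-1]

def verify(record_id, commitment):
    # Integrity check; only possible while the off-chain record still exists.
    rec = off_chain.get(record_id)
    return rec is not None and hmac.compare_digest(
        salted_ref(rec["salt"], rec["data"]), commitment)

def erase(record_id):
    # Erasure request: drop data and salt; the ledger entry stays but is orphaned.
    return off_chain.pop(record_id, None) is not None

def relinkable(on_chain_value, candidates):
    # Can a party holding guessed personal data (but no salt) re-create the value?
    return any(hmac.compare_digest(unsalted_ref(c), on_chain_value) for c in candidates)

def demo():
    alice = {"email": "alice@example.com", "name": "Alice"}   # constructed sample
    guesses = [{"email": "bob@example.com", "name": "Bob"}, alice]
    weak = unsalted_ref(alice)
    rid, strong = register(alice)
    before = verify(rid, strong)
    erase(rid)
    return {"weak_relinkable": relinkable(weak, guesses),
            "strong_relinkable": relinkable(strong, guesses),
            "verified_before": before, "verified_after": verify(rid, strong),
            "still_on_chain": strong in chain}

if __name__ == "__main__":
    print(demo())
```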