Blockchain, as one of the most complex networks used to handle personal data, may be regarded as challenging for the applicability and realization of Article 17 of the General Data Protection Regulation, which gives the data subject a right to erasure, or a “right to be forgotten”, with respect to one's personal data. The immutability and decentralized character of the system does not provide for the erasure of personal data on the chain, and it also poses problems in determining the competent authority responsible for data protection compliance when the data subject needs to exercise their rights under the GDPR.
As blockchain has become one of the main systems used throughout different institutions in the European Union to facilitate both public and private services, the idea of processing and collecting personal data in a system that does not provide for erasure has raised a number of discussions among legal professionals.
Encryption makes blockchain a relatively safe data protection tool, as no personal data is directly visible. However, when blockchain is used within a business organization, it may involve personal data to some extent. The nature of the data varies: it may be financial or private, or may concern the transfer of goods and services, generally depending on the business field the company operates in. As a result, organizations and their business partners would eventually have access to information identifying the users, such as e-mails, addresses, financial account details, IP addresses and other similar information that would qualify as personal data under the GDPR. Potentially, if this information becomes available to non-trusted third parties or becomes publicly available, the data subject is at risk of exposure of current transactions that include the data subject's personal data.
Given the obligations arising under Article 17, the use of blockchain shall not be an exception to the applicability of the Regulation if the scope of applicability is satisfied, regardless of the complex structure of the chain.
It follows that compliance with the General Data Protection Regulation while using blockchain may not be achieved straightforwardly, and it may require vast resources to achieve it correctly. Consequently, if there is a need or a wish to use a private blockchain, all the possible risks associated with data protection shall be assessed, and specific regulatory guidance issued on each point that may pose obstacles to meeting data protection requirements.
As a result, the process of complying with Article 17 shall be planned by each organization individually, depending on its available financial, human and technological resources and on the amount of personal data that may circulate on the chain, and is subject to assessment on its own merits. Regardless, complete compliance with the Regulation when using a private blockchain would not be possible, since, due to the technological fundamentals of the chain itself, there will always be a risk of re-identifying the data unless it is erased by physical destruction. In any event, the choice of a private blockchain as the main network that the company operates on has to be evaluated accordingly, balancing its potential benefits to the company against the potential problems arising from the applicability and realization of the provisions of the General Data Protection Regulation.
For further guidance on creating GDPR-compliant blockchain rules in the company or as a private individual, and on securing personal data circulating in transactions, contact EU LAW FIRM GDPR lawyers for more information: info@eulawfirm.eu.