Blockchain Firms: EU GDPR Guidance and Best Practices
Blockchain Companies Get GDPR Advice from EU Consulting Body
In addition to offering blockchain ventures advice on data protection compliance, the EU Blockchain Observatory and Forum has appealed again to EU authorities to resolve the existing tension between privacy protection laws and DLT.
The European Union Blockchain Observatory and Forum, a consultancy body under the umbrella of the European Commission, has published guidance on how distributed ledger technology (DLT) companies can avoid breaching the General Data Protection Regulation (GDPR). The tips are contained within a report about blockchain and GDPR released on Tuesday.
According to the document, which was prepared by ConsenSys, blockchain companies should first analyze how their DLT products create user value, whether personal data is part of that process and, if not, whether a real need exists to store that type of information by using blockchain.
Secondly, in cases where personal data does play a part in the value creation process, companies should implement tools to anonymize the information to the greatest degree possible. When using techniques such as reversible encryption, hashing (non-reversible encryption), and data obfuscation, enterprises should analyze the so-called reversal and linkability risks. The first occurs when a system makes it possible to reverse the process and reconstitute the original data, as in brute force decryption. The report explains the second as “the risk that it is possible to link encrypted data to an individual by examining patterns of usage or context, or by comparison to other pieces of information.”
“It may seem surprising at first, but even if strong encryption is employed on personal data, the result is almost surely pseudonymous, not anonymous. This is for the simple reason that, as long as the key exists somewhere, the data can be decrypted, leading to a reversal risk,” the paper explained.
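The two risks the report names can be checked concretely. The following added example (not from the report or from ConsenSys) uses constructed four-digit customer numbers to show that an unkeyed hash written to a ledger is reversible by enumerating the small identifier space and links records across datasets, while a keyed hash with a per-dataset secret removes both risks for anyone without the key, yet remains pseudonymous for the controller that holds it, exactly as the paper argues.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Set

# Constructed sample data, not from the report: four-digit customer numbers
# that two business units want to reference on a shared ledger.
# Assumption: the identifier space is small, as it is for dates of birth,
# postcodes or phone numbers, which is what makes plain hashing reversible.
UNIT_A_IDS = ["0042", "1234", "5555"]
UNIT_B_IDS = ["0042", "9876"]


def plain_hash(value: str) -> str:
    """Deterministic, unkeyed hash: the 'non-reversible encryption' of the report."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC with a secret key that the data controller keeps off-chain."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reversal_risk(token: str, digits: int = 4) -> Optional[str]:
    """Reversal-risk check: if the original value can be recovered from the
    on-chain token by enumerating the identifier space, the token is at best
    pseudonymous. Returns the recovered value, or None if enumeration fails."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if plain_hash(candidate) == token:
            return candidate
    return None


def tokenize(ids: Iterable[str], key: Optional[bytes] = None) -> Set[str]:
    """Tokens one business unit would write to the ledger for its records."""
    return {keyed_hash(i, key) if key else plain_hash(i) for i in ids}


def linkability_risk(tokens_a: Set[str], tokens_b: Set[str]) -> Set[str]:
    """Linkability-risk check: identical tokens in two datasets let an observer
    join records about one person without reversing anything."""
    return tokens_a & tokens_b


if __name__ == "__main__":
    print(reversal_risk(plain_hash("0042")))  # 0042: plain hash is reversible
    print(len(linkability_risk(tokenize(UNIT_A_IDS), tokenize(UNIT_B_IDS))))  # 1
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    print(reversal_risk(keyed_hash("0042", key_a)))  # None: needs the key
    print(len(linkability_risk(tokenize(UNIT_A_IDS, key_a), tokenize(UNIT_B_IDS, key_b))))  # 0
```

Whoever holds `key_a` can still recompute `keyed_hash("0042", key_a)` and match it to the ledger entry, which is why the report classes the result as pseudonymous rather than anonymous.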
Private, permissioned DLT systems can easily meet GDPR provisions, the advisory body’s analysis of several cases has shown. The Forum advises:
“Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.”
The organization again called on EU authorities to address the issues that create tension between GDPR and blockchain businesses, mainly the erasure clause, the identification and obligations of data controllers and processors, and the process of anonymizing data by using blockchain.
“GDPR compliance is not about the technology, it is about how the technology is used. Just like there is no GDPR-compliant Internet, or GDPR-compliant artificial intelligence algorithm, there is no such thing as a GDPR-compliant blockchain technology,” authors Tom Lyons, Ludovic Courcelas, and Ken Timsit wrote.
In force since May this year, GDPR is one of the most hotly debated topics in the blockchain industry, as the framework aims to protect personal data. One of its provisions is the obligation to erase personal information on a client's complaint, a rule that is hard for companies that use DLT to follow.