Blockchain and GDPR: Friend or Foe?

Author: Michael Hathaway

The EU’s General Data Protection Regulation (GDPR), which seeks to protect individuals’ Personally Identifiable Information (PII), is driving a new level of transparency, giving people the right to restrict the use of their data or to request that it be deleted altogether. It is also causing enterprises to rethink how they manage the personal data associated with devices that are increasingly connected over the public Internet.

Companies are still grappling with what this means beyond the obvious collection of data on websites, social media sites, messaging applications and the like. In particular, working out how to provide a “companion app” for a connected device that lets users opt in and opt out is now shaping product development and marketing.

In the case of connected devices, can blockchain help manage the oceans of data and millions or even billions of privacy-related transactions better than other technologies?

This is not an easy question to answer, given that blockchain is by its nature an online, distributed electronic ledger technology that creates an immutable record of a history of transactions. On the surface, therefore, a blockchain database that held PII would break GDPR rules.

Blockchain ledgers can be appended to, but the information on the network cannot be deleted or modified.

What do the experts say?

Gennaro Cuomo, an IBM fellow and vice president of the company’s Blockchain Technologies unit, wrote in a letter to the US House Committee on Science, Space and Technology (Subcommittee on Oversight and Subcommittee on Research and Technology) that blockchain can co-exist with, and even enhance, privacy regulations including GDPR and HIPAA.

“Accountability means the participants transacting in a network, and the data they are transacting on, are both known and trusted. In an enterprise ready blockchain, participants are known and are identified by membership keys. The data can be trusted because transactions committed to the ledger are immutable – such that they cannot be removed or changed by the actions of a single party.”

Cuomo went on to say that enterprises are obligated to keep transaction data, and the transactions themselves, confidential. He continued, “An enterprise blockchain enables confidential communications when information is not desired to be shared with the entire network.”

IBM has released a white paper explaining how blockchain can support GDPR. However, the company notes, personal data should never be stored on the blockchain itself.

Instead, IBM is focusing its blockchain efforts more on industrial use cases, for example managing cross-border payments, supply chain management, and asset tracking.

There are two forms of blockchain: public and private (or permissioned), and enterprises are exploring both sides.

Blockchain-based cryptocurrencies, for example, use public blockchains, with information shared on the electronic ledgers. These ledgers also offer anonymity for users because the origin of the data for each transaction is encrypted and only accessible through a hash key. Those keys belong only to the users and the financial institution backing the transactions.

Businesses are mainly interested in private or permissioned blockchains, where a central authority governs who is authorized to partake in the electronic ledger. This is the space Cognida operates in.

In a report released in early 2018, Forrester Research said blockchain is ideal for meeting new government data privacy requirements and for serving as a trusted repository for identification purposes; however, it also argued that “Personally-identifiable information should never, ever be stored on a blockchain-based network.”

Martha Bennett, a principal analyst at Forrester Research and co-author of the report, recommended that “companies linking PII to on-chain records need to have mechanisms in place that allow that link to be broken irrevocably.”

So, is blockchain a friend or foe of GDPR? In a way, it is both.

Bennett wrote that blockchain-based systems can be used to track consent as well as the fulfillment of deletion requests, for example.

The Sovrin Foundation is a nonprofit organization developing the Sovrin Network, which enables anyone to exchange pre-verified data globally with any other entity on the network. The organization claims that with blockchain, identity theft and fraud can be significantly reduced while Anti-Money Laundering rules are enhanced.

The technical architecture that enables the Sovrin version of Self-Sovereign Identity (SSI) and the creation and use of these digital identities is made up of three key components:

  1. Digital “Wallets” that hold Credentials (as defined below) and certain other cryptographic materials;
  2. A unique peer-to-peer communications protocol facilitated by pieces of software called “Agents” that form an “Agency Layer”; and
  3. A public permissioned distributed ledger (the “Sovrin Ledger”).

Each Identity Owner or Thing (a “Sovrin Entity”) has a Wallet that contains or holds digitally-signed verifiable credentials (“Credentials”) containing certain information, e.g. claims or attributes, about that Sovrin Entity that have either been issued by an “Issuer” or self-issued by the Sovrin Entity.

The Sovrin Entity who is the subject of a Credential held in its Wallet is known as the “Holder” of that Credential.

Instead of a physical card, however, the IDs in digital wallets would be encrypted and link back to the institutions that created them, such as a bank, a government or even an employer. Through the blockchain, those entities could automatically verify information to a requestor without providing any other details.

A lot depends on the architecture of specific blockchains and, importantly, on the platforms and networks they connect with.

Blockchains with privacy and GDPR compliance baked in are positioned to have advantages over blockchains that store personal data. Sovrin, for example, uses a directory that points to an individual’s data, which is stored in more traditional places, implementing the GDPR’s privacy rules as a feature of its service.
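As an added example (not Cognida’s or Sovrin’s code), the pattern Bennett and the Sovrin description point at: an append-only ledger that records only consent and erasure events plus a keyed commitment, with the PII and the per-subject key kept in deletable storage, shown beside the anti-pattern of writing PII to the ledger. The class and function names and the hash-chained list standing in for a blockchain are assumptions.

```python
# Added example (not Cognida's or Sovrin's code): PII stays off-chain; the
# ledger holds only consent/erasure events and a keyed commitment (HMAC).
import hashlib
import hmac
import json
import secrets

class AppendOnlyLedger:
    # Hash-chained list standing in for a blockchain: append only, never delete.
    def __init__(self):
        self.entries = []

    def append(self, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "hash": digest})
        return digest

def store_pii_on_chain(ledger: AppendOnlyLedger, record: dict) -> str:
    # The anti-pattern: raw PII written to the ledger can never be erased.
    return ledger.append({"event": "consent_given", "subject": record})

class OffChainPiiRegistry:
    # GDPR-friendly pattern: the off-chain "directory" the article describes.
    def __init__(self, ledger: AppendOnlyLedger):
        self.ledger = ledger
        self.pii = {}   # subject_id -> record (deletable)
        self.keys = {}  # subject_id -> secret mixed into the commitment (deletable)

    def _commit(self, subject_id: str) -> str:
        body = json.dumps(self.pii[subject_id], sort_keys=True).encode()
        return hmac.new(self.keys[subject_id], body, "sha256").hexdigest()

    def register(self, subject_id: str, record: dict) -> str:
        self.keys[subject_id] = secrets.token_bytes(32)
        self.pii[subject_id] = record
        return self.ledger.append({"event": "consent_given", "ref": self._commit(subject_id)})

    def verify(self, subject_id: str) -> bool:
        if subject_id not in self.keys:
            return False
        ref = self._commit(subject_id)
        return any(e["payload"].get("ref") == ref for e in self.ledger.entries)

    def erase(self, subject_id: str) -> str:
        # Fulfil a deletion request: an erasure event stays for audit, but without
        # the record and key the old ref can no longer be recomputed or linked.
        ref = self._commit(subject_id)
        del self.pii[subject_id], self.keys[subject_id]
        return self.ledger.append({"event": "erasure_fulfilled", "ref": ref})
```

The ledger never shrinks, yet after `erase` no email address or other PII exists anywhere, and the remaining `ref` is an unkeyed HMAC output that cannot be tied back to a person.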

Enterprises are learning that they will need different blockchains for different applications, systems and clouds. Cognida is helping to solve that complexity with management tools (a blockchain-agnostic network and platform) that give enterprises productive oversight and operations.

When the same IT team needs to support both GDPR-compliant and non-compliant blockchains, up-front and creative planning is key, particularly when blockchains connect not just internal assets but third-party systems in the unstoppable new “API for Everything” world.

The biggest question may be this:

Is GDPR enough? It still allows user data to be controlled by a cloud provider, under that cloud provider’s security and privacy policies. Users still need to get permission to access their own data. GDPR only requires that cloud providers delete a user’s data upon request in a timely manner.

We can do better.

That’s what Cognida aims to do.
