Blockchain’s explosive growth has had businesses all over the globe scrambling to invest. But with GDPR fast approaching, how will an unchangeable database cope with the right to be forgotten?
How do you inflate your share price by 400% in a day? The answer is simple: add the word blockchain to your company’s name. As absurd as these figures seem, this is actually what happened last October to venture capitalist firm On-line Plc, following their decision to alter their name to On-line Blockchain Plc.
This shocking report is an accurate reflection of the current level of hype surrounding this new technology, with companies left, right and centre moving to adopt blockchain. A reported 57% of large UK corporations now have immediate plans to implement blockchain into their infrastructure by the end of 2018, while demand for blockchain specialists has nearly tripled in the last year alone. But while organisations have been avidly investing in this new phenomenon, they have also (rather more reluctantly) been preparing for an equally important, but slightly less exciting, development in the tech world: GDPR.
Much of the hype surrounding blockchain has been garnered because it is an immutable method of storing information- meaning that once information is loaded onto the blockchain, it cannot be edited or deleted. However, come May 2018, this unique feature may bring more pain than joy to businesses, as one of the most significant clauses in GDPR comes into effect: the right to be forgotten. This stipulates that individuals have the right to insist that organisations erase any personal information they hold on them. Apply this clause to blockchain, and the result is a non-compliant system and a £17 million fine. So what options do businesses have?
Edit the uneditable
One answer is to change blockchain itself. Accenture, for example, have recently patented an “editable” version of blockchain, which can be altered under certain circumstances by pre-ordained parties- a modification that could be easily moulded into being GDPR compliant and, at first sight, an appealingly easy solution.
However, there are some problems with this approach. As critics have pointed out, one of blockchain’s key (and unique) values is its immutability. It is this feature, making it immune to certain kinds of malicious interference such as misappropriation of assets or fraudulent financial reporting, that gives it so much appeal. By allowing even the possibility of interference, its trustworthiness as an absolute source of information is diminished. For organisations such as banks and other financial institutions, who are anxious to utilise the power of blockchain to build trust and protect against this kind of interference, an “editable blockchain” is unlikely to be a satisfactory solution.
For those who are either unwilling or unable to adopt an editable model, legal solutions may be sufficient. GDPR itself offers no explanation as to what “erasure” actually constitutes, and, while this might seem obvious at first sight, it could be an opportunity. In the past, for example, some authorities have ruled that encryption can legally be equal to deletion- that is, if data is irreversibly encrypted, it is considered to be erased. It is possible to apply mechanisms like this to data stored on blockchain, via encrypting pieces of data and then “losing” the decryption key- effectively meaning that the information can never be read.
However, this is a risky solution for organisations. As the data is not actually deleted in this process, but simply rendered inaccessible, it may be vulnerable to future technological developments able to break into its encryption (quantum computing, for example). With this in mind, it is likely that European authorities will insist on a strictly all-or-nothing interpretation of data deletion- meaning that relying on mechanisms such as encryption to achieve compliance would be dangerous.
If neither of these options suffices, businesses can take a more extreme route: remove personal data from the blockchain completely. This does not necessarily mean disposing of blockchain too- one possible workaround, described in more depth here, reduces blockchain to a simple “access control medium”; instead of storing personal information on the chain, links to external databases containing said information can be placed in blocks. As the rules of blockchain no longer apply in these external databases, any information stored like this could be freely deleted or changed at will. The benefits of this approach are clear- it allows for full, uncontested erasure of data, while still retaining some of the functionality of blockchain.
However, as with other options, this is still not a wholly satisfying solution. It creates an inefficient, complex process, and reduces transparency over who is accessing personal data and how- paradoxically creating even more hurdles to GDPR compliance, which also requires that organisations must have accessible and transparent processes for data management. Additionally, removing data from the immutable environment of blockchain gives rise to the same problems faced by Accenture’s “editable blockchain”; external databases can be altered or subjected to fraudulent interference, and so the trustworthiness of the system is undermined.
An uncertain future
So where does this leave organisations who use blockchain? The answer, at this stage, is frustratingly unclear. Every solution detailed above involves either sacrificing the functionality (and benefits) of blockchain or risking the security of personal data. The latter is hardly an attractive option, and if organisations must transform the blockchain beyond recognition to become compliant with GDPR, it begs the question- what is the point in using the blockchain at all? Yet it is hardly practical for authorities to demand that organisations simply stop using blockchain, given its soaring popularity, proven benefits and widespread adoption.
In ethical terms, Blockchain’s immutability is a paradox: on the one hand, it helps to prevent corruption, fraud and theft; on the other, it removes the individual’s rights over his or her personal information. This paradox makes it a complicated system to legislate effectively for, and the current tensions are symptomatic of lawmakers’ struggles to keep up with new developments in the fast-paced and ever-changing world of technology. In this case, it may not just be businesses that need to adapt; legislators too may need to take an iterative and flexible approach to GDPR.
Come May 2018, reconciling GDPR and blockchain will likely be just one challenge among many for both corporations and legislators. Yet as blockchain becomes ever more tightly wound into the infrastructure of major organisations around the globe, it is not a challenge that either can afford to ignore.