Navigating data protection compliance with blockchain technology

The European Data Protection Board has adopted guidelines (subject to public consultation) on the processing of personal data through blockchain technologies (the Guidelines).

Although the Guidelines have been developed in connection with EU GDPR, they may still offer useful insights to those exploring the use of blockchain to process personal data in the UK.

Understanding blockchain and EU GDPR

In brief, a blockchain is a digital ledger in which transactions are recorded in blocks and linked in a chain. The technology is decentralised, meaning the ledger is maintained by a network of nodes rather than a single entity. While this offers integrity and transparency, it also creates a risk of non-compliance with data protection laws if the solution is not designed with those laws in mind.

Key takeaways from the Guidelines

  1. Try to avoid storing personal data on the blockchain: Once data is written to a blockchain it is difficult to delete or modify, which can make it hard to comply with certain data protection requirements (e.g. the right to erasure and the right to rectification). Organisations should therefore avoid storing personal data directly on the blockchain. Instead, they should use techniques such as off-chain storage, where the data itself is held outside the blockchain and only references or proofs (for example, a hash or cryptographic commitment) are stored on-chain.
  2. Data protection by design and by default: Organisations must integrate data protection principles into the design of their blockchain solutions. Data subject rights under EU GDPR are technology neutral; therefore, blockchain solutions must be designed so that data subjects can exercise their rights, such as the rights to access, rectify and erase their data.
  3. Roles and responsibilities: It is crucial to clearly define the roles and responsibilities of all parties involved in the blockchain network for each processing activity carried out on the blockchain.
  4. Data subject rights: EU GDPR grants individuals rights over their personal data. The immutability of a blockchain can make it difficult to honour these rights, so organisations need to find ways to allow data subjects to exercise them.
  5. Data Protection Impact Assessment (DPIA): DPIAs are required where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Before implementing blockchain technology, organisations should consider whether they need to conduct a DPIA (and keep it under review) to identify and mitigate potential risks to data subjects' rights and freedoms, or whether an alternative technology would be more appropriate.

While blockchain technology offers many benefits, its use in processing personal data must be carefully managed to comply with EU GDPR. For those considering blockchain technology, the Guidelines set out a useful framework of key considerations for EU GDPR compliance.

The Guidelines and public consultation may be accessed here.
