How Does GDPR Affect Blockchain And Cryptocurrency?

Since the advent of the General Data Protection Regulation (GDPR) regulation, organisations, both large and small, have been affected, including companies involved in blockchain and cryptocurrency that have to ensure that their infrastructure is GDPR compliant.

Blockchain And Cryptocurrency

The fundamental logic behind blockchain is its security and encryption that makes data unreadable to others without the decrypt key, which will return the encrypted data to its original context. Transactions once written to the blockchain are unchangeable, they cannot be deleted, as this would corrupt the blockchain. Data Subject Access Requests (DSAR) is one of the data subject rights conferred under the General Data Protection Regulation (GDPR). Data Subject Access Requests (DSAR) is one of the data subject rights conferred under the General Data Protection Regulation (GDPR).

With the blockchain, an individual can review the complete audit trail of the cryptocurrency transactions for example; this gives complete transparency to all blockchain and cryptocurrency transactions that are written to the public blockchain. Transparency on private blockchains is different, as access becomes limited to those with access to the private key.

GDPR Implications

The regulations and rules of the GDPR are well documented with one of the fundamental values being the right to have your personal information erased. Organisations should perform a GDPR audit on a regular basis to identify the key risks and determine how to mitigate these risks. Another key element of the GDPR is the regulations behind how your data can be transferred outside the EU.  With websites, for example, this can be easier to manage, but with blockchain and cryptocurrency, this becomes more complex as there is no control over where the nodes of the blockchain are hosted.  These nodes could be located anywhere worldwide!

When the GDPR regulations were formalised, blockchain was in its infancy as it is likely this was not fully considered by the decision-makers.  The GDPR regulations presumed it would always be possible for data privacy to be maintained by deleting unwanted data. With the data written to the blockchain, this is most certainly not the case.

How Do You Ensure That Blockchain And Cryptocurrency Are GDPR Compliant?

GDPR effects on what can be stored on the Blockchain. In line with the GDPR Regulations, personal data should not be written to the Blockchain, as the data cannot be amended or erased once written. Organisations need to put in place GDPR compliant policies and procedures to ensure that they are compliant and could use policy generators to do so.

A possible solution for blockchain and cryptocurrency transactions is that the personal data is not stored on the blockchain, but personal data is stored externally to the blockchain but linked by a reference generated on the blockchain.

The Goal Of GDPR

The GDPR’s main goal is to return the ownership of personal data to the individuals. One of the critical elements of the GDPR is the right to have your personal data erased. The blockchain relies on the encryption keys, by no longer having access to the encryption keys, this makes the data inaccessible. But this is still not sufficient to be classed as data erasure. As the personal data will always be stored on the blockchain.