Companies and startups that implement blockchain carry the same GDPR burdens as any other company. They should all limit automated data collection and define the rules for processing it. Blockchain technology companies must introduce data protection measures and notify users of data breaches. They should also provide data reports and deletions upon request.
Blockchains themselves can be either GDPR-compliant or GDPR-non-compliant, depending on the data recorded on them. If you were to submit personally identifiable data to a blockchain and permanently record it there, it would be challenging to have it removed later. On the one hand, such permanent storage doesn’t comply with GDPR principles; on the other hand, blockchain can be very helpful in terms of data security. Having a decentralized database could dramatically decrease the chances of being hacked.
Experts have split into two camps. Some say that blockchain can revolutionize the way we think about personal data. Others state that the GDPR and blockchain aren’t compatible. Here are some of the answers to the question “Can the GDPR kill the blockchain?”
Erik MacKinnon, Director of Growth at Blockmason
“In short, no. If anything, legislation like the GDPR proves the need for decentralized, anonymous and/or privacy-focused blockchain technologies. Although legislation rarely proves effective in curtailing hacks and data theft.
It seems like every day there’s another example of a large company with big data doing very little to responsibly secure and protect it. Just today I read that Ticketmaster suffered a hack and 40,000 people had their data stolen. It’s crazy.
A significant first step for many companies would be to decentralize their critical user data so that it’s not all stored in a single, hackable database. By leveraging existing blockchain technologies, a company like Ticketmaster could have avoided disaster”.
Alan Majer, Good Robot Founder
“For blockchain practitioners, the implications are very clear: don’t store personal data in the blockchain. The ‘forever’ nature of blockchain data is incompatible with the requirement that personal data must be erasable. The best strategy is to keep it out of the blockchain in the first place.
However, it’s virtually certain that someone, somewhere, is going to put personal data into the blockchain. Regulators will not want to hear that the blockchain is exempt or that data can’t be deleted. So when it happens, it’s going to create a problem. Even if one can punish the party responsible for it, it may not be possible to correct by removing the data. The genie is really already out of the bottle. I think it’s unlikely that the GDPR will ‘kill’ the blockchain any more than we could shut down the entire internet. Ensuring that blockchain practitioners have adequate data management and privacy practices in place will go a long way to preventing these types of issues.
At this early stage, it’s hard to say whether the GDPR will create more harm than good. Maybe someday nations will want to keep personal identities and certifications in the blockchain itself because of their permanence and resistance to forgery. Current approaches to personal data certainly warrant caution. So we also need to ensure that premature regulation doesn’t cut us off from innovative possibilities later”.
Obviously, the question is not how to store personal data but the lack of a legislative foundation. No matter how innovative the solutions are, if there are no laws that regulate how companies should process personal data, everything is for nothing.