The Inner Circle


Blockchain/DLT and GDPR

  • 1.  Blockchain/DLT and GDPR

    Posted 22 days ago

    I'm getting through this large document that was recently shared with me, but it hits on some great points on how Blockchain/DLT can meet privacy requirements, but also the challenges decentralization has with GDPR.


    Just wanted to share this now so others can help dissect it and provide thoughts before I make it through the 120 pages lol. It is from last year but still has relevancy worth discussing.

    Attachment(s): EPRS_STU(2019)634445_EN.pdf (PDF, 1.09MB)


  • 2.  RE: Blockchain/DLT and GDPR

    Posted 19 days ago
    "...the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements, such as Articles 16 and 17 GDPR. Blockchains, however, render the unilateral modification of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Furthermore, blockchains underline the challenges of adhering to the requirements of data minimisation and purpose limitation in the current form of the data economy."

    This is very intriguing. @John DiMaria and @Kurt Seifried I'm curious to hear what your thoughts are. It seems like John Y. said there's some inherent tension between GDPR and Blockchain as well as some benefits.

    ------------------------------
    Elisa Morrison
    Digital Marketing Specialist
    CSA
    ------------------------------



  • 3.  RE: Blockchain/DLT and GDPR

    Posted 19 days ago
    So... yeah. I've actually run into this, with data in Git (which has certain blockchain-like properties; mostly it's missing a consensus/distributed mechanism, but the data in it cannot be modified without breaking the hashes/etc).

    The solution was to update it and "remove" the data the person wanted removed, so it was still in the older data (e.g. looking at a specific commit would view it) but looking at the "current" data would not show it. So that's one possible option.

    A second solution is to use a blockchain that blinds personal data, like https://opencpes.com/ (a CloudSecurityAlliance Labs project).

    A third option is to use a blockchain that allows for modification or deletion of older data; these systems are not popular or mature yet, but there are a variety of patents on these.

    A fourth option would be to invoke the "business need" aspect that GDPR allows.

    The best and most likely solution for most people will be to blind data in the manner OpenCPEs does or use similar strategies.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    kseifried@cloudsecurityalliance.org
    ------------------------------
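
The first option in the reply above, as an added example that is not part of the original thread: a minimal hash-chained log (a simplified stand-in for Git's commit hashing, with hypothetical function names and constructed sample records). It shows that a later "remove" entry hides the data from the current view while older entries still hold it, and that editing an old entry in place breaks verification.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder parent hash for the first entry

def entry_hash(prev_hash, payload):
    # Each entry's hash covers its payload and its parent's hash.
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload,
                  "hash": entry_hash(prev, payload)})

def verify(chain):
    # Recompute every hash; any edit to an old payload is detected.
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["payload"]):
            return False
        prev = e["hash"]
    return True

def current_view(chain):
    # Replay the log: what a reader of the "current" data sees.
    state = {}
    for e in chain:
        p = e["payload"]
        if p["op"] == "set":
            state[p["key"]] = p["value"]
        elif p["op"] == "remove":
            state.pop(p["key"], None)
    return state

def history_contains(chain, value):
    # What a reader of older entries (a specific commit) can still see.
    return any(e["payload"].get("value") == value for e in chain)

def scrub_in_place(chain, index):
    # Attempt a true erasure by rewriting an old entry (on a copy).
    tampered = [dict(e, payload=dict(e["payload"])) for e in chain]
    tampered[index]["payload"]["value"] = "[erased]"
    return tampered

def build_demo():
    chain = []  # constructed sample records
    append(chain, {"op": "set", "key": "user:1001", "value": "alice@example.test"})
    append(chain, {"op": "set", "key": "user:1002", "value": "bob@example.test"})
    append(chain, {"op": "remove", "key": "user:1001"})
    return chain
```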