The General Data Protection Regulation, or GDPR for short, will come into force across Europe from 25 May 2018. GDPR gives individuals more control over data held about them by organisations. Individuals will be able to order an organisation to carry out a range of actions with their data including exercising their ‘right to be forgotten’; to have the organisation delete all the data it holds about them.
At Studio Block we work on blockchain technology; digital data-stores with a high data-integrity where information can’t be deleted even if you want to do so. GDPR and blockchain seem to be at loggerheads with one another.
The key to the puzzle is anonymous data. Truly anonymous data does not count as personal data in the eyes of the GDPR. The new law applies to ‘information relating to an identified or identifiable natural person’. The key part is that term; ‘identifiable’. It does not apply to data that ‘does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.’
Interestingly GDPR talks about the data owner being a ‘natural person’. The definition of this is a ‘human being; a real and living person, possessing the power of thought and choice’. So, if you die, no one else has GDPR rights over your data and companies can continue holding the data of the dead. In contrast, the exact meaning of ‘anonymous’ is not well defined. Just removing a name from some data does not necessarily make it anonymous (the combination of age, gender and postcode is enough to exactly identify 87% of the USA population). In the terms of GDPR, data is anonymous if you can’t process it and link it to someone by legal means, for example by cross referencing it with other data that you have a legal right to use.
There was a ruling in Germany recently where dynamic IP addresses were classed as personal data because a website operator has the legal means (via the ISP) to identify the visitor whos IP address it was.
Pseudonymisation is a sort of half-way house to anonymous data. It means storing the identity items of the personal data separately from the main body of the personal data and then linking them together in the system with some sort of association. Any request for deletion of data can be fulfilled by deleting just the identity items, leaving the rest of the data present in the system as non-personal, anonymous data (it actually still is personal data in a way, but you just don’t know whose it is).
Pseudonymisation reduces risks with data storage but it doesn’t automatically make data exempt from GDPR. The data complies with GDPR only if it is pseudonymised correctly, i.e. when you get rid of the key record then the remaining data becomes truly anonymous. Once again the GDPR is clear that if you can cross reference with other data sources and get the person’s identity then pseudonymisation isn’t really pseudonymisation:
“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person” (or in other words ‘If you’ve pseudonymised it but you can still work out who it’s about then it hasn’t really been pseudonymised!’).
For example, if you pseudonymised some information simply by taking the name details out of it but left the address in it, then that data would still count as personal data because someone could legally get hold of voter records and link that address to the person.
The conclusion seems to be that blockchain can be used in a post GDPR world but that you have to tread carefully and plan all your data structures and processes with the restrictions of GDPR in mind at all times. This mindful approach to developing data systems is itself enshrined as part of the GDPR legislation.
A final thought to ponder on is that if appropriate care is not taken and personal data ends up on the blockchain, then the very nature of the blockchain itself makes conventional prosecutions difficult. As a blockchain is not really owned by anyone and as it is stored in multiple copies on different computers then who should get prosecuted under GDPR? The person with a copy on their machine? The creator? And even though fines can be levied, the blockchain can’t be undone, the data on the blockchain will always be there.