Emerging technologies and regulations have the power to create or kill businesses. The EU’s GDPR and blockchain technology, such as Distributed Ledger Technologies (DLT), have the potential for such profound impact. Both the GDPR and blockchain highlight the possibilities and pitfalls of disruption.
GDPR gives individuals the power to access and control the use of their data, while the foundation of blockchain relies on the immutability of data. Viewed side by side, these two concepts are in sharp contrast with each other.
The GDPR has made a great effort by requiring transparency in what companies will do with consumer data. It also mandates clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom, and for what purpose.
GDPR puts ownership of data back in the hands of the consumer, making them more powerful. This same right presents one of the most significant challenges for companies to operationalize. There are obstacles such as backups, legacy systems, and a lack of holistic information governance programs for effective search. Finding and deleting an individual consumer’s data within a single company is possible without fundamentally impacting system functionality, but performing that same operation on a blockchain may be very difficult.
According to reports, another problem is how the GDPR defines the rights and responsibilities of data controllers, processors, and sub-processors. A controller is anyone who determines the “purposes and means” of the processing of personal data, and a processor is anyone who so much as touches the data on behalf of a controller. These roles often overlap. The distinction between controller and processor can be debated in defined business relationships using mature technologies, but the discussion is likely to get messy in a blockchain solution where every node is arguably a processor or possibly even a controller. All of this has yet to be tested through enforcement action, but fines for noncompliance can be levied against controllers and processors, which could cripple a public blockchain solution that stores even pseudonymized personal data.
The GDPR is forcing traditional companies to rethink their business models and their geographic footprints.
Ultimately, lawmakers and technology leaders will have to meet in the middle, with blockchain solutions that store as much personal data off-chain as possible and privacy regulations that allow for a variation on the right to be forgotten that can accommodate this new transformational technology. In the meantime, businesses would be well advised to incorporate a focus on security and privacy in their innovation initiatives.