Skip to main content

How to Build GDPR Compliant Enterprise Blockchains

BlockApps helps enterprises navigate the EU GDPR regulation.

The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018 and is designed to protect all EU citizens from unscrupulous use of their personal data. With a maximum penalty of €20 Million, or 4 percent of annual global revenue, for those who breach the GDPR terms, EU businesses are taking extra precaution to operate in accordance with the GDPR guidelines.

But what does this mean to businesses who may utilize customer data for their enterprise blockchain networks? How can enterprises still leverage the benefits of smart contracts and distributed ledgers while keeping private data secure?

Blockchain and GDPR

By building a system of data validation rather than data storage, enterprise consortium blockchain enables parties to enforce GDPR while still utilizing the advantages of blockchain. Businesses can create a validated distributed ledger of information across their network, without ever having to store any personal information directly on their blockchain.

Regardless of the Personally Identifiable Information (PII) that may be secured and stored in private databases off-chain, or in the event that this personal data is deleted, the enterprise blockchain will still have a record of the validated agreement.

In other words, it’s not an individual’s data that stored, but rather confirmation that the data was accurate.

“Blockchain applications can help with GDPR compliance if they are architected properly,” says BlockApps Founder Victor Wong. “Enterprise blockchain can create a place to validate private information without ever having to keep a direct copy of that information on-chain.”

In the event that enterprise do need to store and secure PII on their blockchain, private permissioning would ensure that the data is only shared with relevant network members on an as-needed basis. This is less about sharing PII across a network and more about restricting it to only relevant parties.

Since a public chain deals with an innumerable amount of transactions, having private chains, moderated by selected members, ensures that only specific entities on a given blockchain may see different forms of information.

Even if private data needs to be stored, only permissioned members of that network would be able to see it. This means PII data could be encrypted and secure on a blockchain without needing to be visible to the public.

If there is a data dispute, verification information can be used to confirm the validity of the initial information without actually needing access to the personal data. Blockchain attestation can include having users on the network create verified profiles which store PII privately, as well as peer attestation—which assigns trust of profile based on a score of those participating on the network.

While no one solution may fit an enterprises business needs, a combination of these approaches ensures value is transferred correctly within the GDPR guidelines.

How Does It Work?

Let’s use a bank as an example. As a financial institution, you’ll hold a variety of personal information from your customers. Everything from account numbers to home addresses and phone numbers are considered PII under the GDPR. But you do not have to store this information on a blockchain, you just need to store a pointer or a verified hash, and a signature, that validates the data.

Now let’s say there is a dispute regarding a transaction between two consortium account members who have two different versions of the same document. Using a blockchain hash, we can confirm which version of that document is true. The digital signatures on the blockchain will show us which version of the doc was agreed upon.

In the event the original PII data was deleted, the blockchain transaction will still have recorded the verification signature without the specific PII information.

Bottom Line

In an increasingly data-driven world, the GDPR framework aims to create a uniform regulation of information with an emphasis on individual control over the use of their personal data.

“Leveraging blockchain is not only compatible with GDPR but can, in fact, aid in GDPR compliance by using the data-validation methodology,” states BlockApps CEO, Kieren James-Lubin.

Enterprises must design systems that comply with GDPR from the beginning by ensuring PII is protected and verified. This is not something that can be tacked on later— which may result in organizations having to start a whole new blockchain ledger and potentially face penalty fines.

Working with large-scale, multinational enterprises gives BlockApps an unique understanding of how to incorporate these regulations into scalable blockchain solutions.