These precise characteristics, inherent to this node technology, have direct repercussions on the right to protection of the personal data that become part of the blockchain. In some cases the impact is extremely positive; in others it poses challenges not only for industries, but also for control authorities.
First, a brief introduction: personal data protection is a fundamental right (inherent to people) that, on the one hand, gives them the ability to decide how their data are managed and, on the other, grants them the power to bar third parties from using their data beyond what is permitted, that is, for purposes different from those for which they are being compiled.
These powers translate into a series of rights that people can exercise with the party using (processing) their personal data, such as accessing, deleting or modifying them. They also create a series of obligations for data controllers (the people who decide which data are processed and for what aims).
This series of rights stemming from data protection makes us wonder: how does blockchain come into play and interact with these rights? Below, we detail a few principles that are strengthened by this type of technology, along with the challenges.
Blockchain as a personal data security guarantee
A key requirement for complying with regulations is the ability to guarantee the security of the data being processed and to prove it. This is known as the proactive responsibility principle.
It is undeniable that blockchain technology contributes enormously to the task of ensuring that processing is done with the full security guarantees required by regulations, and provides the ability to prove this. Security schematically translates into three core areas that are set out in the GDPR: availability (people have access to their data and they are “available” when needed), integrity (data are not altered or deleted for unjustified reasons) and confidentiality (data are not disclosed to third parties without authorization).
There are also two additional angles in the world of security: traceability (ability to detect changes) and authenticity (ability to guarantee truthfulness).
Blockchain lets each block (or “node”) store an exact copy of the chain, so that in the event of a cyberattack or cyber incident, the data will continue to be available in the rest of the nodes, thus fulfilling the availability principle.
Moreover, because the data are records agreed by consensus, an attacker who wants to change data must modify at least 51% of the blocks in the entire chain. And, if they are altered, there will be proof. This upholds the principle of integrity.
Since these personal data are encrypted when they are added to the chain, this then guarantees their confidentiality.
Finally, it is clear that the data will have a guarantee of authenticity, since any change to the information in a node must be verified and approved by all the other nodes. Further, the traceability of all information can be ensured, due to the continuous replication of the chain.
In conclusion, while we must bear in mind that one of the tenets of security is that all technology is vulnerable, blockchain is indeed a robust and advantageous technology in this area.
Challenges: How to adapt technology to regulations?
This is one of the main challenges that sectors must consider when using blockchain to guarantee security.
The nature of blockchain technology makes it technically impossible to handle a request from an interested party to rectify or delete their data. Nonetheless, there are other possibilities such as marking the data, so that there is proof that they have been modified, recording data while encrypted, or using multiple IDs (in which some data are anonymous and others are not) to ensure that interested parties never lose control over their data.
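The integrity guarantee and the "marking" approach to rectification described above can be seen on a single copy of a hash-linked chain. This is an added example, not code from the original article or from DataPorts; the function names, pseudonymous subject IDs and values are constructed, and consensus and replication across nodes are not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first block (constructed)

def block_hash(index, prev_hash, record):
    """SHA-256 over the block's position, its link to the previous block, and its record."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, record):
    """Add a record as a new block linked to the current tip; nothing is edited in place."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": block_hash(index, prev, record)})
    return index

def rectify(chain, target_index, new_value):
    """Handle a rectification request by appending a marker that supersedes an earlier block."""
    subject = chain[target_index]["record"]["subject"]
    return append(chain, {"subject": subject, "value": new_value, "supersedes": target_index})

def first_broken_block(chain):
    """Return the index of the first block whose hash or link fails, or None if intact."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(block["index"], prev, block["record"]):
            return block["index"]
        prev = block["hash"]
    return None

def current_value(chain, subject):
    """Resolve the value in force for a subject, skipping blocks that a marker supersedes."""
    superseded = {b["record"]["supersedes"] for b in chain if "supersedes" in b["record"]}
    live = [b for b in chain if b["record"]["subject"] == subject and b["index"] not in superseded]
    return live[-1]["record"]["value"] if live else None

def demo():
    chain = []
    append(chain, {"subject": "pseudonym-a1", "value": "berth 4"})  # constructed sample data
    append(chain, {"subject": "pseudonym-b2", "value": "berth 9"})
    rectify(chain, 0, "berth 7")             # marked correction; the old block stays as proof
    intact = first_broken_block(chain)       # chain verifies before any tampering
    chain[1]["record"]["value"] = "berth 1"  # in-place edit on this copy, with no marker
    return intact, current_value(chain, "pseudonym-a1"), first_broken_block(chain)

if __name__ == "__main__":
    print(demo())
```

The marked correction leaves the chain verifiable and changes the value a reader resolves, while the unmarked in-place edit is reported at the block where the stored hash no longer matches.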
Another challenge is how blockchain clashes with the principle of minimizing the time data are kept. According to the General Data Protection Regulation (GDPR), data must be deleted when the period of time on which their processing was based ends. In this regard, several control agencies have already made statements concluding (without a firm determination that it would be incompatible) that, since the storage period in a blockchain cannot be further minimized, this period is essentially how long the blockchain itself exists.
In conclusion, blockchain is a disruptive technology that provides numerous advantages to DataPorts in terms of productivity, agility and, in short, competitiveness, but also in terms of security and privacy.
Advances and detailed studies will progressively provide guidelines for improving compliance methods in the areas that are still unclear. Meanwhile, the main issue is to have a solid compliance strategy based on a data governance framework and a culture of proactive responsibility, along with strict compliance with the duty of transparency. This will guarantee that interested parties know which organization they can turn to in order to exercise their rights effectively, and the data protection authorities must have contact points with these organizations.