Blockchain is a technology that allows information to be recorded while protecting data against tampering, thereby maintaining integrity. While blockchain records information like a database, it differs from a traditional database in that it stores data in blocks that are linked as chains and are theoretically immutable.
Capabilities of Blockchain That Enable or Disable Data Protection
The features of a blockchain, including transparency and immutability, enhance the security of the data that is stored. Further, the integrity of data is maintained through structural and semantic consistency as data is distributed across multiple participating nodes within the network.
On the other hand, the same features can complicate the implementation of a privacy control environment. Areas where clarity may be required include sharing data across borders, establishing a legitimate basis for a processing purpose such as validating information, updating data, and deleting it whenever a natural person on the blockchain requests it.
Data Protection Requirements and Using Them as Guidance to Blockchain Implementation
Some data protection laws across the European Union, India, and other countries may not yet provide guidance on blockchain, as it is a single technology choice for data storage. However, the rules concerning the storage, integrity, and cross-border transfer of personal data can still be applied to blockchain use cases.
In India, the Reserve Bank of India released sector-specific data protection requirements for payment services: “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data must include complete details of the end-to-end transaction, information collected, carried and processed as part of the payment message or instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.” A question that arises in this context is: Can blockchain be safely used in use cases like trade finance, where localization of data is a challenge?
Similarly, in the European Union, the General Data Protection Regulation (GDPR) requires a legal basis for the processing of personal data and also gives people the right to be forgotten by the firm, along with rights to rectification and to restriction of processing. This may create tension with the blockchain's basic characteristic that recorded data is immutable.
However, the definition of personal data differs across regions and countries. In other jurisdictions, such as the U.S., data that can be related to a person with the help of additional information is considered personal data. When using blockchains, a safe way to navigate data protection is to draft data-sharing contracts between controllers and processors, together with an appropriate controller-processor model.
Translating General Protection Requirements into Security Controls on Blockchain
The primary choice of controls associated with securing personal data can be the same as regular databases, including encryption, hashing, and anonymization.
Pseudonymization of personal data is one of the many choices an organization can make to reduce privacy risks. This technique reduces the risk that stored data and identifiers can be used to derive personal characteristics of individuals, because real identifiers are replaced with pseudonyms such as tokens. Moreover, the authority to reverse pseudonyms back into real identifiers can be isolated and restricted to particular staff.
A good practice is not to store contextual data or metadata along with pseudonyms or hashes on the blockchain, which might increase the possibility of deriving the identity of the physical person.
Zero-knowledge proofs can be applied to further obscure the personal data of participants of a transaction on a blockchain. The controller can ensure that only non-personal data can be derived from an entry on a blockchain. In addition, encryption may be used as a security control, making it impossible to derive personal data from a blockchain after the key has been deleted.
Moreover, a preferred approach can be to isolate personal data by not storing it on the blockchain at all, with the other nodes only validating the transactions. In real-time transactions, at least one or two identifiers still exist in each transaction, but these can be modeled as pseudonyms instead of real personal data, thus enhancing privacy on the blockchain.
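The controls described in the last four paragraphs (keyed pseudonyms on-chain, the re-identification authority held separately, personal data isolated off-chain, and encryption with key deletion as the erasure mechanism) combined in one small model, as an added example that is not code from the original article. All names, the `Ledger` class and the sample data are constructed for illustration; the XOR keystream cipher is a stand-in for an authenticated cipher such as AES-GCM so that the example runs with the standard library alone.

```python
# Added example (not from the original article). Keyed pseudonyms on-chain,
# personal data off-chain under a per-subject key, and "crypto-shredding"
# (deleting that key) as erasure. XOR keystream is illustrative, not production.
import hashlib, hmac, json, secrets

PSEUDONYM_KEY = secrets.token_bytes(32)  # held only by staff allowed to re-identify

def pseudonym(identifier: str) -> str:
    """Keyed token; a plain hash of a low-entropy ID (e-mail, phone) is guessable."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:32]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a SHA-256 keystream; applying it twice restores the data."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []  # on-chain: pseudonym, amount and link to previous block only
        self.vault = {}   # off-chain: ciphertext of personal data, keyed by pseudonym
        self.keys = {}    # per-subject keys, stored separately from the vault

    def record(self, identifier: str, personal: dict, amount: int) -> str:
        pid = pseudonym(identifier)
        key = self.keys.setdefault(pid, secrets.token_bytes(32))
        self.vault[pid] = keystream_xor(key, json.dumps(personal).encode())
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"subject": pid, "amount": amount, "prev": prev}
        self.blocks.append({**body, "hash": block_hash(body)})
        return pid

    def resolve(self, pid: str):
        """Re-identify a subject; returns None once that subject's key is shredded."""
        if pid not in self.keys:
            return None
        return json.loads(keystream_xor(self.keys[pid], self.vault[pid]))

    def forget(self, identifier: str) -> None:
        """Erasure request: destroy the key; the immutable chain is left untouched."""
        self.keys.pop(pseudonym(identifier), None)

    def valid(self) -> bool:
        """Integrity check of the hash links, unaffected by any key deletion."""
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["prev"] != prev or block_hash(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True
```

After `forget()`, the on-chain entry still validates but can no longer be linked to the person, which is the property the erasure discussion above relies on.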