Is Blockchain GDPR Compliant? | Analyst Notes | Deep Analysis

Is Blockchain GDPR Compliant?

One of the most common objections to using blockchain in the enterprise is that it is not GDPR (or HIPAA etc.) compliant. Except that this is not true. What has usually happened is that somebody within an enterprise has read an article somewhere by a legal ‘expert’ stating that blockchain is not GDPR compliant.

I am not a legal expert, but I know for sure that no information management application is, in itself, compliant with regulations. It is the data and files it processes, and the people responsible for that processing, that are compliant or non-compliant with the law, not the technology.

This confusion regarding blockchain appears to come from a misunderstanding of how blockchain is actually used, and in fairness it is an easy misunderstanding to make. It hinges on the immutability of a blockchain: the concept that a record, once written, can never be changed under any circumstances. Records on a blockchain are indeed immutable and unchangeable. So if, for example, you were to store PII (Personally Identifiable Information) on a blockchain, where it could never be changed or removed, that would not be compliant with GDPR.

However, that is not what happens in Information Management practice at all. The record, file, data, or document is itself typically not stored on the blockchain. Rather, it stays wherever it lives now, for example in SharePoint or Box. What is stored on the blockchain is a cryptographic hash of the file, which serves as a pointer to it, nothing else. You don’t, and should not, store PII on a blockchain, and to the best of our knowledge nobody does. That being said, you can store files on a blockchain; our recent report on DataGumbo details a vendor that does just that, compliantly. But as a general rule of thumb in the Information Management world, files are not stored on the blockchain, and PII data should never be. Exactly the same can be said of storing regulated PII data on WORM (write once read many) storage or any other form of immutable storage.
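As an added example (not the article's or any vendor's code), here is a minimal Python sketch of the pattern described above: the file stays off-chain, only a commitment goes onto an append-only, hash-chained ledger, and an erasure request deletes the off-chain copy while the ledger is never touched. It goes beyond the text in one respect, assumed here rather than stated by the article: the on-chain value is a keyed HMAC rather than a bare hash, and the last function shows why a bare hash of low-entropy PII is a weak choice. Store names, record ids and file contents are constructed for the example.

```python
import hashlib, hmac, secrets

# Constructed stand-ins, not the article's systems: the off-chain store (SharePoint/Box
# in the text) is a dict; the ledger is an append-only, hash-chained list.
OFF_CHAIN_STORE = {}   # record_id -> file bytes (may contain PII)
RECORD_KEYS = {}       # record_id -> per-record secret key, also kept off-chain
LEDGER = []            # entries are only ever appended, never edited
GENESIS = "0" * 64     # hash-chain value that the first ledger entry links to
def _entry_hash(prev, record_id, commitment):
    return hashlib.sha256(f"{prev}|{record_id}|{commitment}".encode()).hexdigest()

def anchor_record(record_id, content):
    # File stays off-chain; only a keyed commitment (HMAC-SHA256) goes on the ledger. Keyed
    # rather than a bare hash (assumed hardening beyond the article): no key, no re-linking.
    key = secrets.token_bytes(32)
    commitment = hmac.new(key, content, hashlib.sha256).hexdigest()
    OFF_CHAIN_STORE[record_id], RECORD_KEYS[record_id] = content, key
    prev = LEDGER[-1]["entry_hash"] if LEDGER else GENESIS
    entry = {"prev": prev, "record_id": record_id, "commitment": commitment,
             "entry_hash": _entry_hash(prev, record_id, commitment)}
    LEDGER.append(entry)
    return entry

def ledger_intact():
    # Immutability check: every entry must hash-chain to its predecessor.
    prev = GENESIS
    for e in LEDGER:
        if e["prev"] != prev or _entry_hash(prev, e["record_id"], e["commitment"]) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def verify_record(record_id):
    # Recompute the commitment from the off-chain copy and compare with the ledger.
    content, key = OFF_CHAIN_STORE.get(record_id), RECORD_KEYS.get(record_id)
    if content is None or key is None:
        return False   # copy or key gone: nothing can be verified or re-linked
    expected = hmac.new(key, content, hashlib.sha256).hexdigest()
    return any(e["record_id"] == record_id and hmac.compare_digest(e["commitment"], expected)
               for e in LEDGER)

def erase_record(record_id):
    # Erasure: delete the off-chain copy and its key; the ledger entry itself is never touched.
    for store in (OFF_CHAIN_STORE, RECORD_KEYS):
        store.pop(record_id, None)

def bare_hash_guessable(content, candidates):
    # Caveat not in the article: a bare SHA-256 of low-entropy PII is matched by hashing guesses.
    on_ledger = hashlib.sha256(content).hexdigest()   # what a bare-hash design would store
    return any(hashlib.sha256(c).hexdigest() == on_ledger for c in candidates)
```

After `erase_record`, the ledger still verifies for every remaining record and its chain is unbroken, while the erased record's entry can no longer be recomputed or linked to anything.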

Compliant enterprise software is an old canard that comes up regularly. In the early ’00s, a slew of software firms were selling Sarbanes-Oxley ‘compliant’ systems. Except, of course, they were not; they were selling software systems that you could potentially use compliantly in a SOX-regulated environment. Generally speaking, any software or storage system is, in effect, agnostic to regulations. You can use it compliantly, or in a manner that is non-compliant.

Blockchain is still an emerging technology in the world of Information Management, but it has huge potential. At heart, its value proposition is simple and twofold. Blockchain provides:

Distributed Trust & Immutability

That doesn’t sound like much, but it marks a pivotal moment for Information Management. The use of blockchain in information management potentially means eliminating swathes of unnecessary business documents; it means much faster transactions, lower costs, and, ironically, more, not less, compliance with regulatory requirements, as any violation will be immutably recorded!
