Will GDPR and blockchain have a common future?
Blockchain is a technology, by definition, unable to forget and resistant to censorship. These characteristics, its versatility, its being suitable for use in many fields, and the Bitcoin explosion have determined its rise in recent years. At the same time, attention has grown in recent years, especially in Europe, towards the protection of personal data.
Blockchain is a technology, by definition, unable to forget and resistant to censorship. These characteristics, its versatility, its being suitable for use in many fields, and the Bitcoin explosion have determined its rise in recent years. At the same time, attention has grown in recent years, especially in Europe, towards the protection of personal data.
The challenge that awaits us in the coming years concerns the need to find a balance between two needs apparently still so far one to each other: supporting innovation (through the use of blockchain) without forcing it within an inflexible regulatory framework (the GDPR).
Why are blockchain and GDPR still so far ? To understand that let’s briefly describe them.
A blockchain is a type of distributed ledger technology (DLT) that consists of growing list of records, called blocks, that are securely linked together using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data The timestamp proves that the transaction data existed when the block was created.
- Blockchain, the Wikipedia definition
The advantages that this technology is able to guarantee, compared to a centralized technology, are:
1. decentralization
2. disintermediation
3. transparency (the register is spread throughout the network)
4. immutability of the recorded data
5. traceability of transfers

Existing blockchains are categorized based on the presence of a third party able to select the participants as:
1. public blockchains, so-called permissionless where access is guaranteed to anyone who has an interest
2. private blockchain, so-called permissioned: they are characterized by the presence of a trusted third-party authority that decides who can access the network
3. hybrid blockchains

The GDPR Regulation EU 2016/679 of the European Paliament and of the Council is the most recent step of the community path of protection of personal data started in 1995 with Directive 95/46 / EC (General Data Protection Regulation), which unified the rules on circulation of personal data in Europe. The GDPR defines 3 different roles in data privacy, which are, according to art.4:
1. Data subject: the individual whom the data refer to;
2. Controller: the natural or legal person, […] which determines the purposes and means of the processing of personal data;
3. Processor: the natural or legal person […]which processes personal data on behalf of the controller;

The model depicted by GDPR is centralized, the controller is the only one accountable for data processing.
Article 5 of the GDPR depicts the principles relating to processing of personal data, imposing that personal data shall be:
• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• processed in a manner that ensures appropriate security of the personal data

As a matter fact after this first quick analysis GDPR doesn’t seem to be applicable through a blockchain technology given the following divergences:
  • Centralized (controller is accountable)
  • Data must be kept up to date, and erased when not in use
  • Kept secure and minimized
  • Distributed
  • Immutable/unable to forget
  • Transparent
However, it is desirable that the legislator keeps blockchain technology in mind and verifies the compatibility of the future developments of privacy legislation towards it.
As a matter of fact, the blockchain could probably be of help in facing the following challenges:
1) from an ethical point of view, few large companies (mostly social networks) are nowadays concentrating a gigantic amount of data on them, a decentralized model looks to many much more fair.
2) from an operational point of view, small and medium enterprises, with the role of data controllers find many difficulties trying to be compliant with GDPR because of their limited skills and resources in data protection; blockchain could provide some practical solutions for processing personal data in compliance with GDPR.

Let’s see if GDPR and blockchain will continue their journey on parallel tracks or if sooner or later they will meet.