• Posted Feb. 18, 2020

Study: Building a Blockchain Application that Complies with the EU General Data Protection Regulation

The researchers attempted to find out if the regulations of GDPR conflicted with the features and benefits of blockchain technology. They gathered evidence from workshops, meetings, documents, and interviews. The outcome is that third-party services that provide permissioned pseudonyms are indeed able to avoid storing personal information yet provide the shared ledgers needed for blockchains.

Complying with the EU General Data Protection Regulation (GDPR) poses significant challenges for blockchain projects, including establishing clear responsibilities for compliance, securing lawful bases for processing personal data, and observing rights to rectification and erasure. We describe how Germany’s Federal Office for Migration and Refugees addressed these challenges and created a GDPR-compliant blockchain solution for cross-organizational workflow coordination. Based on the lessons learned, we provide three recommendations for ensuring blockchain solutions are GDPR-compliant.

General take-aways:

• Blockchain technology offers a promising alternative to centralized systems
• Legal barriers can arise, such as those from the General Data Protection Regulation (GDPR) in the European Union
• Those barriers can appear to conflict with the basic properties of blockchain technology
• However, the challenges can be resoluved by creating GDPR-compliant solutions

Three recommendations are offered for managing and designing GDPR-compliant blockchain solutions:

1. Avoid storing personal data on a blockchain
2. A blockchain solution that needs to process personal data should use a private and permissioned pseudonymization approach
3. A blockchain solution that needs to coordinate across organizations should use a private and permissioned pseudonymization approach