Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

How firms can navigate the Blockchain, GDPR conundrum

By Phil Beckett, MD Disputes and Investigations, Alvarez and Marsal

Blockchain and GDPR are in vogue. No one can escape their mention.

Since the GDPR’s implementation in May, we’ve heard story after story about firms not being prepared or worse, ignorant to the changes in the law.

Blockchain, on the other hand is a more positive story.

It’s being hailed as a game-changer in financial services and is becoming a truly global force for good, helping to reduce the likelihood of business fraud.

However, there have been mumblings that maybe these two juggernauts are on a collision course, as on the face of it, they could be incompatible.

But why? Because Blockchain’s unique selling points seem to directly contradict a key facet of the GDPR – the right to be forgotten.

Under the GDPR, individuals have the right to request that their data is permanently deleted from a company’s records within a timely period (30 days). For most firms, this is a reasonably simple request. However, for Blockchain, this request is anything but simple. Firstly, Blockchain is designed to never forget, which theoretically is in direct violation of a deletion request. Its decentralised system is the stumbling block, as editing the chain breaks it, and therefore undoes the good of the ledger. Add to the issue that Blockchain saves data across multiple nodes (and therefore servers), and you can see that truly deleting information is a considerable issue when operating a publically operated Blockchain.

So what’s the remedy?

One way to get around this issue would be for Blockchain to modify how it operates, which would mean implementing a centralised back-end system. This would allow data to be anonymised without breaking any chains, and seemingly navigate the glaring problem. But, it would mean a significant overhaul of how the platform is implemented and in my view, legally it’s not necessary.

I believe the crux of the issue revolves around how firms use Blockchain. Firstly, the argument can’t be pinned just on Blockchain’s ‘faults’ – we need to look at the wider legal issue. Under the GDPR, increased emphasis has been put on data controllers (i.e. firms) and the requirement to process data legally and fairly. In this example, Blockchain is not the controller or processor, it’s the application. So, the argument really needs to focus on who controls and processes the data – and that is companies using the technology. Businesses utilising private Blockchains control its implementation and use, so data responsibilities ultimately lie with them.

Therefore, any data deletion requests need to be judged on a case-by-case basis, to address the nitty-gritty of the GDPR – is the business legally compelled to retain the data? Tax records would be a good example of a yes, as HMRC demands companies keep this information for seven years. For more everyday uses, such as project management, then the answer is more likely no, as the data soon becomes obsolete, meaning it should be deleted.

The real focus needs to be on how firms are using Blockchain. Whilst it’s evident that the GDPR and Blockchain don’t work seamlessly together, legally they’re not polar opposites. So, my advice to firms? Know the GDPR and understand how it impacts applications built on technologies such as Blockchain at the outset. Understand what data the GDPR lets you keep and not, and work within the parameters set out by the law to avoid compliance issues. We live in such a fast-paced society that changes are afoot, but data is something firms can no longer afford to play fast and hard with, as put simply it’s the next oil. As Voltaire said, with great power comes great responsibility, and the GDPR is there to police just that.