By Harika Narumanchi and Nitesh Emmadi

Blockchain may be only 10 years old but it’s already proving to be key in helping businesses transform in the digital age.

It is built on a distributed ledger: many copies of a permanent record that can never be erased.

Using a large number of computers, each holding encrypted records, blockchain removes the need for intermediaries. Not only does that make processes and transactions much faster, but it dramatically reduces costs too. Each computer in a blockchain contains a permanent record, making transactions traceable and transparent.

The permanence of these records may appear to conflict with the EU’s General Data Protection Regulation (GDPR).

However, there are ways of avoiding problems in this area: keep the record of each transaction while deleting the personal data associated with it.


Monitoring financial deals

Under the right to be forgotten, people can request that any personal data held about them by a third party be deleted, if there is no compelling reason to continue holding that data.

GDPR says a person can request their data be deleted if they withdraw their consent or if it is no longer needed for the purpose for which it was originally collected.

A crucial exception is where personal data is held by an organization to fulfill a legal obligation such as being able to identify a person involved in a financial transaction.

In centralized systems, erasing data is straightforward. But in a blockchain, where data about an individual person may be distributed across hundreds of devices, a different approach is needed.

The key to deletion

The permanence and traceability of data are fundamental to blockchains. So can encryption help users comply with the regulation? The answer may lie in pseudonyms: identifiers, derived for example from a public key, that represent individuals on the chain while hiding their real identities.

Pseudonyms in general cannot be linked back to the original identities. The algorithms used to generate them make it very hard to reverse engineer a pseudonym and identify the person it refers to.

One way of ensuring compliance is to permanently record a transaction while removing the personal data associated with it, using features such as off-chain storage: the personal data itself lives in a store outside the chain, and only a reference or hash of it is written to the ledger, so the off-chain copy can later be deleted.

Proper use of encryption and key management can make deletion quick and simple. In theory, if a properly reviewed and agreed system is in place, erasure of selected data can be guaranteed by securely deleting the keys that encrypt it.

Another option is to use tools such as a Chameleon Hash, a hash function with a trapdoor that lets an authorized party replace the real information with fictitious data without changing the resulting hash, removing an individual’s personal details from the system. This upholds the right to be forgotten while preserving the integrity of the blockchain.

Much like how a chameleon camouflages itself in the wild, Chameleon Hash hides in plain sight by replacing real data with fictitious data in the blockchain. (Credit: Shutterstock)
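As an added illustration (not the authors’ code, and not any particular blockchain’s implementation), the toy Python below shows the chameleon-hash redaction described above and how it relates to the key-management point before it: the data controller holds a trapdoor key, so it can replace a block’s personal-data payload with a placeholder and recompute the randomiser such that the block’s hash, and therefore every chain link that depends on it, stays unchanged. The group parameters, record contents and placeholder text are constructed, and the group is far too small for real use.

```python
# Toy Krawczyk-Rabin chameleon hash (discrete-log based): the trapdoor holder
# can find a second input with the same hash, which lets a block's personal
# data be swapped for a placeholder without breaking the chain of hashes.
# Parameters are constructed and far too small to be secure: illustration only.
import hashlib
import secrets

P = 2039  # toy safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup used for exponents
G = 4     # quadratic residue mod P, so it generates the order-Q subgroup

def keygen() -> tuple:
    """Trapdoor x stays with the data controller; y = g^x is published."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def digest(data: bytes) -> int:
    """Map arbitrary record bytes to an exponent in Z_q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def chameleon_hash(y: int, data: bytes, r: int) -> int:
    """CH(m, r) = g^m * y^r mod p, with m = digest(data)."""
    return (pow(G, digest(data), P) * pow(y, r, P)) % P

def forge_collision(x: int, old: bytes, r: int, new: bytes) -> int:
    """Given the trapdoor, return r' with CH(new, r') == CH(old, r):
    m + x*r == m' + x*r' (mod q)  =>  r' = r + (m - m') * x^-1 (mod q)."""
    return (r + (digest(old) - digest(new)) * pow(x, -1, Q)) % Q

def make_block(y: int, payload: bytes) -> dict:
    """A block as stored on the toy chain: payload, randomiser and hash."""
    r = secrets.randbelow(Q)
    return {"payload": payload, "r": r, "hash": chameleon_hash(y, payload, r)}

def redact_block(x: int, y: int, block: dict, placeholder: bytes) -> dict:
    """Erase the personal data: new payload, new r, identical hash."""
    new_r = forge_collision(x, block["payload"], block["r"], placeholder)
    new_hash = chameleon_hash(y, placeholder, new_r)
    if new_hash != block["hash"]:
        raise ValueError("trapdoor did not produce a collision")
    return {"payload": placeholder, "r": new_r, "hash": new_hash}

def verify_block(y: int, block: dict) -> bool:
    """What any node checks: stored hash matches the payload and r."""
    return chameleon_hash(y, block["payload"], block["r"]) == block["hash"]
```

Any node holding only the public value y can still verify the redacted block, while only the holder of the trapdoor x can produce such a replacement, which is why custody of that key is the compliance-critical part.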

Looking to the future

Companies may also find themselves facing conflicting responsibilities when it comes to the needs of an auditor. Once again, the answer may be to archive transaction information while removing data about an individual.

In some situations, companies should refuse to comply with requests to delete data. Don’t forget that there is no right to be forgotten when the data held about a person is required to be retained by law.

This is particularly true in the case of anti-money laundering and fraud legislation, which requires organizations to be able to identify the parties to some types of transaction.

It all points to the need for companies to actively monitor GDPR compliance across all participants in the blockchain.

Blockchain is still evolving and there are, as yet, no standard security measures. A move towards standardization is likely to accelerate adoption of the technology.

It is by actively embracing data protection laws that we can build a stable and secure system for the long term.

Whatever the future holds, blockchain and data protection can exist side by side – in fact, all the evidence points to them both being of vital importance to businesses for years to come.

The authors are researchers at TCS Cybersecurity and Privacy Research and Innovation, India