Blockchains: can they help with GDPR compliance?
On audit and transparency yes, but right of erasure is not a good fit
Blockchains have some unique features which promise use cases beyond their roots in supporting an alternative digital currency. Among these features are immutability - information can be added but not deleted or changed; decentralisation - the ledger is replicated across multiple nodes; consensus - the nodes agree on a single version of the truth; and the tamper resistance provided by a consensus mechanism such as proof of work.
One potential use case is to replace systems that have a single point of failure such as certificate authorities and the internet's domain name system (DNS). Speaking at the Computing Enterprise Security and Risk Management Summit today, Kevin Hughes, forensic technology analyst at consultancy Alvarez and Marsal, explained how blockchain technology could help.
"The major loophole of the current DNS system is its overreliance on caching, which makes it possible to target DDoS attacks against DNS servers and manipulate DNS registries. The blockchain approach to storing DNS entries could improve security by removing the single central target that can be attacked to compromise the entire system," he said.
Inevitably, with the imminent arrival of the EU GDPR, blockchains are being examined for their compliance potential too.
"The GDPR is about transparency and auditability," said managing director Phil Beckett.
"The transparency of information captured within a blockchain means that all necessary data can be recorded in shared ledgers and made available in near real time," he went on. "Meanwhile it can allow the auditing of every instance of changes or access to data by recording it permanently on the blockchain."
However, there are a number of ways in which the attributes of blockchain do not align with the strictures of the GDPR. For example, the regulation brings in the right of erasure and the right for individuals to correct inaccurate information held on them. Here the immutability of data held on a blockchain is a burden rather than a benefit. There are ways around this, such as holding the personal data in a separate, conventional database with only a hash of each record on the chain, so that erasure means deleting the off-chain record. But this adds complexity, and the on-chain hash has to be keyed with a secret that is deleted along with the record: an unsalted hash of low-entropy personal data, such as a postcode or a date of birth, can be reversed simply by hashing every plausible value and comparing.
Another hurdle is the requirement that user profiles may not be built up from disparate data stores. The lack of complete anonymity in the blockchain places a limit on its use cases, he said.
"While the data being recorded on the blockchain does not identify the individual, a system can be put in place whereby, for example, dietary preferences, hobby interests, purchases and so on can be recorded and linked via a pseudonymous address. However, postal addresses, phone numbers, and even IP addresses cannot be recorded using this method as they can be used to track down the person behind the data."
Again, there are ways around this, such as giving the individual responsibility for the private key that encrypts their data, but this brings problems of its own.
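The two workarounds above, keeping personal data off the chain with only a hash on it, and making the individual custodian of the secret, share one shape, so a single worked example covers both. This is an added example, not code from the article or from Alvarez and Marsal: the "ledger" is an append-only Python list standing in for a blockchain, the off-chain store is a dict, the records are constructed, and the use of an HMAC keyed by a random per-record nonce as the on-chain commitment is the editor's choice rather than anything the speakers described. Erasure deletes the off-chain row (nonce and data); the on-chain digest stays but can no longer be tied to anyone, and, unlike a plain hash, cannot be reversed by guessing.

```python
"""Off-chain personal data with an on-chain commitment (added example).

Ledger = append-only list standing in for a blockchain (assumption).
OffChainStore = ordinary mutable database (assumption).
Sample records below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record):
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(record):
    """The naive design: sha256 of the record itself, no secret involved."""
    return hashlib.sha256(canonical(record)).hexdigest()


def commitment(nonce, record):
    """HMAC-SHA256 keyed by a random nonce; useless to anyone without the nonce."""
    return hmac.new(nonce, canonical(record), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only by construction: deliberately no update or delete method."""

    def __init__(self):
        self._entries = []

    def append(self, digest):
        self._entries.append(digest)
        return len(self._entries) - 1

    def get(self, index):
        return self._entries[index]

    def __len__(self):
        return len(self._entries)


class OffChainStore:
    """Mutable store: ledger index -> (nonce, personal data). This is what erasure touches."""

    def __init__(self):
        self._rows = {}

    def put(self, index, nonce, record):
        self._rows[index] = (nonce, record)

    def get(self, index):
        return self._rows.get(index)

    def erase(self, index):
        """Right of erasure: drop nonce and data; returns False if already gone."""
        return self._rows.pop(index, None) is not None


def register(ledger, store, record):
    """Write only the keyed commitment on-chain; keep nonce + data off-chain.
    If the individual keeps the nonce themselves instead of the store, the
    flow is identical, but losing the nonce makes the record unverifiable."""
    nonce = secrets.token_bytes(32)
    index = ledger.append(commitment(nonce, record))
    store.put(index, nonce, record)
    return index


def verify(ledger, store, index):
    """True only if the off-chain row still exists and matches the chain."""
    row = store.get(index)
    if row is None:
        return False  # erased: the on-chain digest is now an orphan
    nonce, record = row
    return hmac.compare_digest(ledger.get(index), commitment(nonce, record))


def guess_plain_hash(digest, candidates):
    """Enumeration attack on the naive design: low-entropy fields fall at once."""
    for c in candidates:
        if plain_hash(c) == digest:
            return c
    return None


def guess_commitment(digest, candidates):
    """Same enumeration against the keyed commitment. The attacker does not hold
    the 256-bit nonce, so any guessed key (the empty key here) never matches."""
    for c in candidates:
        if commitment(b"", c) == digest:
            return c
    return None


def demo():
    ledger, store = Ledger(), OffChainStore()
    rec = {"subject": "s-1", "postcode": "SW1A 1AA"}  # constructed sample
    idx = register(ledger, store, rec)
    before = verify(ledger, store, idx)
    store.erase(idx)
    return {"verified_before": before, "verified_after": verify(ledger, store, idx),
            "chain_length": len(ledger)}


if __name__ == "__main__":
    print(demo())
```

The point the code makes that the paragraph does not: after `erase`, the chain is unchanged (`len(ledger)` is still 1) and still holds the digest, yet `verify` fails and `guess_commitment` returns nothing, whereas the same candidate list recovers the record from `plain_hash`. The complexity the article warns about is visible too: every consumer now has to reach both stores and handle the orphaned-digest case.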
The GDPR also gives individuals the right to contest and revoke automated decisions made about them, including those by smart contracts running on a blockchain. The immutability of blockchain data presents difficulties here too, but these may be overcome in part by ensuring that users opt into their use. For example, while the recorded decision cannot be changed, a system of credits could be implemented by a distributed app (dApp) running on the blockchain, which could issue credits as a way of counteracting the 'debit' of an unwanted decision or contract.
Overall, while blockchains may have their uses in compliance and cybersecurity they are not a silver bullet, and other solutions may be better in many cases, Beckett concluded.
"Is blockchain the future of cyber security and GDPR? No. It's a tool that can be used but it won't solve all the problems," he said.