Are financial institutions ready for blockchain and GDPR?

23 Nov 2017

Image: vandame/Shutterstock

A recent report issued by the Blockchain Association of Ireland has found there are many more questions than answers when it comes to GDPR.

While the year of 2017 might be winding down, anyone in any way connected with digital data is working overtime to make sure their systems are ready for the era-defining legislation that is the EU’s General Data Protection Regulation (GDPR).

Set to come into force on 25 May 2018, GDPR aims to give all of us far greater control of how and where our data is used. It will overhaul everything from our right to be forgotten online, to the onset of autonomous vehicles.

But one of the major points of contention has been on the topic of blockchain, where a transparent and fixed record of transactions would seemingly contradict the very nature of GDPR.

While workarounds and proposals have been made that would help companies working in blockchain find ways of complying without completely altering the fabric of their business, recent research has found that many, many questions remain unanswered.

The Blockchain Association of Ireland (BAI) has published a report looking at the intersection between emerging blockchain technologies and compliance framework and has found that many companies are still in the dark.

Written by Tanya Moeller and Simon Schwerin, the report highlights the challenge of discussing a topic that is rapidly changing.

Still waiting for an answer

Speaking with, the pair said the fact that there is so little research material on blockchain technology is fascinating in itself, given its major importance to data protection.

“We had hoped that we would find concrete assertions,” the pair said, “but it seemed, at the time of writing the summary report, that the call made by the European Data Protection Supervisor for a privacy-friendly blockchain technology had not yet been answered.

“[Maybe] we started off with too much wishful thinking. As usual, technological innovations challenge the manner in which laws are applied.”

It is clear that with not much source material to go on and the many implications of the technology under GDPR, the report put forward many questions that remain unsolved.

Examples include the ongoing issue of smart contracts making decisions on your behalf when GDPR asks that citizens be informed of all decisions, and how the right to be forgotten can be enforced.

For both Moeller and Schwerin, their advice to companies is rather simple: be informed and stay on top of the game.

“As the economies which are regulated by the GDPR are such powerhouses globally, it is likely that most blockchain technology worldwide will be required to adjust somehow.

“As such, I would simply encourage innovators in this sphere to consider all privacy aspects from the design stage on, otherwise key resources may be spent on systems which will later be found to be non-compliant.

“Global experience with blockchain networks has shown that a delayed implementation of governance policies can become a challenge as a roll-back of immutable data structures is almost impossible.”

Going off-chain?

However, to say that major corporations – particularly financial institutions – aren’t ready for what’s coming with blockchain wouldn’t be accurate as we have already seen some of the biggest firms offer (somewhat controversial) solutions to blockchain.

Most notably, Accenture revealed it had patented blockchain technology that would take transactions ‘off-chain’ in order to amend errors.

But, based on what we consider to be the definition of blockchain, an editable chain would appear contradictory and has drawn criticism from some in the sector.

“An editable blockchain technology does not inherently imply it is GDPR-compliant but we stop at commenting on specific products and services,” Moeller and Schwerin said.

“Having said that, how organisations manage to create privacy-friendly blockchain technology will be fascinating to observe. It would be interesting to see the results of a thorough privacy impact assessment on this type of technology.”

So, how much reaction has this report drawn from those right in the thick of this issue?

Generally, the authors said, reaction has been positive. However, those awaiting the BAI’s findings – and possible solutions – had to settle for the realities and scale of the issue.

“A lot of people had hoped that the BAI would have answers, which at the time of writing we did not have,” they said.

“In the end, this in itself was a result we could live with. We settled on the fact that our work, through raising key questions, would bring the GDPR principle of ‘privacy by design’ more to the forefront of the blockchain technology sector. Our discussions were animated, to say the least, and we look forward to more of those.”

Colm Gorey was a senior journalist with Silicon Republic