There has been much activity in recent years around the use of blockchain to provide more integrity and privacy to transactions, but there are some privacy issues organizations need to know about.
In a session at the RSA Conference 2022, Jim Amsler, director governance, risk and compliance, at BDO and Greg Schu, partner, national compliance lead, at BDO Digital, outlined the opportunities and the challenges of blockchain from a privacy perspective.
Schu explained that one of the goals of blockchain is to try to improve security for transaction information and the reliability of transactions. A distributed ledger is part of blockchain approaches, which basically means that all the data doesn’t sit in a single location; rather, it is distributed in an approach that helps to provide more resiliency. The concept of a ‘smart contract’ is increasingly part of blockchain technologies today as well, providing a policy language for how operations should occur. Finally, with blockchain, there is the concept of an immutable ledger, which is a log of everything that has happened that cannot be changed or altered.
Privacy and Data Protection on the Blockchain
There are a few problems with privacy and blockchain. Amsler explained that public blockchains are visible to everybody, which can be an issue for personal data protection.
On the blockchain, there are fundamentally two kinds of personal data, according to Amsler. The first is the public key, which serves as an identifier for the individual or entity behind a transaction. The other kind of personal data is content within the data packet itself that might contain details about a specific transaction.
Blockchain technology could be at odds with multiple privacy regulations, including the EU’s General Data Protection Regulation (GDPR). Amsler noted that the GDPR includes provisions for the right to be forgotten and the right to erasure of personal data. Given the distributed and immutable nature of blockchain, it’s not a trivial matter to delete data or erase an entire user profile.
Amsler suggests that organizations conduct privacy impact assessments before using blockchain-based technologies to fully understand the risks and implications.
“The paradox is that we have ourselves a technology with a paradigm of data processing that is fundamentally at odds with some of the privacy regulations,” Amsler said. There’s not a lot of regulatory guidance in terms of processing private data on the blockchain.”