By Christopher Air and Alexander Dimitrov


Published 14 November 2022

Overview

Blockchain and associated distributed ledger technologies (DLTs) are increasing in prominence and use across a number of sectors – including healthcare, logistics, real estate, banking and insurance. However, it is probably owing to more trendy applications such as crypto assets, including non-fungible tokens (NFTs) that they are gaining more and more in terms of popularity and acceptance.

Nonetheless, despite their popularity and central role in emerging technologies, concerns remain around whether the use of Blockchain technology involving personal data can be achieved in compliance with data protection law – in particular the EU and UK GDPR (together, “the GDPR”) and the Data Protection Act 2018.

Some of the core features of a Blockchain, particularly (a) its immutable nature (meaning that, once written, data cannot be changed); (b) its reliance on a decentralised framework (making it difficult to define who the controllers and processors are); and (c) the fact that the data is replicated across every node of a peer-to-peer network, mean that it conflicts by design with some key requirements of the GDPR. In particular, the principles of data minimisation, purpose limitation (including the compatibility of any further purpose), accountability and storage limitation (data retention) need to be looked at carefully, as does the upholding of data subjects’ rights.

Of the two main types of Blockchain (private/permissioned versus public/permissionless, although there are hybrid varieties), it is the public/permissionless variety which presents the most concerns in relation to its ability to facilitate data protection compliance. Permissionless Blockchains offer little in the way of suitable controls, accountability, permissions or protocols on data sharing, with no clear identifiable data controller to carry the responsibility for managing compliance centrally.

Furthermore, one of the key features of any Blockchain is its immutable nature – in other words, once data is recorded on the Blockchain, it cannot be altered or deleted. Whilst this offers security and trust insofar as the integrity of transactions is concerned, it plainly conflicts with the storage limitation principle and with the upholding of data subject rights under the GDPR (particularly the rights to rectification and erasure under Articles 16 and 17 respectively).

In response to these challenges, data protection regulators are increasingly looking at how to square the onerous and restrictive obligations under the GDPR with this increasingly ubiquitous technology. Whilst UK organisations await substantive guidance from the Information Commissioner’s Office (ICO), it has been helpful to read the views of the French data protection authority, the CNIL, which has cautiously issued recommendations around how Blockchain may be used in a GDPR-compliant fashion.

Furthermore, an EU research paper by the European Parliamentary Research Service has encouragingly stated that “…this study finds that it cannot be concluded in a generalised fashion that blockchains are either all compatible or incompatible with European data protection law. Rather, each use of the technology must be examined on its own merits to reach such a conclusion.” Therefore, whilst caution is advised, it is useful to know that the regulators do not rule out the possibility that a Blockchain can achieve GDPR compliance.

Fundamentally, there is an acceptance that whilst data written to the chain can never truly be deleted, there are steps which can be taken to at least move some way towards a measure which approaches deletion or rectification. Some examples include adding a new block with correct data to the chain (which achieves rectification, although the incorrect old data remains on the chain) and, instead of writing the data itself, recording on the chain a unique hash of each piece of data computed with an additional secret key that is held off-chain. Destroying that key later does not actually delete anything from the chain, but is more akin to anonymising the data, so that what remains on the chain is no longer held in identifiable form. Other proposed solutions include only using private, permissioned blockchains to enable access controls, identifying a central data controller, and placing more compliance obligations on users by requiring them to agree to certain terms of use before being granted access, e.g. agreeing not to include additional personal data on the chain.
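The two mitigations above (rectification by appending a corrected block, and keyed hashing with an off-chain key) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the authors, the CNIL or any real distributed ledger. It simulates a toy append-only chain in which each block stores only an HMAC-SHA256 commitment to a personal-data record, while the readable record and its per-record key live off-chain. The names `CommitmentChain`, `keyed_commitment`, `guess_unkeyed` and the sample records are constructed for the illustration. It also shows why the secret key matters: an unkeyed hash of a low-entropy value such as a name can be reversed by guessing, whereas the keyed commitment cannot.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(data: dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(data: dict) -> str:
    """Unkeyed SHA-256 of a record: the weak option for guessable personal data."""
    return hashlib.sha256(canonical(data)).hexdigest()


def keyed_commitment(key: bytes, data: dict) -> str:
    """HMAC-SHA256 of a record under a per-record secret key kept off-chain."""
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()


def guess_unkeyed(target: str, candidates: list[dict]) -> Optional[dict]:
    """Dictionary attack: recover a record from an unkeyed hash by trying guesses."""
    for candidate in candidates:
        if plain_hash(candidate) == target:
            return candidate
    return None


class CommitmentChain:
    """Toy append-only ledger (constructed for illustration, not a real DLT).
    Each block carries only a keyed commitment and a pointer to the previous
    block; the readable record and its key are kept off-chain."""

    def __init__(self) -> None:
        self.blocks: list[dict] = []            # on-chain: only ever appended to
        self.off_chain: dict[str, dict] = {}    # record_id -> {"key", "data"}

    def append(self, record_id: str, data: dict) -> dict:
        key = secrets.token_bytes(32)           # fresh secret key per record
        self.off_chain[record_id] = {"key": key, "data": data}
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        block = {
            "index": len(self.blocks),
            "record_id": record_id,
            "commitment": keyed_commitment(key, data),
            "prev": prev,
        }
        block["block_hash"] = hashlib.sha256(canonical(block)).hexdigest()
        self.blocks.append(block)
        return block

    def rectify(self, record_id: str, corrected: dict) -> dict:
        """Art. 16 analogue: append a block for the corrected record. The old
        block, and its commitment, stay on the chain."""
        return self.append(record_id, corrected)

    def erase(self, record_id: str) -> None:
        """Art. 17 analogue: destroy the off-chain key and readable copy. The
        commitment remains on-chain but can no longer be linked to a person."""
        self.off_chain.pop(record_id, None)

    def resolve(self, block_index: int) -> Optional[dict]:
        """Readable record behind a block, or None if the key/data are gone or
        no longer match the on-chain commitment."""
        block = self.blocks[block_index]
        entry = self.off_chain.get(block["record_id"])
        if entry is None:
            return None
        expected = keyed_commitment(entry["key"], entry["data"])
        if not hmac.compare_digest(expected, block["commitment"]):
            return None
        return entry["data"]

    def latest(self, record_id: str) -> Optional[dict]:
        """Current (most recently appended) readable record for an identifier."""
        for block in reversed(self.blocks):
            if block["record_id"] == record_id:
                return self.resolve(block["index"])
        return None

    def verify_chain(self) -> bool:
        """Integrity check: every block hash and back-pointer must still hold."""
        prev = "0" * 64
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "block_hash"}
            if block["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != block["block_hash"]:
                return False
            prev = block["block_hash"]
        return True
```

Two points a practitioner should take from running this. First, after `erase()` the chain is unchanged and still verifies, but the commitment can no longer be resolved to a person; while the key exists the on-chain value is pseudonymised data, not anonymised, so the governance of that off-chain key is where the compliance argument actually lives. Second, `guess_unkeyed` recovers a plain SHA-256 of a name from a short candidate list, which is why an unkeyed hash of personal data on a public chain should not be treated as anonymisation.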

As a light at the end of the tunnel, there is even suggestion that, where used responsibly (particularly in the context of a private, permissioned Blockchain), the technology could ultimately help facilitate compliance with the GDPR. In particular, it has the potential to encourage transparency, offer a solid basis for a secure data sharing framework, assist with data portability and promote meeting other data subject rights.

Either way, the uncomfortable but fascinating interplay between the evolving technology and the legislative landscape will remain for the foreseeable future and it will be really interesting to see how the regulators respond to these concepts to provide guidance to organisations wanting to embrace this technology in a responsible manner.
