When it comes to blockchain technology, the very features that make blockchain so attractive to many enterprises – such as the ability to create an immutable public ledger of transactions – are also the very features that could lead to privacy issue headaches for those enterprises. In fact, tech research firm Gartner is now calling “blockchain privacy poisoning” one of the biggest risks facing organizations over the next few years. By 2022, says Gartner, three-fourths of all public blockchains will suffer some form of privacy poisoning.
What is blockchain privacy poisoning?
The term “blockchain privacy poisoning” refers to the insertion of personal data into a public blockchain, thereby making that blockchain non-compliant under the European General Data Protection Regulation (GDPR). According to the GDPR, all individuals have “the right to be forgotten,” so you can immediately see why blockchain technology represents such a problem: by their very nature, blockchains are meant to be immutable. This creates a paradox for organizations: you have personal data “on chain” that cannot be altered, and you simultaneously have the right of individuals to change, alter or delete their data at any time. Personal information cannot be deleted without compromising the chain.
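An added illustration of the paradox described above (example code, not from the article or from Gartner's report): a toy hash-linked ledger in which editing a block to honour an erasure request breaks chain verification, plus, going one step beyond the text, a variant that anchors only a salted hash on chain so the personal record can be deleted off chain without touching the chain. The ledger format, function names and sample records are all constructed for this example.

```python
import hashlib
import json

def block_hash(prev_hash, payload):
    # Each block commits to its predecessor's hash and to its own payload.
    return hashlib.sha256((prev_hash + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

def append_block(chain, payload):
    prev_hash = chain[-1]["hash"] if chain else "0" * 64  # all-zero genesis link
    chain.append({"prev_hash": prev_hash, "payload": payload,
                  "hash": block_hash(prev_hash, payload)})
    return chain

def verify_chain(chain):
    # Recompute every hash from the genesis link; any edited payload fails.
    prev_hash = "0" * 64
    for block in chain:
        if (block["prev_hash"] != prev_hash
                or block["hash"] != block_hash(prev_hash, block["payload"])):
            return False
        prev_hash = block["hash"]
    return True

def erase_field(chain, index, field):
    # Naive attempt to honour an erasure request by editing the block in place.
    chain[index]["payload"][field] = "[ERASED]"
    return chain

def build_poisoned_chain():
    # Constructed sample: the second block carries an account holder's name.
    chain = []
    append_block(chain, {"tx": "deposit", "amount": 100})
    append_block(chain, {"tx": "transfer", "amount": 40, "holder": "Jane Doe"})
    append_block(chain, {"tx": "withdrawal", "amount": 10})
    return chain

def commitment(record, salt):
    # Salted hash of an off-chain record; the salt stays off chain with the record.
    return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()

def build_committed_chain():
    # Same transfer, but only a commitment to the personal record goes on chain.
    salt = b"constructed-random-salt"  # a real deployment would draw this from a CSPRNG
    record = {"holder": "Jane Doe"}
    off_chain = {"rec-1": (record, salt)}
    chain = []
    append_block(chain, {"tx": "deposit", "amount": 100})
    append_block(chain, {"tx": "transfer", "amount": 40, "holder_ref": commitment(record, salt)})
    return chain, off_chain
```

Deleting `off_chain["rec-1"]` leaves `verify_chain` true, whereas `erase_field` on the poisoned chain makes it false, which is the whole difference between the two designs.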
Until now, blockchain privacy poisoning had not been a major concern because most data being stored on a blockchain was anonymous transaction data. For example, Bitcoin uses a public blockchain to store information about all transactions. But no personal data of any kind is stored on the blockchain. This has several advantages – it means that the specific identity of any individual holding Bitcoin is completely anonymous, and it also means that nobody can ever take away your Bitcoin by altering the Bitcoin blockchain. As of now, nobody has ever found a way to alter a blockchain by changing or deleting older “blocks” in the chain. Theoretically, that’s what keeps your Bitcoin safe.
However, at the same time, organizations are starting to store more and more information on their public blockchains, and that’s what is leading to the concern that personal data might end up on the blockchain at some point. This personal data might include information about chronically ill patients, credit card numbers, or addresses of individuals. Especially for financial services organizations, there is a fine line between storing anonymized transaction data and storing personal financial information on the blockchain.
Consent management and the blockchain
According to Gartner, one risk factor involved in blockchain privacy poisoning is that organizations are using blockchain now for proof-of-consent implementations. By 2023, over 25 percent of GDPR-driven, proof-of-consent implementations will involve blockchain technology. That’s a steep increase from the figure of less than 2 percent today.
Thus, the application of blockchain technology to consent management is, in many ways, a double-edged sword. On one hand, it could provide the tracking and auditing required to comply with data protection and privacy legislation. On the other hand, it makes it impossible to change any data that has been entered onto the blockchain.
Right now, blockchain and consent management is still in the early stage of experimentation, but it’s clear that concerns over blockchain privacy poisoning could radically change current thinking about the best way to implement blockchain projects without running the risk of becoming noncompliant with privacy laws and general data protection regulations.
Blockchain privacy poisoning in the context of other privacy issues
For any organization thinking about implementing blockchain systems, there definitely needs to be coordination between the tech development team and the privacy team. That’s because there are plenty of other privacy risks that are linked to the way that organizations structurally store, record, process and change their data. In its report featuring blockchain privacy poisoning, for example, Gartner also delved into other types of related privacy risks. By 2020, the largest area of privacy risk will involve the backup and archiving of personal data. According to Gartner, this privacy risk will impact 70 percent of all organizations, and could lead to a steep increase in online costs for those organizations.
A large financial services organization, for example, might decide to start storing transaction data on the blockchain. By itself, transaction data stored on the blockchain would not represent a privacy risk under the GDPR. In the event of a data breach by an outside hacker, the fact that this data is stored on the blockchain would actually provide a valuable backup of the data. However, there is a risk of linking personal information to the transactions (as would be the case with bank accounts or the names of account holders). In that case, the public blockchain would be poisoned.
Operating blockchain systems without managing privacy risk, then, is no longer possible in the post-GDPR era. Blockchains poisoned with personal data are going to be a major topic between now and 2022, so organizations would do well to start considering the implications now. Public blockchains will suffer if this issue cannot be worked out without compromising chain integrity.
Who should be accountable for blockchain privacy poisoning?
The topic of blockchain privacy poisoning is so new that even privacy experts are not exactly sure where it’s headed. After all, the notion of a blockchain poisoned with personal information refers specifically to “public” blockchains. However, there are also “private” blockchains, and it is uncertain whether the GDPR would apply there. For example, if a company decides to put its entire supply chain on the blockchain, it is likely (for competitive reasons) that it would create a private blockchain in which you would need permission to add blocks to the chain. These private blockchains would likely include organizational data, business data, and commercial data – but not personal data. And even if someone negligently inserted personal data that rendered the blockchain “poisoned”, would it really matter, since none of that data would be accessible to the public?
So far, there have been no documented cases of blockchain privacy poisoning, so any new case that arises will definitely set a precedent. While there is currently quite a bit of uncertainty over what happens when a deployed blockchain suffers privacy poisoning, one thing is certain: new privacy regulations are dramatically impacting the strategy and approach for storing and processing personal data.