Undoubtedly, the arrival of Blockchain is sowing confusion in many areas of the business world around the world, including in Spain. One of the most controversial and fastest spreading claims is that the Blockchain technology contradicts the GDPR. Nothing is further from reality.
Some Blockchain detractors argue that technology does not comply with aspects such as the right to forget, portability, modification and right of information . One of the characteristics of the Blockchain is immutability. Therefore, it is stated that the information remains in the network forever, breaching the fundamental right of any user to the deletion and rectification of their personal data. The limited conservation of the data also raises controversies: when a user gives us consent to use their data, they give it to us for a limited period of time. Again, the same logic is followed, Blockchain is immutable, so personal data remains forever. The third aspect refers to the responsibility of the treatment: the GDPR obliges companies to designate who has access to data. In this sense, it is affirmed that, since the information is decentralized, a person responsible for the treatment cannot be designated. Others go further and ensure that the information is visible to any network user.
All these statements obviate a fundamental aspect: The information is NOT stored in Blockchain How? What? What is not saved? IT IS NOT SAVED
Next, using a very simple example, we explain how it works and how in Nodalblock, we use Blockchain precisely to facilitate compliance with the new regulations. The reality is that when a user uses our platform to certify a set of data (an e-mail, contract, document, audio, etc.), a unique code is generated that only the user can relate to the original information. This code does not include any personal data, nor can it be reconstructed in legible data, so that if a client exercises his right to be forgotten, simply erasing the actual information from their equipment and servers would suffice.
But, if the information is not stored in Blockchain, what is it used for? The person in charge of the processing or owner of the information can relate real data to the alphanumeric code and, in addition, each time he “uploads” the same set of data -and as long as not even a comma is altered- he will get the same code, which in practice means being able to demonstrate that certain information (an invoice, e-mail, contract or medical history) remains unchanged from a specific moment, which is very useful, among other things, in complying with the GDPR.
Let’s take a look at a specific example. Juan Pérez subscribes to my blog. As I want to comply with the GDPR and protect Juan Pérez’s rights, I need to be able to demonstrate the time I obtained his data, that I have not edited or altered it and whose information I will keep correctly. In Nodalblock’s client area, I entered with my Digital ID and I certify the registration sheet with Juan Pérez’s data. In doing so, I get the Nodalblock certificate and this code Aa4568?iu8900190klOmPQ*9912T, which is the ONLY thing that will be stored in Blockchain, and which ONLY I can relate to the content of Juan Pérez’s data. Optionally, I can save the information in Nodalblock that, as a trusted third party, guarantees me its preservation, encryption and access, or save it on my computer or server.
However, Juan Pérez can, at any time, exercise his right to cancel his data: simply delete the file from my server(s) where the information is stored. If that happened, in the Blockchain network there would only be one code without any real content to relate, a simple succession of characters without any use. Of course, I can also modify the information, certifying it again. In that case, I will not get the same code, but I will continue to have proof that, when Juan Pérez asked me to alter his information, I did it, I certified it, I encrypted it and I did not touch it again. And all that information is only available to the company in charge of processing the data. The computers that make up the Blockchain network could only see the alphanumeric code, but never relate or reconstruct readable data.
In summary, the alphanumeric codes are NOT personal data,as recognized by the GDPR, which is why it exempts companies that have their encrypted information from the obligation to communicate a security breach.
In short, Nodalblock, Blockchain and GDPR are concepts that intermingle perfectly and are great friends.