The European Union's new General Data Protection Regulation (GDPR) will take effect on May 25, and it will impact many US and global businesses that do business with European consumers. GDPR is also expected to affect how open and permission-based blockchain technology handles the collection of private data.

If your company is planning an ICO in 2018, you definitely need to know about GDPR compliance with the blockchain, how it might impact data privacy, and how it could affect an ICO. Let’s take a look.

Centralized GDPR

When the GDPR was conceived, written and passed over two years ago, it was seen as a highly controlled oversight process that gave power to data controllers to control how, where and to whom data is accessed and transferred. But the emergence of open blockchain technology since then has thrown sand in the face of this control element of data privacy.

GDPR relies on data controllers to oversee data privacy requests, but open blockchains rely on an open infrastructure. If you are running a business focused on blockchain technology, and you receive a data withdrawal request, you are expected to comply with that request. In other words, you will have to change the record in the blockchain. Unfortunately, blockchains are generally considered to be unchangeable.

As noted in The Verge, distributed ledger technology isn’t structured in a way that lets you change just one block of information. Changing one block requires changing all the blocks that follow it. That’s the key obstacle that blockchain proponents are trying to overcome with GDPR compliance.

Emerging Solutions for ICOs

Experts are looking at a few possible solutions to reconcile open blockchain technology with controlled privacy oversight, with regard to GDPR compliance for data removal.

One of the ideas being discussed involves storing personal data off of the blockchain. Doing so would avoid having to change the rest of the blockchain when private data needs to be deleted or changed. But as mentioned earlier, this would defeat the fundamental benefits of distributed ledger technology.

Another option being discussed in blockchain circles is so-called “blacklisting”, which involves destroying the cryptographic key that enables personal data access. Managing this process in a responsible and auditable manner could offer some hope for blockchain companies working to comply with GDPR consumer rights.
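To make the key-destruction idea and the "one block changes all the following blocks" problem concrete, here is an added example (not from the original article or any particular blockchain project). The toy hash chain, the off-chain `keystore` dictionary, the function names and the sample records are all assumptions made for illustration, and the HMAC-based keystream is a standard-library stand-in for a vetted cipher such as AES-GCM.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 counter keystream) to stay stdlib-only;
    # a real system would use a vetted AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def block_hash(prev, payload):
    return hashlib.sha256(json.dumps([prev, payload], sort_keys=True).encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})

def verify(chain):
    prev = GENESIS
    for blk in chain:
        if blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["payload"]):
            return False
        prev = blk["hash"]
    return True

def read(chain, keystore, i):
    p = chain[i]["payload"]
    key = keystore.get(p["subject"])  # off-chain lookup (hypothetical key store)
    if key is None:
        return None  # key destroyed: ciphertext stays on-chain but is unreadable
    return xor_stream(key, bytes.fromhex(p["nonce"]), bytes.fromhex(p["ct"])).decode()

def demo():
    keystore, chain = {}, []  # keystore is off-chain and mutable
    records = [("s1", "alice@example.com"), ("s2", "bob@example.com"), ("s3", "carol@example.com")]  # constructed
    for subject, pii in records:
        key, nonce = keystore.setdefault(subject, secrets.token_bytes(32)), secrets.token_bytes(12)
        append(chain, {"subject": subject, "nonce": nonce.hex(), "ct": xor_stream(key, nonce, pii.encode()).hex()})
    # In-place erasure: blank block 0 and re-hash it; block 1 still points at the old hash.
    edited = json.loads(json.dumps(chain))
    edited[0]["payload"]["ct"] = ""
    edited[0]["hash"] = block_hash(edited[0]["prev"], edited[0]["payload"])
    # Key destruction: the chain is untouched. A real deployment must also purge
    # the key from backups, caches and HSM replicas.
    del keystore["s1"]
    return {"edited_valid": verify(edited), "chain_valid": verify(chain),
            "s1": read(chain, keystore, 0), "s2": read(chain, keystore, 1)}

if __name__ == "__main__":
    print(demo())
```

Editing the block in place invalidates every later link, while deleting the subject's key leaves the chain verifiable and only that subject's record unreadable.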

The second half of 2018 is shaping up to be highlighted by hundreds of ICOs. Without GDPR compliance in their practices, these ICOs could be hampered by fines ranging from 10 million euros (or 2% of global revenues from the previous year) to 20 million euros (or 4% of global revenues from the previous year).

No U.S. startup or larger firm would welcome those kinds of disciplinary actions. It’s up to you to heed the warnings, know the correct actions to take, and stay on the right side of compliance.