Unblocking Blockchain Boundaries
Should we include personal data on a blockchain?
You can, but complying with the obligations in the GDPR is a challenge, especially because it is, in principle, impossible to change or delete information on a blockchain. We therefore strongly recommend that you incorporate data protection principles in every blockchain (privacy by design) and ensure that default settings keep processing to a minimum (privacy by default). For further security, you should store all identifiable personal data off-chain and limit the data stored on the blockchain to links or hashes.
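The off-chain pattern recommended above, as an added sketch that is not from the original page. The in-memory `ledger` and `off_chain` stores, the record id and the sample e-mail address are constructed. The per-record HMAC key is an assumption added here, because a plain hash of guessable personal data can be matched by hashing candidate values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: a list for the append-only ledger, a dict for the
# erasable off-chain database. Neither models a real blockchain product.
ledger = []      # on-chain: random record ids and commitments, no personal data
off_chain = {}   # off-chain: record_id -> (per-record key, personal data)


def commit(key, data):
    """Keyed digest (assumption: HMAC-SHA256) so the ledger value is not guessable."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store(record_id, personal_data):
    """Keep the data and a fresh random key off-chain; append only the digest."""
    key = secrets.token_bytes(32)
    data = personal_data.encode()
    off_chain[record_id] = (key, data)
    digest = commit(key, data)
    ledger.append({"record_id": record_id, "commitment": digest})
    return digest


def verify(record_id):
    """Check that the off-chain record still matches what was anchored on-chain."""
    if record_id not in off_chain:
        return False
    key, data = off_chain[record_id]
    anchored = next(e["commitment"] for e in ledger if e["record_id"] == record_id)
    return hmac.compare_digest(commit(key, data), anchored)


def erase(record_id):
    """Delete the data and its key off-chain; the ledger entry itself remains."""
    off_chain.pop(record_id, None)


def guessable(digest, candidates):
    """True if an unkeyed SHA-256 of any candidate value reproduces the digest."""
    return any(hashlib.sha256(c.encode()).hexdigest() == digest for c in candidates)
```

After `erase`, the ledger still holds the digest, but the key needed to recompute it no longer exists. The record id must itself be a random value, not something derived from the person.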
How can we control our blockchain solution?
By setting up a clear governance structure. For instance, using a private blockchain that is permissioned (invitation only) instead of permissionless (open to everyone) enables you to assign different rights to different parties and makes it easier to determine who is responsible for complying with the GDPR. Once this structure is in place, draw it up into a document and enter into the necessary data processing agreements, data sharing protocols and commercial contracts with all blockchain participants.
What else should we keep in mind when introducing a blockchain solution?