Deloitte’s Global Blockchain Survey last year found that organisations’ concerns about blockchain technology are fading, with more businesses now investing in the technology in areas such as life sciences, government, banking and manufacturing.
However, the use of blockchain technology in mainstream business is still relatively new and unproven for use in areas such as the protection of personal information.
When it comes to compliance, blockchain supports legislation in that it provides consistent history, but it is not fully supportive of all the provisions of new protection of personal information legislation.
As we learned in the early days of coding, when weak coding standards let programmers produce logic with startling and risky results such as “memory leaks” or “dangling pointers”, unpredictable or undesired behaviour can result from new applications of relatively unregulated technologies and open-source code. Considering this, should blockchain technology be regulated more, or is it too late?
As I have said before, blockchain technology may support some areas of data management very well, but it's not a silver bullet for compliance. Because blockchain technology is immutable, it can support transparency and audit, but this same immutability presents a challenge when companies attempt to align with legislative clauses on how and when data should be deleted.
The potential clash between the properties of blockchain and provision for the right to be forgotten in the European Union General Data Protection Regulation has sparked some debate in recent years.
Similarly, the Protection of Personal Information Act (POPIA) provides for the deletion of personal information that should no longer be retained. POPIA states that “a data subject may request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain”.
With the deadline for POPIA compliance only months away, this right to be forgotten should not be overlooked in compliance programmes.
With blockchain running on distributed nodes, secured by encryption and keys, personal information may be protected, but can these blocks be switched off? Probably not, unless you destroy the hardware.
In aligning with privacy legislation, organisations must also consider who may access the data and who the privacy officer or accountable person is: in blockchains, entities other than the collecting organisation might control the data, with no one person accountable for it.
Ahead of the POPIA compliance deadline, organisations should be considering how they will secure, control access to and eventually delete personal information. They will need to revisit how personal data is processed and stored, and whether blockchain is indeed the technology best suited for this purpose.
Should blockchain be found fit for purpose, a need may arise to flag personal information protected by legislation, as well as any conditions attached to it to ensure it is handled correctly. Organisations may need to take a hybrid approach to using both blockchain and other platforms and technologies to remain compliant; they might look to the creation of a hybrid ‘editable’ blockchain; or industries may find it necessary to collaborate on private blockchains dedicated for the handling of customers’ personal information.
It may become necessary to detail exactly what constitutes forgotten (or deleted), and whether data locked in a blockchain may be seen as not available, and therefore compliant. Methods and measures should also be discussed to overcome the potential challenges of upholding a right to be forgotten, against any future need to use the data for audits and forensic investigations.
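The hybrid approach and the open question of what “deleted” means for data tied to a chain can be made concrete. The following is an added illustration, not code from the article or any real platform: the chain holds only a salted commitment to each personal record plus a flag and its handling conditions, while the record and its salt sit in a deletable off-chain store. The class and field names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Added example: on-chain blocks carry a keyed hash of a personal record and a compliance
# flag; the record and its salt live off-chain. Forgetting a subject deletes the off-chain
# copy, so the chain stays intact and verifiable while the data becomes unrecoverable.
def commit(record: dict, salt: bytes) -> str:
    """Keyed hash of the canonical record; without the salt the digest reveals nothing."""
    canon = json.dumps(record, sort_keys=True).encode()
    return hmac.new(salt, canon, hashlib.sha256).hexdigest()

def block_hash(prev: str, commitment: str, meta: dict) -> str:
    payload = json.dumps({"prev": prev, "commit": commitment, "meta": meta}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class HybridLedger:
    def __init__(self):
        self.chain = []      # append-only blocks; never edited after creation
        self.offchain = {}   # pseudonymous ref -> (record, salt); deletable
    def add(self, record: dict, lawful_basis: str) -> str:
        ref, salt = secrets.token_hex(16), secrets.token_bytes(32)
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        # Only a pseudonymous reference and the handling conditions go on-chain.
        meta = {"ref": ref, "personal": True, "lawful_basis": lawful_basis}
        c = commit(record, salt)
        self.chain.append({"prev": prev, "commit": c, "meta": meta,
                           "hash": block_hash(prev, c, meta)})
        self.offchain[ref] = (record, salt)
        return ref
    def verify_chain(self) -> bool:
        """Audit property: every block links to its predecessor and hashes correctly."""
        prev = "0" * 64
        for b in self.chain:
            if b["prev"] != prev or b["hash"] != block_hash(b["prev"], b["commit"], b["meta"]):
                return False
            prev = b["hash"]
        return True
    def verify_record(self, ref: str) -> bool:
        """True only while the off-chain record still matches its on-chain commitment."""
        if ref not in self.offchain:
            return False
        record, salt = self.offchain[ref]
        block = next(b for b in self.chain if b["meta"]["ref"] == ref)
        return hmac.compare_digest(commit(record, salt), block["commit"])
    def forget(self, ref: str) -> bool:
        """Right to be forgotten: drop the record and its salt; the chain is untouched."""
        return self.offchain.pop(ref, None) is not None
```

After `forget`, `verify_chain` still succeeds (the audit trail survives) while `verify_record` fails (the data is gone); whether a residual keyed hash with its salt destroyed counts as “not available” is exactly the definitional question the article raises.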