For example, one of the biggest concerns of GDPR’s impact on blockchain, is that the immutability of recorded transactions violates GDPR’s “right to be forgotten.” Article 17(1) of GDPR clearly provides that a data subject has the “right to be forgotten” by demanding the erasure of his/her personal data upon the withdrawal of consent, or upon his/her objections to the processing. However, Article 17(1)(b) and (3) recognizes that the data subject’ “right to be forgotten” can be overridden by the controller’s legal or legitimate grounds to process the personal data, or for compliance with a legal obligation, respectively. In the context of blockchain, it is easy to imagine a scenario where an individual’s right to be forgotten is overridden by the legitimate interest of the owners/operators of blockchain to comply with legal obligations.
Take for instance, in the financial context, financial institutions have to comply with what is commonly known as the “know-your-customer” rule and must keep records of such transactions, including the personal data of the parties involved in the transaction. In the context of global logistics, personal data contained in the shipping documents of international freight must be maintained and stored for legal compliance reasons.
From a technological standpoint, the fact that blockchain is still in its infancy stage also ensures that GDPR will not hinder the adoption of blockchain throughout industries. While popular cryptocurrencies, such as Bitcoin, use public blockchains, businesses and industries are racing to develop private or permissioned blockchains. The key difference between a public and private blockchain is that in a public blockchain, there is no central authority and anyone can view the information contained in the ledgers; whereas, in a private blockchain, a central authority oversees who has access and how the data is distributed/stored. Creation or adoption of private blockchains will allow companies to account for, and ensure compliance with, GDPR.