Blockchain and GDPR: Compatibility or Conflict? (nasdaq.com)

By Michael Kallens, Markus Mild and Johan Toll

At Nasdaq, we've been exploring and testing possible uses of blockchain technology since 2013. We firmly believe it has the potential to increase efficiency, reliability and transparency across the financial services industry and other sectors.

Whether it will achieve that potential will in good measure depend on whether it can be implemented consistently with the new privacy and other rights afforded to individuals under the European General Data Protection Regulation (GDPR).

While GDPR and blockchain share a similar fundamental commitment to protecting integrity and accountability in data processing, concerns have been raised about whether specific requirements under GDPR can be squared with how blockchain operates. 

For example, can core GDPR requirements like data minimization, restrictions on international transfers and individual rights to erasure (a.k.a. the "right to be forgotten") be reconciled with blockchain's reliance on immutable, distributed ledgers?

Given the consequences of violating GDPR (e.g. fines of up to four percent of annual turnover, potential litigation and reputational damage), the financial services and other industries are looking for assurance that the requirements of GDPR and the core operating functions of blockchain are not irreconcilably opposed.

Initial guidance and reports by France's data protection authority - the "Commission Nationale de l'Informatique et des Libertés" (CNIL) and the EU Blockchain Observatory and Forum (Blockchain Forum) begin to address how blockchain solutions can be compatibly implemented in light of GDPR.

Progress in Recent Publications

To date, neither the European Data Protection Board (EDPB) nor the national data protection authorities (other than the CNIL) have issued formal guidance regarding how to implement blockchain consistent with GDPR.

Recent publications from the CNIL ("Solutions for a Responsible Use of the Blockchain in the Context of Personal Data") and the Blockchain Forum ("Blockchain and the GDPR") represent first steps toward the concrete answers that innovators and industry will need to be comfortable using blockchain processing of personal data for everyday financial transactions. Importantly, these publications reflect an ongoing commitment by regulators and thought leaders to engage to develop a workable framework for applying blockchain technology to personal data processing.

Read together, these publications and others in this space are starting to map out key items that GDPR-compliant blockchain implementations within the financial services space will need to incorporate. These include:

  • Identification of a single entity as the data "controller" with all other participants and solution providers as data "processors." Under GDPR, the controller of personal data has frontline compliance responsibility. In the blockchain model - especially where several entities jointly leverage a blockchain - it could be argued that multiple parties act as data controllers, raising the potentially complex situation of joint controllership. To avoid that, the entities should either create a new special purpose entity or contractually identify a single controller. Other entities using the blockchain and miners validating entries would then be processors under contract to the controller.

  • Where possible, avoid storing personal data on the blockchain; if storage is necessary, minimize the personal data and employ strong hashing or encryption measures.  A core use of blockchain is to evidence that a transaction occurred or that a record is valid.  Where transactions or records involve natural persons, they will inevitably involve personal data.  However, such personal data often do not need to be stored on the blockchain; rather, the entry can provide evidence of the record which is itself stored outside of the blockchain.  This approach helps satisfy data minimization and security requirements under GDPR.

  • Use private and permission-based blockchains that contractually address GDPR international transfer requirements:  GDPR imposes restrictions on the transfer of data outside the EEA; personal data may only be transferred to jurisdictions that afford adequate protection to the data or to entities subject to binding corporate rules or model contract clauses to protect the data. These requirements are inconsistent with public and permission-less blockchain networks (where data location cannot be restricted).  As a result, solutions should leverage private and permission-based blockchains where each participant agrees to certain international transfer terms for the exchange of information.

The Primary Challenge: Ensuring Individual Data Subject Rights

While there remain many areas where the details of how to implement a blockchain solution in a way that complies with GDPR still need to be resolved, the greatest challenge relates to how any solution can satisfy all of the data subject rights afforded under GDPR.

Certain individual rights provided by GDPR such as the rights to portability, access and an accounting of personal data processing can be easily addressed by blockchain technology - and, in fact, play to its strengths. 

Other rights like the right to restriction can be built into how the solution is programmed and rights against automated decision making can be addressed by business processes.

However, because blockchain technology is structured with lasting, decentralized records, effectively ensuring the rights to erasure and rectification afforded to individuals under GDPR poses a substantial compliance challenge. 

As stated in the CNIL report, when data is recorded as a commitment, hashed or encrypted, the controller can "approach" these rights by rendering the underlying data inaccessible to functionally achieve erasure; for rectification, the controller would then combine the inaccessible record with a replacement, corrected entry in a new block.
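The off-chain storage pattern from the list above and the CNIL's "inaccessibility" approach to erasure and rectification, as an added illustrative model (not Nasdaq's, the CNIL's or any product's code): the chain holds only a salted SHA-256 commitment per record, while the record and its salt live in an erasable off-chain store. Erasure deletes the off-chain record and salt, so the on-chain commitment can no longer be verified against, or linked to, any person; rectification erases the old entry and anchors the corrected one in a new block. Class and method names are hypothetical.

```python
"""Off-chain personal data anchored by on-chain commitments (hypothetical model)."""
import hashlib
import json
import secrets

GENESIS = "0" * 64


class CommitmentLedger:
    """Append-only, hash-linked chain of commitments; personal data stays off-chain."""

    def __init__(self):
        self.chain = []       # on-chain: immutable list of {"prev", "commitment", "hash"}
        self.off_chain = {}   # off-chain: record_id -> (salt, record); this part is erasable

    @staticmethod
    def _commit(salt, record):
        # Hiding commitment: without the 32-byte random salt the hash cannot be
        # brute-forced back to low-entropy personal data such as a name or IBAN.
        return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()

    def _append(self, commitment):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        block_hash = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.chain.append({"prev": prev, "commitment": commitment, "hash": block_hash})
        return len(self.chain) - 1

    def record(self, record):
        """Store the record off-chain; anchor only its salted commitment on-chain."""
        salt = secrets.token_bytes(32)
        rid = self._append(self._commit(salt, record))
        self.off_chain[rid] = (salt, record)
        return rid

    def verify(self, rid, record):
        """Evidence that `record` is exactly what block `rid` committed to."""
        if rid not in self.off_chain:
            return False          # salt gone: the commitment can no longer be opened
        salt, _ = self.off_chain[rid]
        return self._commit(salt, record) == self.chain[rid]["commitment"]

    def erase(self, rid):
        """Right to erasure: drop the data and salt; the chain itself is untouched."""
        self.off_chain.pop(rid, None)

    def rectify(self, rid, corrected):
        """Right to rectification: erase the old entry, anchor the corrected one anew."""
        self.erase(rid)
        return self.record(corrected)

    def chain_valid(self):
        """Integrity check: every block links to its predecessor and hashes correctly."""
        prev = GENESIS
        for blk in self.chain:
            expected = hashlib.sha256((prev + blk["commitment"]).encode()).hexdigest()
            if blk["prev"] != prev or blk["hash"] != expected:
                return False
            prev = blk["hash"]
        return True
```

The chain never shrinks and stays internally consistent after erasure, which is the property the CNIL approach relies on: immutability of the ledger is preserved while the personal data it evidences ceases to exist.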

Whether these "in principle" mechanisms legally equate to the fulsome rights provided by GDPR is uncertain, requiring further analysis and ultimately resolution by the EDPB.

An Important First Step, but More is Needed

As the Blockchain Forum rightly states: "[T]here is no such thing as a GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications."

The same could be said of any technology that processes personal data - many of the same issues of security, transparency and data subject rights that have been raised in the context of blockchain face other types of existing technology.

What makes blockchain unique compared to legacy technologies is its newness; while blockchain has enormous upside potential, it will require significant investment and willingness by companies to be first-adopters to realize that. 

Where there remains uncertainty about how to develop blockchain solutions that satisfy GDPR's requirements, even innovative companies may be unwilling to take those steps. The work by the CNIL and the Blockchain Forum is an important first step in removing this uncertainty.

We agree with the Blockchain Forum that an important next step would be to increase the understanding of potential blockchain use cases and the impact that interpretations of certain GDPR requirements could have on those uses.

This understanding could then help drive effective dialogue between the EDPB, national regulators, privacy advocates, industry, technology innovators and other stakeholders to develop the consensus needed for a practical, comprehensive regulatory approach to blockchain that protects the vital rights and interests contained within the GDPR while enabling the positive benefits that blockchain can deliver.

Michael Kallens is Senior Associate General Counsel, Nasdaq; Markus Mild is Regulatory Strategist, Nasdaq Europe; and Johan Toll is Head of Digital Assets, Market Technology, Nasdaq.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.