Blockchain and Personal Data Protection: The PDPC Guide — Privacy Ninja

Blockchain and Personal Data Protection: The PDPC Guide

What is a blockchain?

Permissionless vs. Permissioned Networks

  • Who can join and participate in the network; and
  • What those entities can do on the network (e.g., what data they can write, use or disclose on that network).

Organisation’s roles in a blockchain network

Personal data protection risks and considerations that might arise with blockchains

Accountability Issues

Transfer Limitation Obligation

Consent and Purpose Limitation

Immutability Issues

Considerations and recommendations for personal data on permissionless blockchain networks

  • Every node in the network has a copy of any personal information that is put on the chain. This means that anyone in the public who is part of the permissionless network can access and use the data.
  • Since there is no operator in charge of a permissionless network, it is not possible to claim data ownership or make participants protect personal information written on-chain.
  • You also can’t control or even know where the nodes of a permissionless network are located. This makes it hard for any responsible organisation to figure out how well personal data written on-chain is protected.

Accountability Issues on Permissionless Networks

  • Conduct re-identification attacks in which anonymized datasets are analysed to determine the identity of the associated data subjects; or
  • Decrypt encrypted data uploaded to the blockchain using brute-force attacks or emerging methods such as quantum decryption.

Immutability Issues on Permissionless Networks

Considerations and recommendations for personal data on permissioned blockchain network

Accountability issues on permissioned networks

  • Admitting participants only from jurisdictions with comparable standards of protection;
  • Ensuring binding contractual obligations for comparable protection through consortium agreements between the operator and participants; or
  • Requiring participants to obtain specified certification such as the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP).
  • Inserting new entries with encrypted, revised data; and
  • Requiring the secure disposal of decryption keys for obsolete data by other participants, rendering the data unreadable.

Immutability issues on permissioned networks

Using off-chain approaches to further mitigate personal data protection risks on permissionless or permissioned networks



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Privacy Ninja

Privacy Ninja

Privacy Ninja is Singapore’s leading cybersecurity & data protection firm offering the most affordable services, like outsourced Data Protection Service & VAPT.