GDPR Controllers and Processors: A Deep Dive into Data Subject Rights and Security

For a brief introduction to GDPR and Blockchain, please click here.

The purpose of updating the GDPR was two-fold. It was intended to address changes in electronic data and create regulatory requirements on its privacy and secondly to give that control back to individuals. It worked well and strengthened the individual’s rights against those who processed their data. GDPRs’ effect on the chosen format you picked to register on a blockchain can also affect the exercise of individual rights.

Data Subject Rights

Some of these rights are entirely compatible concerning blockchain. One example is the right to be informed, which can quickly be complied with by having the data controller provide the exact information that is accessible and in clear terms before the data is submitted. The same also applies to:

Right of access: Gives individuals rights to obtain a copy of their personal data about them as well as any supplementary information. Individuals would understand how and why data is used about them and to check if the processing of that data is lawful.

Right of portability: This gives data subjects the right to receive back all the personal data they provided to a controller. This data is to be formatted in a commonly used and readable format.

There are other data subject rights that do present a bit of a challenge in the context of blockchain. Specifically:

Right to erasure: (commonly known as the ‘right to be forgotten’) The individual will have all rights to obtain their personal data from a controller without delay and the controller is obligated to erase their copy of the data. If the controller has shared the data, (as in if made public), they will take reasonable steps to notify other data controllers to remove the individual’s personal data as well.

Right to object: All EU citizens have the right to object to the processing of their personal data, for example, if it is for direct marketing purposes, or if a task is carried out in the public interest, or if it is only in the interest of the data controller. Basically, EU citizens have the absolute right to ask data controllers to stop processing their personal data, full-stop.

Right rectification (rectify): This is where all EU citizens have the right to have inaccurate personal data about them rectified, though it will depend on the processing purposes. In some cases, this may involve appending the correction as a supplementary statement rather than changing the original data.

Using a similar technique to risk minimization would be necessary when choosing the proper cryptological method to store data that allows the individuals personal information as close to exercising their GDPR rights as possible. The right to request erasure is impossible once data is registered to a blockchain. The work-around does involve the data controller generating a ciphertext, for example to make the data practically impossible to access, therefore achieving the effects of erased data.

When we look at the right to rectification, we know it is impossible in a blockchain to modify the data in a block. The data controller must enter the updated data in a new block. Although it is possible in a blockchain to cancel an initial transaction, the first transaction in this chain will still appear regardless. In this case, the same solution used in the right to request erasure would be implemented to the erroneous data.


When we look at security requirements in the different properties of a blockchain ((transparency, decentralization, tamper-proof and disintermediation) we see they rely on two factors: the number of participants and miners and a set of cryptological mechanisms.

Regarding permissioned blockchains, depending on the divergence potential or the convergence of participating actor interests, an evaluation of the least number of miners to prevent a coalition controlling over 50 percent of networking power over the chain itself is recommended. As an illustration of this point, recent cases indicate that a single entity or individual with greater than 50 percent of networking computer power can edit the blockchain transaction history.

Yet it is the exchange level where the majority of blockchain “hacks” occur. These threats can be mitigated using industry standard security practices to date. Therefore, it remains vital to set out your technical and organizational security procedures to limit the impact of a potential algorithm or security failure on transactions and exchanges. This would also include implementing an emergency plan to enable algorithms to be changed when a vulnerability is identified. Any organization implementing a public blockchain must be vigilant to newly identified threats in the context of smart contracts in particular, since source code is often publicly visible (on the blockchain).

All changes to software used to create and mine transactions needs to be documented. Technical and organizational steps should be set out to ensure parity between planned permissions and practical application. Note that if the blockchain is not public, measures still must be implemented to ensure confidentiality. Data controllers carrying out any processing through transactions on the blockchain need to ensure the security of keys used (i.e. that they are stored on secure media for example).

The security of blockchain overall is very robust. Once the system is well planned, steps were taken to proactively identify algorithm bugs, single entity or organizations were prevented from amassing a majority of the network power control, and there is an ever present eye on newly identified vulnerabilities, the integrity of the blockchain is in effect, ‘rock solid’.