'The margin between the edge of the world and infinite possibility' Blockchain, GDPR and information governance

Darra Hofman; Victoria Louise Lemieux; Alysha Joo; Danielle Alves Batista

摘要

Purpose - This paper aims to explore a paradoxical situation, asking whether it is possible to reconcile the immutable ledger known as blockchain with the requirements of the General Data Protection Regulations (GDPR), and more broadly privacy and data protection. Design/methodology/approach - This paper combines doctrinal legal research examining the GDPR's application and scope with case studies examining blockchain solutions from an archival theoretic perspective to answer several questions, including: What risks are blockchain solutions said to impose (or mitigate) for organizations dealing with data that is subject to the GDPR? What are the relationships between the GDPR principles and the principles of archival theory? How can these two sets of principles be aligned within a particular blockchain solution? How can archival principles be applied to blockchain solutions so that they support GDPR compliance? Findings - This work will offer an initial exploration of the strengths and weaknesses of blockchain solutions for GDPR compliant information governance. It will present the disjunctures between GDPR requirements and some current blockchain solution designs and implementations, as well as discussing how solutions may be designed and implemented to support compliance. Immutability of information recorded on a blockchain is a differentiating positive feature of blockchain technology from the perspective of trusted exchanges of value (e.g. cryptocurrencies) but potentially places organizations at risk of non-compliance with GDPR if personally identifiable information cannot be removed. This work will aid understanding of how blockchain solutions should be designed to ensure compliance with GDPR, which could have significant practical implications for organizations looking to leverage the strengths of blockchain technology to meet their needs and strategic goals. Research limitations/implications - Some aspects of the social layer of blockchain solutions, such as law and business procedures, are also well understood. Much less well understood is the data layer, and how it serves as an interface between the social and the technical in a sociotechnical system like blockchain. In addition to a need for more research about the data/records layer of blockchains and compliance, there is a need for more information governance professionals who can provide input on this layer, both to their organizations and other stakeholders. Practical implications - Managing personal data will continue to be one of the most challenging, fraught issues for information governance moving forward; given the fairly broad scope of the GDPR, many organizations, including those outside of the EU, will have to manage personal data in compkance with the GDPR. Blockchain technology could play an important role in ensuring organizations have easily auditable, tamper-resistant, tamper-evident records to meet broader organizational needs and to comply with the GDPR. Social implications - Because the GDPR professes to be technology-neutral, understanding its application to novel technologies such as blockchain provides an important window into the broader context of compliance in evolving information governance spaces. Originality/value - The specific question of how GDPR will apply to blockchain information governance solutions is almost entirely novel. It has significance to the design and implementation of blockchain solutions for recordkeeping. It also provides insight into how well "technology-neutral" laws and regulations actually work when confronted with novel technologies and applications. This research will build upon significant bodies of work in both law and archival science to further understand information governance and compliance as we are shifting into the new GDPR world.

机译：目的-本文旨在探讨一个自相矛盾的情况，询问是否有可能使称为区块链的不变账本与通用数据保护法规（GDPR）的要求以及更广泛的隐私和数据保护相协调。设计/方法论/方法-本文结合了从档案理论角度考察GDPR的应用和范围的法律学研究和案例研究，从案例理论的角度研究了区块链解决方案，以回答几个问题，包括：区块链解决方案对组织造成（或减轻）了哪些风险处理受GDPR约束的数据？ GDPR原则和档案理论之间有什么关系？这两套原则如何在特定的区块链解决方案中保持一致？归档原理如何应用于区块链解决方案，以支持GDPR合规性？调查结果-这项工作将为符合GDPR要求的信息治理提供区块链解决方案的优缺点的初步探索。它将提出GDPR要求与当前一些区块链解决方案设计和实现之间的脱节，并讨论如何设计和实施解决方案以支持合规性。从可信任的价值交换（例如加密货币）的角度来看，记录在区块链上的信息的不变性是区块链技术的一个与众不同的积极特征，但如果无法删除个人身份信息，则可能使组织面临违背GDPR的风险。这项工作将有助于理解如何设计区块链解决方案以确保符合GDPR，这对于希望利用区块链技术的优势以满足其需求和战略目标的组织可能具有重大的实际意义。研究局限性/含义-区块链解决方案社交层的某些方面，例如法律和商业程序，也已广为人知。数据层及其在像区块链这样的社会技术系统中如何作为社会和技术之间的接口，人们还不太了解。除了需要对区块链的数据/记录层和合规性进行更多研究之外，还需要更多的信息治理专业人员，他们可以在这一层上为组织和其他利益相关者提供输入。实际意义-管理个人数据将继续成为信息治理向前发展中最具挑战性，最棘手的问题之一；鉴于GDPR的范围相当广泛，因此许多组织（包括欧盟以外的组织）都必须按照GDPR来管理个人数据。区块链技术在确保组织具有易于审核，防篡改，不易篡改的记录以满足更广泛的组织需求并符合GDPR方面可以发挥重要作用。社会意义-由于GDPR自称是技术中立的，因此了解其在诸如区块链之类的新技术中的应用将为深入了解不断发展的信息治理空间中的合规性提供重要的窗口。原创性/价值-GDPR将如何应用于区块链信息治理解决方案的特定问题几乎是全新的。这对用于记录保存的区块链解决方案的设计和实施具有重要意义。它还提供了在面对新技术和新应用时“技术中立”的法律和法规实际如何运作的见解。这项研究将建立在法律和档案科学领域的重要工作基础上，以进一步了解信息治理和合规性，因为我们正在进入新的GDPR世界。

'The margin between the edge of the world and infinite possibility' Blockchain, GDPR and information governance

摘要

著录项

相似文献

相关主题

期刊订阅