“The margin between the edge of the world and infinite possibility”. Blockchain, GDPR and information governance

Publication Date: 11 Mar 2019
Pages: 240-257
DOI: https://doi.org/10.1108/RMJ-12-2018-0045
Author: Darra Hofman, Victoria Louise Lemieux, Alysha Joo, Danielle Alves Batista
Subject: Information & knowledge management, Information management & governance
Darra Hofman, Victoria Louise Lemieux, Alysha Joo and
Danielle Alves Batista
University of British Columbia, Vancouver, Canada
Abstract
Purpose: This paper aims to explore a paradoxical situation, asking whether it is possible to reconcile the
immutable ledger known as blockchain with the requirements of the General Data Protection Regulations
(GDPR), and more broadly privacy and data protection.
Design/methodology/approach: This paper combines doctrinal legal research examining the GDPR's
application and scope with case studies examining blockchain solutions from an archival theoretic
perspective to answer several questions, including: What risks are blockchain solutions said to impose (or
mitigate) for organizations dealing with data that is subject to the GDPR? What are the relationships between
the GDPR principles and the principles of archival theory? How can these two sets of principles be aligned
within a particular blockchain solution? How can archival principles be applied to blockchain solutions so that
they support GDPR compliance?
Findings: This work will offer an initial exploration of the strengths and weaknesses of blockchain
solutions for GDPR compliant information governance. It will present the disjunctures between GDPR
requirements and some current blockchain solution designs and implementations, as well as discussing how
solutions may be designed and implemented to support compliance. Immutability of information recorded on
a blockchain is a differentiating positive feature of blockchain technology from the perspective of trusted
exchanges of value (e.g. cryptocurrencies) but potentially places organizations at risk of non-compliance with
GDPR if personally identifiable information cannot be removed. This work will aid understanding of how
blockchain solutions should be designed to ensure compliance with GDPR, which could have significant
practical implications for organizations looking to leverage the strengths of blockchain technology to meet
their needs and strategic goals.
Research limitations/implications: Some aspects of the social layer of blockchain solutions, such as
law and business procedures, are also well understood. Much less well understood is the data layer, and how it
serves as an interface between the social and the technical in a sociotechnical system like blockchain. In
addition to a need for more research about the data/records layer of blockchains and compliance, there is a
need for more information governance professionals who can provide input on this layer, both to their
organizations and other stakeholders.
Practical implications: Managing personal data will continue to be one of the most challenging, fraught
issues for information governance moving forward; given the fairly broad scope of the GDPR, many
organizations, including those outside of the EU, will have to manage personal data in compliance with the
GDPR. Blockchain technology could play an important role in ensuring organizations have easily auditable,
tamper-resistant, tamper-evident records to meet broader organizational needs and to comply with the GDPR.
Social implications: Because the GDPR professes to be technology-neutral, understanding its
application to novel technologies such as blockchain provides an important window into the broader context
of compliance in evolving information governance spaces.
This paper was funded under a Mitacs Accelerate Project Grant (IT12057) on Blockchain-based
Consent Management for Personalized Medicine. The authors would like to thank our industry
partner, MolecularYou, and our fellow research team members Dean Regier, Samantha Pollard, Deidre
Weyman, Hoda Hamouda, Ravneet Kaur, Usman Mukaty, Wen Pan, Adrian Bogdan and Greg McLeod.
Received 13 December 2018
Revised 3 January 2019
Accepted 4 January 2019
Records Management Journal
Vol. 29 No. 1/2, 2019
pp. 240-257
© Emerald Publishing Limited
0956-5698
DOI 10.1108/RMJ-12-2018-0045
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/0956-5698.htm
Originality/value: The specific question of how GDPR will apply to blockchain information governance
solutions is almost entirely novel. It has significance to the design and implementation of blockchain solutions
for recordkeeping. It also provides insight into how well technology-neutral laws and regulations actually
work when confronted with novel technologies and applications. This research will build upon significant
bodies of work in both law and archival science to further understand information governance and
compliance as we are shifting into the new GDPR world.
Keywords: Privacy, Blockchain, Distributed ledger technology, General data protection regulations
Paper type: Research paper
Introduction
The arguments for, and challenges of, information governance are fairly well-known at this
point: information is a vital asset that must be managed properly to reduce risk, ensure
compliance, support decision-making and improve strategy (Naylor, 1993). Of course,
meeting such broad objectives has led to the emergence of information governance as:
[...] an all-encompassing term for how an organization manages the totality of its information
[...] IG includes the set of policies, processes, and controls to manage information in compliance
with external regulatory requirements and internal governance frameworks (Smallwood, 2015,
p. 6, emphasis in original).
Information governance (IG) is still very much a developing field, but one that:
[...] is capable of initiating a paradigm shift in the world of information management
[...integrating] elements and principles already exist[ing] under a well understood [Enterprise
Information Management] approach [with] enforced integration and highly connected interaction
(Hagmann, 2013, p. 229).
IG is broader than, but indivisible from, records and information management (RIM). All of
the IG models that Hagmann considers have an orientation toward RIM, including ARMA's
Generally Accepted Recordkeeping Principles (GARP®), which includes the principle of
privacy, a topic of growing concern to RIM professionals. Information and communication
technologies (ICT) contributed thus far to significant concerns about privacy and personal
data protection and a growing lack of trust in technology companies with business models
that rely on gathering, processing and commoditizing personal data. Within the European
Union, the response to these concerns has been to pass the General Data Protection
Regulations (GDPR), which came into effect on May 25, 2018, to provide better safeguards
for the protection of personally identifiable data.
Like the GDPR, blockchain technology has emerged out of individuals' lack of trust (e.g. in
centralized trust authorities). Blockchain seeks to by-pass centralized trust authorities to
enable individuals to transact with one another trustlessly, without reliance on the traditional
mediating trust authorities. While blockchain is being posited as a solution to the problem of
trust, paradoxically, a growing number of projects exploring the application of blockchain
technology for identity management and health recordkeeping raise questions about whether
blockchain solutions may lead to infringement of individuals' right to privacy, perversely
generating greater levels of social mistrust. This paper explores this paradoxical situation,
asking whether it is impossible to reconcile the immutable ledger known as blockchain with the
requirements of the GDPR, and more broadly privacy and data protection.
Methodology
This research used a critical interpretive synthesis (Dixon-Woods et al., 2006; McFerran et al.,
2017) of the archival, legal, organizational and computer science literature to establish the