“The margin between the edge of
the world and infinite possibility”
Blockchain, GDPR and information governance
Darra Hofman, Victoria Louise Lemieux, Alysha Joo and
Danielle Alves Batista
University of British Columbia, Vancouver, Canada
Purpose – This paper aims to explore a paradoxical situation, asking whether it is possible to reconcile the
immutable ledger known as blockchain with the requirements of the General Data Protection Regulations
(GDPR), and more broadly privacy and data protection.
Design/methodology/approach – This paper combines doctrinal legal research examining the GDPR’s
application and scope with case studies examining blockchain solutions from an archival theoretic
perspective to answer several questions, including: What risks are blockchain solutions said to impose (or
mitigate) for organizations dealing with data that is subject to the GDPR? What are the relationships between
the GDPR principles and the principles of archival theory? How can these two sets of principles be aligned
within a particular blockchain solution? How can archival principles be applied to blockchain solutions so that
they support GDPR compliance?
Findings – This work will offer an initial exploration of the strengths and weaknesses of blockchain
solutions for GDPR-compliant information governance. It will present the disjunctures between GDPR
requirements and some current blockchain solution designs and implementations, as well as discussing how
solutions may be designed and implemented to support compliance. Immutability of information recorded on
a blockchain is a differentiating positive feature of blockchain technology from the perspective of trusted
exchanges of value (e.g. cryptocurrencies) but potentially places organizations at risk of non-compliance with
GDPR if personally identifiable information cannot be removed. This work will aid understanding of how
blockchain solutions should be designed to ensure compliance with GDPR, which could have significant
practical implications for organizations looking to leverage the strengths of blockchain technology to meet
their needs and strategic goals.
Research limitations/implications – Some aspects of the social layer of blockchain solutions, such as
law and business procedures, are also well understood. Much less well understood is the data layer, and how it
serves as an interface between the social and the technical in a sociotechnical system like blockchain. In
addition to a need for more research about the data/records layer of blockchains and compliance, there is a
need for more information governance professionals who can provide input on this layer, both to their
organizations and other stakeholders.
Practical implications – Managing personal data will continue to be one of the most challenging, fraught
issues for information governance moving forward; given the fairly broad scope of the GDPR, many
organizations, including those outside of the EU, will have to manage personal data in compliance with the
GDPR. Blockchain technology could play an important role in ensuring organizations have easily auditable,
tamper-resistant, tamper-evident records to meet broader organizational needs and to comply with the GDPR.
Social implications – Because the GDPR professes to be technology-neutral, understanding its
application to novel technologies such as blockchain provides an important window into the broader context
of compliance in evolving information governance spaces.
This paper was funded under a Mitacs Accelerate Project Grant (IT12057) on “Blockchain-based
Consent Management for Personalized Medicine”. The authors would like to thank our industry
partner, MolecularYou, and our fellow research team members Dean Regier, Samantha Pollard, Deidre
Weyman, Hoda Hamouda, Ravneet Kaur, Usman Mukaty, Wen Pan, Adrian Bogdan and Greg McLeod.
Received 13 December 2018
Revised 3 January 2019
Accepted 4 January 2019
Vol. 29 No. 1/2, 2019
© Emerald Publishing Limited
The current issue and full text archive of this journal is available on Emerald Insight at: