Should blockchain tech be regulated more, or is it too late?

With the POPIA deadline fast approaching, the use of blockchain for storing personal information may have to come under scrutiny.

By Mervyn Mooi, Director of Knowledge Integration Dynamics (KID) and represents the ICT services arm of the Thesele Group.

Johannesburg, 23 Apr 2021

Read time 3min 30sec

Deloitte’s Global Blockchain Survey last year found that organisations’ concerns about blockchain technology are fading, with more businesses now investing in the technology in areas such as life sciences, government, banking and manufacturing.

However, the use of blockchain technology in mainstream business is still relatively new and unproven for use in areas such as the protection of personal information.

When it comes to compliance, blockchain supports legislation in that it provides consistent history, but it is not fully supportive of all the provisions of new protection of personal information legislation.

As we learned from the early coding days when there were certain logic produced that delivered startling and risky results such as “memory leaks” or “dangling pointers” because programmers had little coding standards, unpredictable or undesired behaviour can result from new applications of relatively unregulated technologies and open-source code. Considering this, should blockchain technology be regulated more, or is it too late?

As I have said before, blockchain technology may support some areas of data management very well, but it's not a silver bullet for compliance. Because blockchain technology is immutable, it can support transparency and audit, but this same immutability presents a challenge when companies attempt to align with legislative clauses on how and when data should be deleted.

The potential clash between the properties of blockchain and provision for the right to be forgotten in the European Union General Data Protection Regulation has sparked some debate in recent years.

Similarly, the Protection of Personal Information Act (POPIA) provides for the deletion of personal information that should no longer be retained. POPIA states that “a data subject may request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain”.

With the deadline for POPIA compliance only months away, this right to be forgotten should not be overlooked in compliance programmes.

With blockchain working in distributed nodes, secured by encryption and keys, personal information may be protected, but can these blocks be switched off? Probably not, unless you destroy the hardware.

The use of blockchain technology in mainstream business is still relatively new and unproven for use in areas such as the protection of personal information.

In aligning with privacy legislation, organisations must also consider who may access the data and who the privacy officer or accountable person is: in blockchains, entities other than the collecting organisation might control the data, with no one person accountable for it.

Ahead of the POPIA compliance deadline, organisations should be considering how they will secure, control access to and eventually delete personal information. They will need to revisit how personal data is processed and stored, and whether blockchain is indeed the technology best suited for this purpose.

Should blockchain be found fit for purpose, a need may arise to flag personal information protected by legislation, as well as any conditions attached to it to ensure it is handled correctly. Organisations may need to take a hybrid approach to using both blockchain and other platforms and technologies to remain compliant; they might look to the creation of a hybrid ‘editable’ blockchain; or industries may find it necessary to collaborate on private blockchains dedicated for the handling of customers’ personal information.

It may become necessary to detail exactly what constitutes forgotten (or deleted), and whether data locked in a blockchain may be seen as not available, and therefore compliant. Methods and measures should also be discussed to overcome the potential challenges of upholding a right to be forgotten, against any future need to use the data for audits and forensic investigations.

Subscribe to our Storage newsletter.

Mervyn Mooi

Director of Knowledge Integration Dynamics (KID) and represents the ICT services arm of the Thesele Group.

Mervyn Mooi is a director of Knowledge Integration Dynamics (KID). His competencies and focus is within data/information management and governance.

He has been in the ICT and data solutions industry for 38 years, beginning his career as an operator at the CICS bureau in Johannesburg in the early 1980s. Thereafter, he was appointed as a programmer at state-owned oil exploration and production company SOEKOR.

In 1986, Mooi joined Anglo American's head office ICT department where he remained for almost 12 years. Here he progressed to become a senior programmer, analyst, database administrator and technical support specialist.

After completing his degree in informatics, he then left to join Software Futures, where he worked as a senior consultant for 18 months in the data warehousing and business intelligence arena.

Mooi joined KID in 1999 as a data warehouse and business intelligence specialist. His experience in ICT disciplines includes operations, business and systems analysis, application development, database administration, data governance/management, data architecture/modelling, software support, data warehousing and business intelligence.