European forum offers tips for blockchain GDPR compliance
In Europe, many healthcare organizations are eager to use blockchain but are facing complications over how to protect data while using it under the latest law, the General Data Protection Regulation.
In a new report, the European Union Blockchain Observatory & Forum says that, while there are tensions and some uncertainty about how to protect data and use blockchain under GDPR, there are still ways to accomplish it.
WHY IT MATTERS
"Blockchain is considered to be one of the most disruptive new information technologies on the horizon today," said researchers from European Union Blockchain Observatory & Forum.
GDPR, written several years ago during the advent of blockchain, and effective as of this May, is designed to reach a balance between keeping data secure while still allowing its free movement.
The problem is, the law was written while blockchain was evolving, and so was based on the linear flow of information between providers and users. Because blockchain is based the decentralization of data, interpretation of GDPR when it comes to blockchain, is difficult.
This isn’t the first time such a quandary has presented itself, and there are many questions about how blockchain comports with an array of privacy laws.
"Just like there is no GDRP-compliant Internet, or GDPR-compliant artificial intelligence algorithm, there is no such thing as a GDPR-compliant blockchain technology," said forum researchers. “There are only GDPR-compliant use cases and applications.”
The forum notes that many of the GDPR’s requirements are easier to interpret and implement in private, permissioned blockchain networks than in public networks that don’t require permission.
It proposes these ways to walk that fine line of using blockchain and maintaining GDPR compliance:
- Start with the big picture. Determine how the user value is being created, how the data is being used and whether blockchain is really needed.
- Avoid storing personal data on a blockchain. Make full use of data encryption and aggregation to make the data anonymous.
- Collect personal data off-chain. Or, if the blockchain can’t be avoided, collect personal data on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
- Continue to innovate. But, be clear and transparent as possible with users.
THE LARGER TREND
GDPR is broader in its protections than HIPAA – and, even if it is somewhat unclear how to comply, U.S. providers will have to find a way to do so if they handle any data from EU residents.
We recently reported how two healthcare leaders from Germany suggest healthcare organizations embrace best practices for complying with GDPR. Florian Benthin, senior manager at Deloitte consulting, and Peter Gocke, chief digital officer at Charité Berlin, said figuring out which elements of compliance are already in place and which aren't should be the first step in GDPR readiness for every healthcare organization—whether in Europe or the U.S.
It is worthy to note, that not too many healthcare organizations are et fully ready in the U.S. to use blockchain, according to a recent HIMSS Analytics survey. Fewer than 15 percent of the 159 organizations HIMSS Analytics surveyed consider themselves well prepared for blockchain, while 60 percent say they'e moderately prepared.
ON THE RECORD
"For GDPR readiness, it is quite essential to work on a common process landscape," says Peter Gocke, chief digital officer at Charité Berlin, the largest university clinic in Europe. "Templates should be developed in order to achieve a consistent process documentation, and a good life cycle management should be established to keep the documentation and the technical measures derived from it up to date at all times."
Focus on Blockchain
For December we’ll dive deep to separate what’s really happening today from the marketing speak.
Diana Manos is a Washington, D.C.-area freelance writer specializing in healthcare, wellness and technology.
Healthcare IT News is a HIMSS Media publication.