Caught between a block and a hard place: Can GDPR and Blockchain co-exist?


The advantage of Blockchain’s immutability could also be a downfall when it comes to General Data Protection Regulation compliance

The accountancy industry is in the midst of a period of major technological change. Process automation, artificial intelligence and cloud-based technologies are transforming how we work. But, of all the advances being talked about, the most promising – and for some, the most worrying – is Blockchain. Integrating Blockchain into accountancy can deliver some incredible business benefits and the technology is currently being implemented in a variety of financial services organisations.

It’s no surprise, then, that the world’s leading accounting firms are exploring ways to implement Blockchain in their work. For example, in April PwC announced a blockchain auditing service, which looks to analyse Blockchain systems to ensure they’re working in a correct and efficient manner.

But first, what is Blockchain?

There are a number of explanations on what Blockchain is, but what is causing confusion is the difference between public and private Blockchain. Put simply, a public Blockchain is completely open and can be accessed by anyone, which implies little to no privacy and only supports a weak notion of security. On the other hand, private Blockchain networks require an invitation. Only the entities participating in a particular transaction will have knowledge of it or access to it.

The truth is, we’re just starting to understand how Blockchain can enhance operations and efficiency. This is in part due to its two main selling points.

Firstly, its decentralised system enables it to adopt a multi-server approach. So, when information on a node is saved, it is replicated and protected across several others, making it almost impossible to hack – if one node goes down there are others to protect data. However, it’s important to recognise that Blockchain is not completely impermeable; recent transactions in South Korea, for example, have been investigated due to suspicious money transfers.

The other USP, of course, is the fact that Blockchain indelibly records each stage of a transaction – in essence, it never forgets. Allowing uniquely identifiable users to store, view and share digital information in a secure way drives accountability, trust and transparency. In business, these qualities can’t be overlooked, and can help overcome fraudulent activity as the records can’t be changed – unlike more traditional forms of data.

How does it affect accountancy?

A major industry issue is the countless cases of auditing fraud happening globally. The current system has various defects related to conflicts of interest and the issue of trust, so a better system needs to be utilised, and this is where Blockchain technology can be implemented. It has great potential for the industry, but is not without pitfalls.

Whilst its decentralised database eliminates the mistrust toward unaudited financial statements, the advantage of Blockchain’s immutability could also be a downfall when it comes to General Data Protection Regulation compliance. Within minutes or even seconds, all the transactions conducted are verified, cleared and stored in a block that is linked to the preceding block, thereby creating a chain. Each block must refer to the preceding block to be valid. This structure permanently timestamps and stores exchanges of value, preventing anyone from altering the ledger.

Does this present a flaw?

One of the primary benefits of Blockchain technology is that the information uploaded, verified and stored on the Blockchain platform is immediately available to all network members. Whilst this represents a leap forward in efficiency, it also potentially opens the door to costly data breaches and hacks, especially if it pertains to financial information.

Furthermore, the recent implementation of the General Data Protection Regulation (GDPR) could, in fact, prove to be problematic in the case of Blockchain. This is because, on paper, significant rights under the GDPR are now in direct conflict with how Blockchain operates.

The legal rights I’m referring to are the right to be forgotten and the right to rectification. Under the GDPR, individuals have the right to request that their data is permanently deleted from a company’s records within a timely period (30 days), or that their data is edited to reflect the truth in the case of rectification. Whilst the right to rectification is less pertinent here, the right to be forgotten is key.

For most accountancy firms operating from a centralised database system, a deletion request should, in theory, be simple. All data that does not pertain to a business need must be removed. Whilst it’s true that firms will need to overcome common issues such as data dispersed across multiple servers, sourcing relevant data and deleting it permanently should be a task that firms are able to handle.

However, for Blockchain, this process is anything but simple. Its whole premise is built on the fact that records can’t be changed, so does this put it at odds with the GDPR? The decentralised system is a considerable issue here. If someone were to request the removal of their data from a chain, there would be significant logistical problems to overcome. Firstly, editing the chain breaks it, which then undoes the good of the ledger. There is also the fact that data is saved across multiple nodes, so truly deleting information would be a challenge, especially in a publicly operated Blockchain.

So, what’s the answer?

A possible solution to this is for Blockchain to modify how it operates. For example, it could implement a centralised back-end system, which would allow data to be anonymised without breaking any chains. This would get around the obvious issue, but would mean a significant overhaul of how the platform is operated.
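One way to read the "centralised back-end" idea above, as an added example rather than anything the article or a particular Blockchain product specifies: each block stores only a salted SHA-256 commitment, the personal record lives in an editable back-end store, and erasing that record leaves every block hash intact, whereas editing a block directly makes verification fail. The `Ledger` class, its method names and the sample records used with it are assumptions made for illustration.

```python
import hashlib, json, os

GENESIS = "0" * 64

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(block: dict) -> str:
    # A block's hash covers its position, its predecessor and its commitment.
    return h(f'{block["index"]}|{block["prev"]}|{block["commitment"]}'.encode())

class Ledger:
    """Hypothetical ledger: immutable chain plus an editable back-end store."""

    def __init__(self):
        self.chain = []    # replicated, append-only blocks (no personal data)
        self.backend = {}  # centralised store: commitment -> (salt, record bytes)

    def append(self, record: dict) -> str:
        salt = os.urandom(16)  # stops low-entropy records being brute-forced
        payload = json.dumps(record, sort_keys=True).encode()
        commitment = h(salt + payload)
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        block = {"index": len(self.chain), "prev": prev, "commitment": commitment}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        self.backend[commitment] = (salt, payload)
        return commitment

    def verify_chain(self) -> bool:
        prev = GENESIS
        for block in self.chain:
            if block["prev"] != prev or block["hash"] != block_hash(block):
                return False  # an edited block no longer matches its hash
            prev = block["hash"]
        return True

    def read(self, commitment: str):
        entry = self.backend.get(commitment)
        if entry is None:
            return None  # record was erased; only the commitment remains
        salt, payload = entry
        if h(salt + payload) != commitment:
            raise ValueError("back-end record does not match the ledger")
        return json.loads(payload)

    def erase(self, commitment: str) -> bool:
        # Deletes salt and record together; the chain itself is untouched.
        return self.backend.pop(commitment, None) is not None
```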

In my view, though, the devil is in the detail. Whilst it does seem that the GDPR and Blockchain are on a collision course, there are other legal arguments which need addressing.

The argument can’t be pinned just on Blockchain’s ‘faults’ – we need to look at the wider legal issue. The GDPR centres on data controllers and the requirement to process data legally and fairly. In this instance, Blockchain is not the controller or processor, it’s the application. So, the argument needs to focus on who controls and processes the data – the companies. Firms operating private Blockchains control their implementation and use, so data responsibilities would lie with them. This will mean the nitty-gritty of the GDPR will determine data deletion requests. For example, is the business legally compelled to retain the data? For tax records, the data should be recorded for seven years as it may need referring to in years to come by HMRC. For other, more day-to-day uses, such as project management, the data will become obsolete, meaning it should be deleted.

So, the real focus needs to be how accountancy firms are using Blockchain and for what purposes. It’s clear from the above that while the GDPR and Blockchain don’t work in perfect harmony, legally they are not completely at odds.

As the GDPR becomes more ingrained in the day-to-day workings of the accountancy sector, firms will become more adept at responding to requests. One key test that the GDPR will have to stand against is time – we’ve seen how quickly technology adapts and it would not be a surprise if several iterations are needed, not only to incorporate new technologies (Artificial Intelligence for example), but also to address loopholes some individuals may look to exploit. After all, all new laws are watertight at first, but it’s not uncommon for bad actors to find their way around them.

So, for the accountancy industry, whilst transparency and auditing may seem at odds with Blockchain ideology, Blockchain recording systems do have the potential to help firms remain compliant and make it easier for auditors to step in. Increased transparency should continue to be sought despite the metaphorical blocks being in place.

Blockchain is transparent and fully audited – therefore there is close alignment to auditing and accountancy – if implemented correctly it would provide a much more robust solution that should in theory be able to prevent frauds or make their detection more likely.

 
