CIO Magazine Proposes an Out-Of-The-Box Method for GDPR Data Deletion

(The SSL Store, 07/01/2019) reports:

When a data subject appeals to your organisation for erasure of their personal data on one of those grounds, and you don’t have a superseding reason to keep it, not only are you obligated to delete it, but you’re also obligated to notify any partners you may have shared it with to delete it, too.

In an article of New Zealand’s edition of CIO Magazine, a group of lawyers discuss how the GDPR’s right to erasure jives with the immutability of data recorded on a blockchain. […]

Russell McVeagh (a prominent New Zealand-based law firm) lawyers Liz Blythe, Michael Taylor, Rachel O’Brien and Zoe Sims came up with a rather unique solution to the problem: how do you satisfy the GDPR’s right to erasure requirement on a blockchain? […]

“Could personal data stored on a blockchain be effectively ‘deleted’ by encrypting it and then destroying the private key so it can never be read? There is currently no firmly established answer, but there are reasons to be hopeful that this would be an acceptable solution.”

[…] but encrypting it is definitely not the way to go. And the reason for that is in their final “note of caution.”

“3. In theory, any type of encryption can be broken given enough time, energy and processing power. What is considered secure today may not be secure in the future. Merely encrypted data is therefore at risk – and working out the nature and extent of that risk will be an important part of the discussion.”

There will likely never be a completely unbreakable cryptosystem, and that itself is the fatal flaw with this suggestion.