Data Breach, Cambridge Analytica and Blockchain


We all know that data, our own personal data, is never truly safe and stored away under lock and key and turn a blind eye to what really happens to our data. We of course do care about who has our personal information and what they are doing with it though. The question is, whether blockchain can be the future?

It doesn’t take much delving into the subconscious to remember the Facebook and Cambridge Analytica story which saw over 50 + million Facebook users having their information mined, and the microtargeting of personal information by political campaigns across various jurisdictions.

We have previously reported on the use of blockchain technology being an answer to data protection with its use as a database ledger. The increasing concerns for how our data is being protected since the recent media hype allows us legally minded people and blockchain technology followers to point the answer to a method of securing sensitive information using a distributed ledger such as blockchain. This removes the need for centralised guardians that currently ‘apparently’ protect our data, thus removing the potential for cyber attacks that target the data to sell on. More importantly, as previously reported, the implementation of the General Data Protection Regulations has meant that we must conform or be sanctioned, and the application of blockchain for data protection could set itself apart from the rest.

Essentially, data breaches such as the Cambridge Analytica saga would be limited with a decentralised model, because not only would it put the control back in to the user, especially when it comes to social media, but also would have the backing of hashing, encryptions, and more importantly stored independently on every node. The only way to even have the slightest chance of sucking information from a blockchain ledger, would be to have absolute control over most of the nodes within the network (I’d like to see someone achieve that!!!!)

A potential issue

The use of blockchain will need to conform to the implementation of a data protection impact assessment. This is incredibly important to this report, because as a new technology, a risk assessment must be undertaken by the data controller and as highlighted in previous reports, this may be difficult to ascertain when there are co-controllers involved. If the impact assessment is carried out and identifies the ledger as a high risk, it will be referred to the Information Commissioners Office (ICO) for consideration. They highlight on their website that they will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases they may issue a formal warning not to process the data or ban the processing altogether. This authoritative statement would arguably be difficult to implement for a blockchain database because it is not something that is centralised and easily shut down. Consider the impact of a blockchain that holds sensitive information on a public ledger and deemed high risk, and the ICO attempting to identify all nodes on the network and trying to block each one systematically. It would be an impossible task, offering an insight into the dangers of trying to control a ledger that is designed to be uncontrollable. However, it is not being suggested that there should or can be no such onus on the users, controllers or processors to undertake a data protection impact assessment. On the contrary, it is very necessary and certainly important to ensure compliance with the GDPR and a data subject’s personal information to be able to legitimise the use of blockchain and convince users that it is safe and above board.

Also, note that a blockchain will not always solely hold the personal data solely so an impact assessment will need to be broken down. It is possible for the use of ‘off chains’ to work along-side a blockchain network and hold much larger data than stored on the block. Off chains are essentially separate databases which are stored locally and linked to the blockchain. An example would be when someone wishes to upload a document, or medical record to the blockchain, it will act as a transaction, with an I.D, using a smart contract that holds a description of the document, and its accompanying hash. This is cleverly validated by the smart contract and then the document will then be uploaded to the external database. The transaction will have a digital signature and time stamp of confirmation. The external database will naturally have its own security but may also have its own impact assessments to ensure its compliance with data protection regulations.


A complex change, but potentially a necessary one. The use of centralised bodies holding information is like dangling a carrot, inviting attackers in to steal information. As soon as people get their heads round this new technology, and start considering its potential, apply the relevant law and protective measures, it could be arguable the best infrastructure to keep individual’s data protected in the future.

share this Article

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email

Recent Articles