Olympus: a GDPR compliant blockchain system

Blockchain has been gaining significant interest in several domains. However, this technology also raises relevant challenges, namely in terms of data protection. After the General Data Protection Regulation (GDPR) has been published by the European Union, companies worldwide changed the way they pr...

Full description

Saved in:
Bibliographic Details
Published inInternational journal of information security Vol. 23; no. 2; pp. 1021 - 1036
Main Authors Gonçalves, Ricardo Martins, da Silva, Miguel Mira, da Cunha, Paulo Rupino
Format Journal Article
LanguageEnglish
Published Berlin/Heidelberg Springer Berlin Heidelberg 01.04.2024
Springer Nature B.V
Subjects
Blockchain
Coding and Information Theory
Communications Engineering
Computer Communication Networks
Computer Science
Cryptography
Cryptology
Data integrity
Data processing equipment
General Data Protection Regulation
Management of Computing and Information Systems
Networks
Operating Systems
Personal information
Privacy
Regular Contribution
Developing
Data privacy
IPFS
GDPR
Blockchain
Hyperledger fabric
Online AccessGet full text

Cover

More Information
Summary:Blockchain has been gaining significant interest in several domains. However, this technology also raises relevant challenges, namely in terms of data protection. After the General Data Protection Regulation (GDPR) has been published by the European Union, companies worldwide changed the way they process personal data. This project provides a model and implementation of a blockchain system to store personal data complying with GDPR. We examine the advantages and challenges and evaluate the system. We use Hyperledger Fabric as blockchain, Interplanetary File System to store personal data off-chain, and a Django REST API to interact with both the blockchain and the distributed file system. Olympus has three possible types of users: Data Subjects, Data Processors and Data Controllers and a fourth participant, Supervisor Authority, that, despite not being an explicit role, can perform all verifications that GDPR mandates. We conclude that it is possible to create a system that overcomes the major challenges of storing personal data in a blockchain (Right to be Forgotten and Right to Rectification), while maintaining its desirable characteristics (auditability, verifiability, tamper resistance, distributed—remove single points of failure) and complying with GDPR.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1615-5262
1615-5270
DOI:10.1007/s10207-023-00782-z