It is my understanding that hashed data is still included as personal data under GDPR. As the data is being stored on the blockchain, doesn’t that mean the system will not be GDPR compliant, as it’s not possible to delete the data if a user requests it?
Hi Stuart,
So I consulted with someone on the team who’s more knowledgeable than me on the subject of GDPR.
The general take is that if the hash is only about one piece of data (i.e., name, date of birth, etc.) and you can brute force it to match a hash, then yes, it is not a viable way to hide PII.
In the case of Blockcerts though, the hash is a combination of various information, not only PII, but also any sort of data and metadata (even a nonce, for instance) that the issuer puts into the document. With that in mind, it becomes virtually impossible to deduce/correlate a portion of PII that would match a hash of a document.
Here is an article that can bring a bit more information on the subject: Is it possible for data that has undergone hashing to still be considered “personal information?” | Bryan Cave Leighton Paisner
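
The contrast drawn in the reply above, as an added example that is not part of the original thread and is not Blockcerts code: a SHA-256 hash of a bare date of birth is matched by enumerating every possible date, while the same enumeration finds nothing against a hash of a whole document that carries a random nonce. The sample record, the field names and the sorted-key JSON serialization are assumptions made for illustration.

```python
import hashlib
import json
import secrets
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dob_candidates(first_year=1900, last_year=2025):
    """Every ISO date in the range: the entire input space of a date-of-birth field."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        yield day.isoformat()
        day += timedelta(days=1)


def match_single_field(target_hash: str):
    """Return (value, guesses) if target_hash is the hash of a bare date, else (None, guesses)."""
    guesses = 0
    for candidate in dob_candidates():
        guesses += 1
        if sha256_hex(candidate.encode()) == target_hash:
            return candidate, guesses
    return None, guesses


def document_hash(document: dict) -> str:
    """Hash of the whole document. Sorted-key JSON is an assumed stand-in for canonicalization."""
    return sha256_hex(json.dumps(document, sort_keys=True).encode())


# Constructed sample data (hypothetical field names, not a real credential).
SAMPLE_DOB = "1987-06-14"
SAMPLE_DOCUMENT = {
    "recipient": {"name": "Alex Example", "dateOfBirth": SAMPLE_DOB},
    "credential": "Constructed Certificate",
    "issuedOn": "2020-01-01T00:00:00Z",
    "nonce": secrets.token_hex(16),  # 128 random bits added by the issuer
}

if __name__ == "__main__":
    # Bare field: recovered within at most 46,021 guesses (all days 1900-2025).
    print(match_single_field(sha256_hex(SAMPLE_DOB.encode())))
    # Whole document with nonce: the same enumeration exhausts the space and finds nothing.
    print(match_single_field(document_hash(SAMPLE_DOCUMENT)))
```

The protection depends on the nonce being random and on the document itself staying off-chain: anyone who holds the full document can recompute its hash and link it to the on-chain value.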