General data protection regulation (GDPR) considerations

General Data Protection Regulation (GDPR) (https://gdpr-info.eu/) is an EU law that defines how personal data is acquired, processed, and ultimately erased from a computing system. The definition of personal data in GDPR is quite broad—examples include name, email address, and IP address.

Blockchain, by design, creates an immutable, permanent, and replicated record of the data. A blockchain network based on Hyperledger Fabric has all three of these properties. Storing personal data on a blockchain network, where it cannot be deleted or modified, can therefore be challenging from the perspective of GDPR. It is equally important to know who that personal data is shared with.

The channel and the channel private data features of Hyperledger Fabric provide a mechanism for determining the entities with which data is shared. In the case of channel private data, the data itself is never stored on the blockchain; only its cryptographic hashes are stored on the chain. Through a governance process, peers can determine the other peers to share this data with. The channel private data feature in Hyperledger Fabric can therefore potentially provide a mechanism to store personal data off the chain and to determine who this data is shared with, while maintaining the integrity of this data through cryptographic hashes stored in the blockchain.
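The following added example (not from the book and not Hyperledger Fabric code) models the off-chain data and on-chain hash split described above in plain Python: the ledger only ever receives hashes, authorized peers verify their private copy against the chain, and erasing the copy leaves the ledger untouched. The `Ledger` and `PrivateStore` classes and the per-record random salt are assumptions made for illustration; the salt is included so that a predictable value cannot be confirmed by hashing a guess and comparing it with the ledger.

```python
import hashlib
import os

SALT_LEN = 16  # assumption: random salt prepended to every private value

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Ledger:
    """Append-only stand-in for the channel ledger; it only ever sees hashes."""
    def __init__(self):
        self._entries = []  # (key_hash, value_hash) tuples, never removed

    def append(self, key_hash: bytes, value_hash: bytes) -> None:
        self._entries.append((key_hash, value_hash))

    def value_hash_for(self, key_hash: bytes):
        for k, v in reversed(self._entries):  # latest write wins
            if k == key_hash:
                return v
        return None

class PrivateStore:
    """Off-chain store held only by the peers authorized to see the data."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self._data = {}

    def put(self, key: str, personal_data: bytes) -> None:
        # Salting stops a reader of the ledger from confirming a guessed
        # value (an email address, say) by hashing it and comparing.
        record = os.urandom(SALT_LEN) + personal_data
        self._data[key] = record
        self.ledger.append(sha256(key.encode()), sha256(record))

    def get_verified(self, key: str):
        record = self._data.get(key)
        if record is None:
            return None  # erased or never held by this peer
        if sha256(record) != self.ledger.value_hash_for(sha256(key.encode())):
            raise ValueError("private data does not match the on-chain hash")
        return record[SALT_LEN:]

    def erase(self, key: str) -> None:
        # Removes the off-chain copy (salt included); the ledger is untouched.
        self._data.pop(key, None)
```

After `erase`, the hash entry is still on the ledger, but without the deleted salt and value it can no longer be matched to the personal data it once covered.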

Hyperledger Fabric also stores the X.509 certificate of the entity creating the transaction in the digital ledger. These X.509 certificates can contain personal data. With version 1.1, Hyperledger Fabric provides a mechanism to prove identity based on zero-knowledge proofs, while hiding the actual value of the attribute. These zero-knowledge proof-based credentials are then stored in the ledger in lieu of a traditional X.509 certificate and can potentially help towards GDPR compliance.
