Because blockchain relies on a distributed ledger system that is decentralized and immutable, it's intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority. This is what makes it such an attractive and useful technology. But because data stored on the blockchain, including personal data, can't be deleted, there is no way to exercise the right to erasure that people are granted under GDPR. Blockchain is not designed to be GDPR-compatible. Or rather, GDPR is not blockchain-compatible the way it is written today.
A quite interesting paper about thisissue has been published on the World Economic Forum site by Anne Toth Head of Data Policy,
It's a good, valid question and the article is also a very good read!
It does have a point. It would appear that blockchain defeats the purpose of what GDPR is trying to accomplish but I believe everything is on the way you implement things.
For example: If I decide to integrate my ERP with any blockchain, would I need to have people's data in the blockchain? I don't think it has to be that way; not everything has to be "blockchained". What I would do is assign an ID number to that particular person, keep their data off-chain and everything else in the blockchain. When a person wishes to exercise their right to be forgotten, my ERP could very well get rid of their personal, identifiable data, and only a number would still be attached to everything else regarding, say, number of purchases, which items per purchase or per visit to the website, etc. without specifically identifying the person.
Governments have a lot to do when it comes to regulation and overall handling of blockchain technology but I believe it's the ones who are starting to build things who must be very creative in their ways of implementing such changes in order not to shoot themselves in the foot; nobody want to be in non-compliance, but everybody's in for the hype! I, for one, think there's room for both.
Michele Finck of Oxford University has pointed out in Blockchains And Data Protection In The European Union that blockchain data relating to a person that has been encrypted or hashed still qualifies as personal data under EU law. That makes it subject to the right to access, amend or delete such data guaranteed by the GDPR.