The GDPR aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The General Data Protection Regulation (2016/679) is an EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. Since the GDPR also governs the export of personal data outside the EU and EEA, its first implication for blockchain is the global, borderless transfer of personal data that such networks entail.
Enter Blockchain
In other words, the GDPR is not a fixed list of implementation and control processes. It is a framework that allows data controllers and data processors to carry out their roles and responsibilities in a manner that protects the rights and freedoms of each data subject. Therefore, GDPR compliance can only be measured on a case-by-case basis.
When the GDPR's rules are implemented on old legacy systems, the result is neither technology-friendly nor technology neutral. Whatever the manner in which compliance technology is deployed to serve a particular GDPR process, the key question is whether that technology can be GDPR compliant at all. The same applies to the new blockchain technology.
Given the current lack of in-depth understanding of blockchain technology and the uncertainty of interpretation of the GDPR’s requirements, there is a need for a few court verdicts to reveal how the use of blockchain technology and the application of the GDPR can be evolved to ensure compliance.
DPIA and Information Security Assessments
The European Data Protection Board has stated that the use of new or innovative technology in itself does not trigger the need to conduct a DPIA. However, when a new technology is combined with another processing factor, the data processing risk may be raised to a high level.
In any case, we recommend a proactive assessment: a customised data protection impact assessment (DPIA) of the privacy implications, alongside an initial information-security risk assessment (with regular re-assessments), is critical to enable GDPR compliance for blockchain technology.
The EU Commission's conclusion is that blockchain technology is subject to the GDPR. The million-dollar question remains whether blockchain and the GDPR are compatible. Therefore, a step-by-step approach must be taken, monitoring each case-by-case implementation to assess GDPR compliance.
Blockchain technology is one of the most innovative technological systems, but it is hyped and still not well understood.
10-point action plan
After the above initial considerations, there is a need to go further into the GDPR engine room to determine compliance. The following is a 10-point checklist to evaluate GDPR compliance:
Continuously assess, evaluate and improve
GDPR's articles 24 and 32 require data controllers and processors to maintain, evaluate and improve their organisational and technical controls to mitigate the risks posed by their data processing activities. These include privacy-related risks (e.g. the reversal risk or linkability risk of personal data even in encrypted or hashed format); cybersecurity risks (e.g. vulnerabilities of the underlying infrastructure, the blockchain software, malicious users, etc.); and the risks related to the "no trust" environment. Implement the measures necessary to address these risks (e.g. penetration and vulnerability testing of the applied solution; examination of the data subject rights management process; data breach test simulations…).
When all of the above GDPR issues are resolved, there are further implications to be addressed at the design stage of the blockchain. The company must be aware of the nature of smart contracts, as many of these contracts may fall under the provisions on automated decision making under the GDPR, and human intervention would hinder the advantages of executing smart contracts.
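As an added illustration of the reversal and linkability risks named above (example code written for this edit, not taken from the NIST or EUBOF papers or from any blockchain project): an unkeyed hash of a low-entropy identifier can be reversed simply by enumerating the candidate space, and the same digest recurs in every record, so it remains linkable. The keyed HMAC with the key held off-chain and the per-record salt are the assumed mitigations; the phone-number pool is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample: a small pool of candidate identifiers standing in for a
# low-entropy attribute (here, phone numbers in one assumed numbering range).
CANDIDATE_PHONES = [f"+3270000{n:04d}" for n in range(10000)]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of a personal identifier, as often written on-chain."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym; the key stays off-chain with the controller."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def salted_pseudonym(value: str, key: bytes, salt: bytes) -> str:
    """Per-record salt so the same identifier yields unlinkable pseudonyms."""
    return hmac.new(key, salt + value.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(digest: str, candidates: Iterable[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """DPIA check: can `digest` be recovered by enumerating the candidate space
    with a function the outside observer is able to compute?"""
    for c in candidates:
        if fn(c) == digest:
            return c
    return None


def assess(value: str) -> dict:
    """Compare the three encodings of one identifier against both risks."""
    key = secrets.token_bytes(32)          # never published on the ledger
    d_plain = plain_hash(value)
    d_keyed = keyed_pseudonym(value, key)
    s1, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        # Unkeyed hash: the observer recomputes SHA-256 over the pool and wins.
        "plain_reversed": reverse_by_enumeration(d_plain, CANDIDATE_PHONES, plain_hash),
        # Keyed hash: without the key the observer can only try unkeyed hashes.
        "keyed_reversed": reverse_by_enumeration(d_keyed, CANDIDATE_PHONES, plain_hash),
        # Linkability: does the same identifier produce the same value twice?
        "plain_linkable": plain_hash(value) == d_plain,
        "salted_linkable": salted_pseudonym(value, key, s1) == salted_pseudonym(value, key, s2),
    }
```

Running `assess("+32700004242")` recovers the number from the plain hash but not from the keyed one, and only the unsalted forms are linkable across records.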
Sources: The NIST and the EUBOF papers on Blockchain compliance