The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It applies to any organisation, wherever it is established, that collects or processes the personal data of individuals in the EU, and it also governs the export of personal data outside of the EU. GDPR aims principally to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. GDPR was adopted on April 14th, 2016 and, after a two-year transition period, became enforceable on May 25th, 2018. It replaced the Data Protection Directive 95/46/EC (implemented in the UK by the Data Protection Act 1998), which set only minimum standards that each member state transposed in its own way.
The goal of the regulation is to give consumers greater protection, control and transparency as it relates to the personal data companies are collecting, processing, sharing and storing.
Following the compliance deadline of May 25th, 2018, some speculated that blockchain or distributed ledger technology (DLT) would conflict with GDPR requirements. The disagreement centred on three points:
- Open nature of data: Open or permissionless blockchains (e.g., Bitcoin, Ethereum) contain and maintain the complete history of information since inception, readable by anyone;
- Immutability of data: Distributed ledgers are append-only; information can be added, but information already on the blockchain cannot be modified or deleted;
- Blockchain as a primary database: Misconceptions also arose from the view that blockchain applications serve as the primary store for the data itself.
An updated understanding of blockchain is clearly required given the arrival of GDPR coupled with the widespread adoption of blockchain and distributed ledger technologies. When deployed properly and designed with privacy in mind, we view blockchain as a means of supporting GDPR compliance on several fronts.
On-chain vs. Off-chain
To preserve privacy, confidential and personal information should be kept off-chain in a conventional, access-controlled data store.
The only information written on-chain is a one-way cryptographic hash of the record (or of its metadata). This gives a tamper-evident, consensus-backed history of the data without exposing the data itself to other participants. One caveat: a bare hash of low-entropy personal data (an e-mail address, a name) can be recovered by hashing candidate values and comparing, so the hash should be computed over the record together with a random per-record salt that is kept off-chain; deleting the salt along with the record leaves the on-chain value unlinkable to the person.
Right of Erasure
A company that must comply with GDPR's "right to erasure" (Article 17) can face challenges with an append-only ledger. Again, keeping personal information in a dedicated off-chain data store is the path to follow: the personal data can simply be deleted, while the ledger retains a complete and immutable history of the consent and subsequent information-handling activities, including the erasure itself, to demonstrate GDPR compliance.
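As an added example for the on-chain/off-chain split and the erasure flow described above (this is illustrative Python written for this page, not ULedger's code or API): a hash-chained Python list stands in for the ledger and a plain dict for the off-chain store, both of which are assumptions of the example, and the sample data subject and purpose are constructed. Only a salted commitment and event metadata ever reach the chain; erasure deletes the off-chain record and its salt and appends an erasure event, after which the chain still verifies and the history of the record is intact. The example also shows why the commitment must be salted: a bare hash of guessable personal data can be recovered from a dictionary of candidates.

```python
# Added illustration for this page (not ULedger's code): a hash-chained Python list
# stands in for the ledger and a dict for the off-chain store; both are assumptions.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commit_unsalted(record: dict) -> str:
    """Bare SHA-256 of a record: still personal data if the record is guessable."""
    return hashlib.sha256(canonical(record)).hexdigest()

def brute_force_unsalted(commitment: str, candidates: List[dict]) -> Optional[dict]:
    """Dictionary attack on a bare hash: whoever can guess the record recovers it."""
    return next((c for c in candidates if commit_unsalted(c) == commitment), None)

def commit(salt: bytes, record: dict) -> str:
    """HMAC-SHA256 keyed by a random per-record salt held off-chain: without the salt
    the on-chain value cannot be tested against guesses, so deleting the salt with
    the record unlinks the ledger entry from the person."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()

@dataclass
class Entry:
    index: int
    event: str        # CONSENT_GIVEN, ERASED, ...
    record_id: str    # opaque random id, not derived from personal data
    commitment: str   # hex HMAC of the off-chain record; "" for ERASED
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        body = f"{self.index}|{self.event}|{self.record_id}|{self.commitment}|{self.prev_hash}"
        return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained event log; it never holds personal data."""
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, event: str, record_id: str, commitment: str = "") -> Entry:
        prev = self.entries[-1].hash if self.entries else "0" * 64
        entry = Entry(len(self.entries), event, record_id, commitment, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Any edit or removal of a past entry breaks the chain (tamper evidence)."""
        prev = "0" * 64
        for entry in self.entries:
            if entry.prev_hash != prev or entry.hash != entry.compute_hash():
                return False
            prev = entry.hash
        return True

class ConsentService:
    """Personal data and salts live off-chain; the ledger holds only commitments."""
    def __init__(self) -> None:
        self.ledger = Ledger()
        self.off_chain: Dict[str, Tuple[bytes, dict]] = {}  # record_id -> (salt, data)

    def record_consent(self, subject_email: str, purpose: str) -> str:
        record = {"email": subject_email, "purpose": purpose}
        salt, record_id = secrets.token_bytes(16), secrets.token_hex(8)
        self.off_chain[record_id] = (salt, record)
        self.ledger.append("CONSENT_GIVEN", record_id, commit(salt, record))
        return record_id

    def verify_record(self, record_id: str) -> bool:
        """Recompute the commitment from the off-chain copy and compare it on-chain."""
        if record_id not in self.off_chain:
            return False
        salt, record = self.off_chain[record_id]
        given = [e for e in self.ledger.entries if e.record_id == record_id and e.event == "CONSENT_GIVEN"]
        return bool(given) and hmac.compare_digest(given[-1].commitment, commit(salt, record))

    def erase(self, record_id: str) -> None:
        """Right to erasure: delete data and salt off-chain, log the erasure on-chain."""
        del self.off_chain[record_id]
        self.ledger.append("ERASED", record_id)

def demo() -> dict:
    svc = ConsentService()
    rid = svc.record_consent("alice@example.com", "newsletter")  # constructed sample subject
    before = svc.verify_record(rid)
    svc.erase(rid)
    return {
        "verified_before_erasure": before,                  # True
        "verified_after_erasure": svc.verify_record(rid),   # False: nothing left to check
        "chain_intact": svc.ledger.verify_chain(),          # True: the history is untouched
        "history": [e.event for e in svc.ledger.entries if e.record_id == rid],  # ['CONSENT_GIVEN', 'ERASED']
        "email_on_chain": any("alice" in json.dumps(vars(e)) for e in svc.ledger.entries),
    }

if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of `demo()`: the record verifies before erasure, cannot be verified afterwards because nothing is left off-chain to check, yet the chain still validates and shows `CONSENT_GIVEN` followed by `ERASED` for that record. The `record_id` is random rather than derived from the subject, so the ledger entry itself carries no identifier that could later be matched to a person.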
Personal Information Processing & Consent
Under GDPR, the processing of personal information is only permissible where there is a lawful basis (Article 6); consent is one such basis. Where consent is relied on, the controller must be able to demonstrate that it holds the valid consent (freely given, specific, informed and unambiguous, and explicit for special categories of data) of the data subjects before processing their data. This is an enormous and challenging task, more demanding than it has been historically. Blockchain affords the ability to manage, track and, most importantly, prove consent activities, while removing the single point of failure of traditional systems, whose records are often siloed, outdated and not independently verifiable.
Data Controller Compliance
Under GDPR, the controller must be able to document and demonstrate compliance (the accountability principle, Article 5(2)). An immutable, transparent and trustworthy ledger of system activities significantly improves record keeping and the associated compliance activities. Provenance tracking also improves: the current state of the information and every change ever made to it are tracked and verifiable.
How ULedger Solutions Assist GDPR Compliance
- Personal Data Processing
Maintain control and transparency with a complete history of all transactions relating to personal data
- Right to be Forgotten
Prove through an immutable history log that data erasure requests have been satisfied
Track consent responsibilities with an immutable history log
- Data Portability
Prove that data portability requests were fulfilled and when the transmissions occurred
- Breach Notification
ULedger's tamper-detection notifications flag when a data log has been altered, supporting timely breach notification
- Privacy by Design
Prove that data processing was only for intended business purposes and that access was appropriate
- Access Rights
Transparency into the collection, processing and transmission of personal data, coupled with the ability to prove each of those activities through an immutable history log
- Data Protection
Keeps data protection responsibilities with the Data Protection Officer (DPO) and provides tools to protect personal data from misuse, unauthorized access and other security breaches