The GDPR was created to regulate how personal data is collected and processed on the web, in apps and on social media by companies whose competitive advantage rests on profiling their users. It can be read as a digital rights charter for individuals.
The possible relationships between GDPR and blockchain
The GDPR touches several areas that collide with the defining characteristics of a blockchain:
Data access and visibility – on a public blockchain, data written to the chain is visible to every participant and, in most cases, to anyone who downloads a copy of the ledger;
Data deletion – the chain is append-only and tamper-evident: once a record is committed it cannot be deleted without rewriting the chain, which the consensus mechanism exists to prevent;
Data immutability over time – records are retained indefinitely on every full node and cannot be modified, tampered with or removed;
Distributed data control – a blockchain is distributed, so control over the data is not centralised but shared by all participants, which makes it hard to identify the data controller the GDPR presupposes (and therefore who is responsible for appointing a Data Protection Officer);
Automated decision-making processes – smart contracts execute decisions automatically, so the GDPR's rules on automated individual decision-making, and this new form of data processing in general, must also be considered.
Blockchain and GDPR for a Security by Design
Blockchain designs can still serve the GDPR's data-protection-by-design principle through pseudonymisation (decoupling data from the individual's identity) and data minimisation (sharing only the data points strictly necessary).
A one-way cryptographic hash cannot be inverted directly, but this does not make hashed personal data anonymous: a hash of a low-entropy value such as an email address or a national ID number is recovered simply by hashing candidate values and comparing, so an unsalted hash is pseudonymisation at best. Likewise, unless one of the parties to a transaction links a public key to a known identity, transactions cannot be mapped to individuals or organisations. The consequence is that even on a "public" blockchain (where anyone can see every transaction) no directly identifying information is published; what is published is pseudonymous data, which remains personal data under the GDPR for as long as someone can link it back to a person.
Blockchain, GDPR and legislative issues
The GDPR introduces rules that a blockchain cannot always satisfy.
GDPR and Data Protection Officer – The GDPR introduces the figure of the DPO (Data Protection Officer), an expert in data protection law and practice who assists the controller or processor in monitoring internal compliance with the regulation. The DPO must have a good command of IT processes, data security and the other organisational aspects of storing and processing personal and sensitive data.
“When is it necessary to appoint a personal data controller? In the GDPR, the controller must be appointed in the event that the main processing activities require regular and systematic monitoring of data subjects on a large scale, if the activities include the large-scale processing of particular categories of personal data or of data relating to criminal convictions and offences, or when the processing is carried out by a public authority or a public body.”
Applicable law and jurisdiction – In the event of a dispute, which country's law applies, given that the nodes holding the data may sit in many different jurisdictions?
In a blockchain (especially a public one) the data is replicated on every node of the network, publicly accessible to anyone, regardless of the original purpose for which it was entered and processed. How does this fit a regulatory context that requires the specific purposes for which personal data are processed to be specified, explicit and legitimate (purpose limitation), and personal data to be adequate, relevant and limited to what is necessary for those purposes (data minimisation)?
A user's identity (and therefore their personal data) sits behind a public key, or an address derived from it, which is what the user presents to take part in the distributed network. From a regulatory point of view it is necessary to establish what constitutes "personal data" in a blockchain context: are public keys personal data? Although a public key looks like pseudonymised data, it is not anonymous data and is very often associated with a specific natural person, for example once an exchange or a counterparty has tied it to a verified identity.
It is therefore also necessary to settle in law how the right to erasure (the "right to be forgotten") can be honoured within a blockchain whose records cannot be deleted.
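The hashing claim in the "security by design" section and the erasure problem raised just above can be made concrete with a small simulation. The Python below is an added illustration, not code from the original article or from any blockchain project: it assumes a toy append-only ledger that stores only commitments to personal data, with the data itself and a random per-record key held off-chain by the controller (one commonly proposed design, not the only one). It shows three things: an unsalted SHA-256 of an email address is reversed with a candidate list; an HMAC under a secret per-record key resists the same attack yet still lets the key holder link the record (so it is pseudonymised, not anonymised); and destroying the key is the only form of "erasure" the ledger allows, since the committed entry itself stays. All class and function names are invented for the example and the sample addresses are constructed.

```python
"""Toy ledger: what a hash hides on-chain, and what key deletion can and cannot erase.

Added example for this article; the ledger, controller, key store and sample
addresses are all constructed here and stand in for no real system.
"""
import hashlib
import hmac
import secrets

# Constructed sample: personal data a controller wants to reference on-chain.
RECORDS = {
    "user-1": "alice@example.com",
    "user-2": "bob@example.com",
    "user-3": "carol@example.com",
}

# Constructed candidate list an attacker might hold (e.g. a scraped address list).
ATTACKER_DICTIONARY = [
    "alice@example.com",
    "bob@example.com",
    "dave@example.com",
    "erin@example.com",
]


def plain_commitment(value: str) -> str:
    """Unsalted SHA-256 of the personal data: the 'one-way hash' as naively used."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_commitment(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a random per-record key that never leaves the controller."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only store standing in for the chain: entries are added, never removed."""

    def __init__(self) -> None:
        self._entries: list[tuple[str, str]] = []

    def append(self, uid: str, commitment: str) -> None:
        self._entries.append((uid, commitment))

    def entries(self) -> dict[str, str]:
        """Return a copy, so callers cannot rewrite chain history."""
        return dict(self._entries)


class Controller:
    """Holds the off-chain keys; dropping a key is the only 'erasure' the ledger permits."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self._keys: dict[str, bytes] = {}

    def register(self, uid: str, personal_data: str) -> None:
        key = secrets.token_bytes(32)
        self._keys[uid] = key
        self.ledger.append(uid, keyed_commitment(personal_data, key))

    def can_link(self, uid: str, personal_data: str) -> bool:
        """Only the key holder can confirm which person an entry refers to."""
        key = self._keys.get(uid)
        if key is None:
            return False
        expected = keyed_commitment(personal_data, key)
        return hmac.compare_digest(self.ledger.entries()[uid], expected)

    def erase(self, uid: str) -> None:
        """Destroy the key: the on-chain entry stays, but nobody can link it any more."""
        self._keys.pop(uid, None)


def dictionary_attack(on_chain: dict[str, str], dictionary: list[str]) -> dict[str, str]:
    """Recover plaintexts by hashing every candidate and matching against the chain."""
    table = {plain_commitment(c): c for c in dictionary}
    return {uid: table[h] for uid, h in on_chain.items() if h in table}


def demo() -> dict:
    # 1. Unsalted hashes: the attacker recovers every address in its candidate list.
    plain_chain = {uid: plain_commitment(v) for uid, v in RECORDS.items()}
    recovered_plain = dictionary_attack(plain_chain, ATTACKER_DICTIONARY)

    # 2. Keyed commitments: same attack, nothing matches without the per-record keys.
    ledger = Ledger()
    controller = Controller(ledger)
    for uid, value in RECORDS.items():
        controller.register(uid, value)
    recovered_keyed = dictionary_attack(ledger.entries(), ATTACKER_DICTIONARY)

    # 3. Erasure: the controller can link user-1 only until it destroys the key.
    linkable_before = controller.can_link("user-1", RECORDS["user-1"])
    controller.erase("user-1")
    linkable_after = controller.can_link("user-1", RECORDS["user-1"])
    still_on_chain = "user-1" in ledger.entries()

    return {
        "recovered_plain": recovered_plain,
        "recovered_keyed": recovered_keyed,
        "linkable_before": linkable_before,
        "linkable_after": linkable_after,
        "still_on_chain": still_on_chain,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the two plain hashes in the attacker's list recovered outright, nothing recovered from the keyed commitments, and user-1 becoming unlinkable after the key is destroyed while its entry remains on the ledger. Whether destroying a key satisfies the right to erasure in law is exactly the open question the article raises; the code only shows what the technique can and cannot do.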