The European General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This regulation brings with it a new set of challenges for blockchain companies. Think of it this way - GDPR is like an iceberg floating in the sea.
It can be catastrophic to businesses if they are not aware of it. To give you the scale of damage that this negligence can do, the penalties of not adhering to GDPR go up to 4% of annual global turnover or €20 Million. Now that should be enough for businesses, especially those in Europe, to sit up and take notice.
In this blog we will answer two key questions relating to the iceberg of GDPR:
1. What are the most challenging obstacles for blockchain companies with regard to GDPR; and
2. How to navigate the company’s blockchain ship safely through GDPR iceberg areas.
Scale of the Iceberg - and is there a safe zone?
There is a common misunderstanding that GDPR only focuses on EU residents or citizens. The regulation actually refers to data subjects as “an identifiable natural person” (Art. 4 GDPR). Therefore it could be someone who is an EU citizen, but it could also be a New Zealander working in a European country.
The question is then, when does a company need to be GDPR compliant?
A company needs to be GDPR compliant if it has an establishment in the European Union, regardless of whether the processing itself takes place in the EU. It also needs to be compliant if it offers goods or services to data subjects in the EU, or monitors the behaviour of data subjects in the EU (Art. 3 GDPR).
Here’s an example: a New Zealand blockchain company that advertises and offers its services in German and has German customers is clearly offering its services to data subjects in the EU. Therefore, it needs to be GDPR compliant.
So a blockchain company should be well aware of where in the sea it steers its blockchain ship. Of course, there are options to avoid the GDPR iceberg entirely by strictly staying out of waters with icebergs (e.g. the European Economic Area), but there may still be areas that are not 100% clear.
Challenge #1 - Personal data: The polar bear of the GDPR iceberg.
Personal data is like the polar bear that feels safe on ice, but what is actually personal data and how do we define it?
According to GDPR, “personal data means any information relating to an identified or identifiable natural person (data subject)” (Art. 4 GDPR). Examples of personal data that identify a data subject directly or indirectly are not only names and addresses, but also identification numbers. Based on this definition, a crypto wallet address or public key counts as personal data in the blockchain world.
Now let’s look at personal information such as names or email addresses that have been one-way hashed and stored on the blockchain. Here we need to distinguish between pseudonymisation and anonymisation. Pseudonymisation still allows re-identification of the data subject, which anonymisation does not. Therefore, anonymised data falls outside the scope of GDPR, but pseudonymised personal data does not. According to the Article 29 Data Protection Working Party of the European Commission, one-way encryption mechanisms such as hashing are considered a pseudonymisation technique and not anonymisation. Therefore, the hash values of one-way hashed personal data stored on the blockchain are still personal data.
Challenge #2 - Rights of data subjects
GDPR gives data subjects fundamental rights over their data privacy. Some of them are easier to implement in a blockchain environment, such as the right to access, while other rights are more challenging, like the right to restriction of processing.
The most challenging is probably the right to erasure (the “right to be forgotten”). “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” (Art. 17 GDPR).
Furthermore, the company has the obligation to erase personal data without undue delay if the personal data is no longer necessary in relation to the purposes, or the data subject withdraws consent.
Given the immutable nature of blockchain technology, it is very difficult to delete personal data from the blockchain. Please bear in mind that the value of one-way hashed personal data still counts as personal data, so hashing does not solve the problem. There are different approaches to this problem, ranging from making the data inaccessible up to patented technology solutions. A lower-risk solution is to store personal data ‘off chain’, in other words outside the blockchain, and keep only a reference to it on the chain. One can hope that the European Commission publishes an official statement about blockchain technology and GDPR.
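The two points above (a plain hash of an email address is still linkable to that address, and off-chain storage with only a reference on chain makes erasure possible) can be shown in a few lines. The following is an added illustration, not code from the original post or from any product mentioned in it; the in-memory append-only list standing in for the chain, the per-record secret key, and the sample email addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def plain_hash(value: str) -> str:
    """Unkeyed one-way hash of a personal-data value: the pattern the text warns about."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def is_linkable(on_chain_value: str, candidate: str) -> bool:
    """Anyone who knows a candidate value can test it against an unkeyed hash.
    That re-identification is exactly why such a hash is pseudonymised, not anonymised."""
    return hmac.compare_digest(on_chain_value, plain_hash(candidate))


@dataclass
class OffChainStoreDemo:
    """Toy model (constructed for this example): an immutable chain that holds only
    keyed commitments, and an erasable off-chain store that holds the personal data."""
    chain: list = field(default_factory=list)          # append-only, never modified
    off_chain: dict = field(default_factory=dict)      # record_id -> {"key", "data"}

    def register(self, personal_data: str) -> str:
        """Store the data off chain under a fresh per-record secret and put only
        an HMAC commitment on chain. Returns the record id used to look it up."""
        record_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        commitment = hmac.new(key, personal_data.encode("utf-8"), hashlib.sha256).hexdigest()
        self.chain.append({"record_id": record_id, "commitment": commitment})
        self.off_chain[record_id] = {"key": key, "data": personal_data}
        return record_id

    def commitment_for(self, record_id: str):
        """Return the on-chain commitment for a record id (None if unknown)."""
        for entry in self.chain:
            if entry["record_id"] == record_id:
                return entry["commitment"]
        return None

    def resolve(self, record_id: str):
        """Return the personal data only if the off-chain record still exists
        and verifies against its on-chain commitment; otherwise None."""
        rec = self.off_chain.get(record_id)
        commitment = self.commitment_for(record_id)
        if rec is None or commitment is None:
            return None
        expected = hmac.new(rec["key"], rec["data"].encode("utf-8"), hashlib.sha256).hexdigest()
        return rec["data"] if hmac.compare_digest(commitment, expected) else None

    def erase(self, record_id: str) -> bool:
        """Art. 17 erasure in this model: delete the off-chain data and its key.
        The chain entry stays, but it can no longer be resolved or linked."""
        return self.off_chain.pop(record_id, None) is not None


if __name__ == "__main__":
    email = "alice@example.com"                       # constructed sample value
    print("plain hash linkable:", is_linkable(plain_hash(email), email))
    store = OffChainStoreDemo()
    rid = store.register(email)
    print("before erasure:", store.resolve(rid))
    store.erase(rid)
    print("after erasure:", store.resolve(rid), "| chain entries:", len(store.chain))
    print("keyed commitment linkable:", is_linkable(store.commitment_for(rid), email))
```

The unkeyed hash is matched by anyone who can guess or already holds the email address, which is the Working Party's reason for treating it as pseudonymised data. With the keyed commitment, deleting the off-chain record (data plus key) leaves an on-chain value that can no longer be resolved or matched, which is the "make the data inaccessible" approach mentioned above implemented with the data held off chain.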
Another important aspect of GDPR is consent from data subjects. “A ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes […] to the processing of personal data relating to him or her” (Art. 4 GDPR). An example of when consent is not required is where processing is necessary for the performance of a contract to which the data subject is party, or for compliance with a legal obligation (refer to Art. 6 GDPR). Consent should be requested in an intelligible and easily accessible form, using clear and plain language. Furthermore, the European Commission has published a guideline on consent. A blockchain company in particular should ensure that consent was given by the data subject, and is documented, if personal data will be accessed or processed by third parties.
The rights mentioned above are only some of the rights defined in the GDPR. For the complete list see chapter 3 of the GDPR.
One clear requirement is to report personal data breaches within 72 hours to the local authority and the data subject. There are also other GDPR requirements that might need to be addressed by a blockchain company. For instance, a Data Protection Officer may need to be appointed. In addition, a Data Protection Impact Assessment is required where “processing […], is likely to result in a high risk to the rights and freedoms of natural persons” (Art. 35 GDPR), for example where a blockchain company uses systematic and extensive profiling and automated decision-making. Furthermore, the company might be required to designate a representative in the EU (refer to Art. 27 GDPR).
Getting ready for the GDPR iceberg
Becoming GDPR compliant is a journey, and it never really ends: staying GDPR compliant is a continuous process. The following steps are a starting point for the journey:
1. Raise Awareness about GDPR within the company
2. Assign Responsibilities and start with a checklist or get external experts
3. Assess the current state of the company’s GDPR and privacy compliance
4. Identify the required steps and processes
5. Implement the action points and processes (incl. ongoing monitoring)
6. Communicate updates about the company’s GDPR compliance internally and externally
Once the blockchain company is GDPR compliant, it actually makes the blockchain ship even stronger and the company is able to cruise forward safely.
SingleSource is an example of a GDPR compliant blockchain-based identity service. The company helps users to manage their personal data and their digital identity by giving privacy back to the user. Only the user has full visibility of their own data, and no personal data is stored on the blockchain. The SingleSource ecosystem is designed so that the user decides what data will be shared with other parties, with whom it will be shared and when it will be shared. The user explicitly gives consent for each disclosure.
For a full description of how SingleSource works for individuals and organisations, download a free copy of the white paper here.