Blockchain and the General Data Protection Regulation (GDPR) Enactment
In April 2016, the European Union adopted a replacement for an earlier rule, the Data Protection Directive: a newer, more comprehensive set of rules called the General Data Protection Regulation (GDPR). It applies from 25 May 2018.
You may be wondering why you should care. Anyone doing business with people who live in the European Union will need to meet the data privacy requirements of this legislation or face hefty fines: up to €20M (about $23.5M US) or 4 percent of annual worldwide turnover [revenue], whichever is higher.
With fines this hefty and the regulatory process yet to be fully ironed out, it comes as a pleasant surprise to many that blockchain can enable levels of privacy previously unavailable to those conducting business online. It may be the beacon on a hill that lets organizations sidestep the data leakage inherent in traditional online financial transactions.
Blockchain technology includes the following benefits:
Transactions are peer-to-peer
Transactions are cryptographically signed and hash-linked, so they cannot be altered after the fact (note that on public chains the transaction contents themselves are not encrypted)
Transactions are transparent to parties involved
Transactions are decentralized, so there is no central hub waiting to be hacked
Transactions do not need the sanctioning of third-party intermediaries
This article will discuss some of the basic data privacy rules contained in the GDPR document to give you a better understanding of what lies ahead.
GDPR Data Protection Basics
Under GDPR the individual is called the DATA SUBJECT. Personal data is defined as follows:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Anything required for a standard online financial transaction basically falls into this category.
To be lawful, any processing of a data subject's data must rest on a lawful basis, most commonly the data subject's consent or the performance of a contract with them.
That includes the entering into of any contractual agreements. That's not new, but the contract will have to say in clear wording that the processing it involves is at the request of the data subject.
The controller (the company deciding why and how data is processed) remains responsible for complying with all GDPR rules and demonstrating that the rights of the data subject are protected. Where the core activities involve large-scale regular monitoring of people or large-scale processing of sensitive categories of data (and for public authorities), a data protection officer (DPO) must also be appointed.
Data-Subject Rights and Blockchain under GDPR
The right to erasure - the data subject has the right to request that their data be erased.
Blocks are hash-linked: each block's hash covers its own contents and the hash of the previous block, so a record cannot be altered or removed without invalidating every block that follows. Hashing is not encryption, though. A hash is a one-way fingerprint, and a hash of a low-entropy value such as an email address can be recovered simply by guessing candidates. The practical consequence is that personal data should not be written to the chain at all: keep it off-chain and record only a salted commitment to it. Erasure then means deleting the off-chain record (and its salt), after which the on-chain commitment is an opaque value and the chain itself stays intact and verifiable.
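The following is an added example written for this article, not code from any blockchain project. It builds a toy hash chain to show why an on-chain record cannot be altered or removed, shows that a bare SHA-256 hash of an email address is recovered by guessing, and then shows the off-chain pattern: personal data is held in an erasable store and only an HMAC-SHA256 commitment with a random salt goes into the chain, so erasing the record leaves the chain verifiable. The store, the commitment construction and the sample records are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _block_digest(prev: str, payload) -> str:
    # Canonical JSON so identical content always yields the same hash.
    return sha256_hex(json.dumps({"prev": prev, "payload": payload}, sort_keys=True).encode())


def build_chain(payloads: list) -> list:
    """Hash-link payloads: each block's hash covers its payload and the previous block's hash."""
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = _block_digest(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: list) -> bool:
    """True only if every block's hash matches its content and links to the block before it."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or _block_digest(block["prev"], block["payload"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def guess_preimage(digest: str, candidates: list):
    """Hashing is not encryption: a bare hash of a low-entropy value is recovered by guessing."""
    for candidate in candidates:
        if sha256_hex(candidate.encode()) == digest:
            return candidate
    return None


class OffChainStore:
    """Hypothetical off-chain store: personal data lives here (erasable), only a salted
    commitment goes on-chain. The salt is kept with the record, never on the chain."""

    def __init__(self):
        self._records = {}

    def commit(self, record: dict) -> str:
        salt = os.urandom(32)
        msg = json.dumps(record, sort_keys=True).encode()
        commitment = hmac.new(salt, msg, hashlib.sha256).hexdigest()
        self._records[commitment] = (record, salt)
        return commitment

    def lookup(self, commitment: str):
        entry = self._records.get(commitment)
        return entry[0] if entry else None

    def erase(self, commitment: str) -> bool:
        """Right to erasure: drop record and salt; the on-chain value becomes meaningless."""
        return self._records.pop(commitment, None) is not None


def erasure_demo() -> dict:
    """Commit two constructed records, chain the commitments, erase one, and re-verify."""
    store = OffChainStore()
    alice = {"name": "Alice Example", "email": "alice@example.com", "amount_eur": 120}
    bob = {"name": "Bob Example", "email": "bob@example.com", "amount_eur": 75}
    c_alice, c_bob = store.commit(alice), store.commit(bob)
    chain = build_chain([c_alice, c_bob])
    intact_before = verify_chain(chain)
    erased = store.erase(c_alice)
    return {
        "intact_before": intact_before,
        "erased": erased,
        "intact_after": verify_chain(chain),          # chain still verifies after erasure
        "alice_recoverable": store.lookup(c_alice) is not None,
        "commitment": c_alice,
    }


if __name__ == "__main__":
    print(erasure_demo())
```

The contrast to notice is between `guess_preimage`, which recovers a plain hash of an email address from a short candidate list, and the HMAC commitment, which cannot be matched against the same candidates once the salt is gone with the erased record.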
Data portability - A person shall be able to transfer their personal data from one electronic database to another
With blockchain, people's information does not have to be held in a company database for future use. The transaction records are stored, but only the parties to a transaction can link it to a real-world identity. With a smart contract enforcing the terms, the counterparties need not even learn each other's personal identity. No accounting department or Salesforce-style CRM is needed to hold the record.
Data protection by design and default - privacy settings must be at their strictest by default, and the controller must take both technical and organisational measures so that the whole processing lifecycle protects the data
Doing business on a global scale can be dramatically simplified through the privacy benefits of blockchain, provided personal data is kept off the chain itself. It is telling indeed to see how financial and regulatory institutions are scrambling to find a place in the blockchain ecosystem.
The fact that IBM, Microsoft, and others are working so diligently to lead this transition should also be a tip-off. It will certainly be informative to watch.