The European Union’s General Data Protection Regulation (“GDPR”) will take effect in a few days, on May 25, 2018, and will require businesses that process the personal data of people in the EU to provide increased privacy protections. Among the important changes are the right of erasure, also known as the “right to be forgotten” (the right to have one’s personal data permanently deleted); the right to data portability (those who have provided personal data to a service provider may require the provider to “port” that data to another provider); and the right to object to profiling (the right not to be subject to a decision based solely on automated processing).
The GDPR protects personal data, which includes: name, address, contact details, biometric data, racial or ethnic origin, political opinions, IP address, cookie identifiers, location data, and more.
Organizations found not to be compliant with the new regulation may be fined for the misuse, exploitation or mishandling of personal information, among other things. For example, a company suffering a data breach must notify its supervisory authority within 72 hours of becoming aware of it, and the affected individuals without undue delay where the breach is likely to put them at high risk, or face a penalty.
Companies are encouraged to update their Terms of Services and Privacy Policies to include:
- Additional focus on controlling personal data;
- Transparency and control over sharing personal data with other businesses (business partners);
- As well as clarity on how data is shared to prevent harm, comply with laws and serve public interest.
Which companies fall under the GDPR?
- Companies that store or process the personal data of people in the EU, whether or not the company itself is located within the EU.
- Companies with more than 250 employees.
- Companies with fewer than 250 employees whose data processing may affect European residents. (The 250-employee threshold does not decide whether the GDPR applies at all; it only determines whether the record-keeping obligation applies in full.)
What changes must businesses implement?
According to Systweak.com, companies must adopt various approaches, such as:
- Making sure sensitive data is stored securely and is encrypted.
- Making sure any service providers used are also in compliance with GDPR.
- Reporting a breach to the relevant supervisory authority (in the UK, the Information Commissioner’s Office (“ICO”)) within the 72-hour period.
- Staying up to date as questions arise and people become more aware of their privacy rights.
- Appointing a Data Protection Officer (“DPO”), where one is required, who can ensure compliance and protection without a conflict of interest.
- Revising and updating your data protection plan so that it aligns with the GDPR requirements.
- The GDPR gives users full transparency, in an effort to avoid situations similar to Cambridge Analytica’s misuse of Facebook users’ data. As such, users may request that companies correct or delete their data, and such requests must be honored in a timely manner.
- The same site also provides a helpful tool for companies.
How will the GDPR affect Blockchain technology?
The right to be forgotten poses a challenge for blockchain implementations because blockchains are designed to last in perpetuity. Their fundamental building block is cryptographic hashing: each block carries a hash of the previous block, and because a hash is a one-way function whose output changes whenever the input changes, altering or removing the contents of one block changes its hash and invalidates every block that follows it. Data written to the chain therefore cannot be changed or deleted without rebuilding the entire chain. Venturebeat.com offers a possible solution to this challenge through encryption.
“Encrypting all personal data with a key and deleting the key in response to a request for erasure would render the data inaccessible to anyone, which in layman’s terms is the same as deletion. However, GDPR does not define what it means to “erase” something, so in the absence of a definition, legal conformity tends to be to revert to the literal reading of a word.”
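The approach in the quote above is often called crypto-shredding. The following Python example, added here and not taken from the article or from any product it mentions, shows it end to end: a small hash-chained ledger stores personal data only as ciphertext under a per-subject key kept off-chain, an erasure request deletes that key, and the chain still verifies afterwards, while editing any on-chain payload breaks the chain. The subject identifiers, records and key store are constructed for the demonstration, and the cipher is an HMAC-SHA256 keystream with an HMAC tag so that it runs with only the standard library; production code should use an AEAD such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import json
import os

# Constructed demonstration of crypto-shredding on a hash chain (not the
# article's code). The cipher below is for illustration only: an HMAC-SHA256
# keystream XORed with the plaintext, plus an HMAC tag. Use AES-GCM in practice.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def decrypt(key: bytes, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("payload authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Ledger:
    """Append-only hash chain; block i commits to the hash of block i-1.
    Personal data is stored only encrypted; keys live off-chain in self.keys."""

    def __init__(self):
        self.blocks = []
        self.keys = {}  # off-chain key store: subject_id -> 32-byte key

    def _hash(self, block: dict) -> str:
        body = {k: v for k, v in block.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add_record(self, subject_id: str, personal_data: dict) -> dict:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        block = {
            "index": len(self.blocks),
            "prev_hash": self.blocks[-1]["hash"] if self.blocks else "0" * 64,
            # subject_id should itself be a random pseudonym: a hash of a
            # guessable identifier (an e-mail address) can be brute-forced.
            "subject_ref": hashlib.sha256(subject_id.encode()).hexdigest(),
            "payload": encrypt(key, json.dumps(personal_data).encode()),
        }
        block["hash"] = self._hash(block)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """True only if every block's hash and back-link are intact."""
        for i, block in enumerate(self.blocks):
            prev = self.blocks[i - 1]["hash"] if i else "0" * 64
            if block["prev_hash"] != prev or block["hash"] != self._hash(block):
                return False
        return True

    def read(self, block_index: int, subject_id: str):
        key = self.keys.get(subject_id)
        if key is None:
            return None  # key shredded: the ciphertext remains but is unrecoverable
        return json.loads(decrypt(key, self.blocks[block_index]["payload"]))

    def erase_subject(self, subject_id: str) -> None:
        """Honour an erasure request by destroying the key, not the chain."""
        self.keys.pop(subject_id, None)

def demo() -> dict:
    ledger = Ledger()
    ledger.add_record("alice", {"name": "Alice Example", "email": "alice@example.org"})
    ledger.add_record("bob", {"name": "Bob Example"})
    before = ledger.read(0, "alice")
    ledger.erase_subject("alice")
    result = {
        "before": before,
        "after": ledger.read(0, "alice"),
        "bob_after": ledger.read(1, "bob"),
        "chain_valid_after_erasure": ledger.verify(),
    }
    # Contrast: rewriting an on-chain payload is detectable, so it is not an option.
    ledger.blocks[0]["payload"]["ct"] = "00" * 8
    result["chain_valid_after_tamper"] = ledger.verify()
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind: the ciphertext and the pseudonymous subject reference remain on the chain forever, so the scheme is only as strong as the cipher and key management, and, as the quoted passage notes, whether key destruction satisfies a literal reading of "erasure" is a legal question that the GDPR text does not settle.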
GDPR does not prohibit blockchain, but it does impose some procedural requirements. Since the technology is still in its early stages, GDPR-compliant blockchain offerings will likely begin to be commercialized. Companies such as Microsoft and Intel have already joined GDPR Edge, a distributed-ledger platform that provides technology support for compliance. A representative for the platform said:
“This centralized repository can be made available to data protection authorities, auditors and data governance professionals, as well as any other data collector or processor, meaning increased accountability, information transparency, accuracy, efficiency and auditability.”
While it is true that modifying data on a blockchain is very hard, and many are of the opinion that the GDPR is incompatible with blockchain technology, an array of viable solutions will emerge as the GDPR goes into effect, along with guidance on a happy medium between the two.
More resources for GDPR & the blockchain: