Blockchain and GDPR

The European General Data Protection Regulation (GDPR) is set to become active on May 25, 2018. The GDPR replaces the 20-year old Data Protection Directive 95/46/EC and mandates how the personal data of EU citizens can be managed and processed. This regulation is designed to not only improve the security and privacy of personal data in the EU but to return the control and management of personal data and identities to the individual.

While the GDPR affects both physical and digital identity management, it includes a number of provisions on personal data management that affect digital identity governance and emphasize individual control over one’s own data.

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Right to Access

Article 15 of the regulation stipulates that an individual has the right to understand who has access to their personal data, What information is an individual entitled to under the GDPR?

Under the GDPR, individuals will have the right to obtain:

confirmation that their data is being processed;

access to their personal data; and

other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

These are similar to existing subject access rights under the DPA.what data has been made available and how that data is being used or processed. In addition, the individual must be able to obtain, on demand and with no charge, a copy of the digital information undergoing processing.

Right to Rectification

When should personal data be rectified?

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

Right to be Forgotten

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Right to Restrict Processing

Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.

Right to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.

Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

Today, an individual’s identity is managed through distinct controllers and processors. The language in the regulation talks about how each of those disparate, siloed systems must provide access, consent management, erasure and portability to the user. The user must be able to take their identity from one place to another, grant access as they see fit, rescind it at will, and be ensured that only the minimum amount of information needed is used. Each organization managing data for the individual bears the responsibility for upholding those rights.

But, what if the onus of personal data stewardship wasn’t on the controller and processor at all, but instead, given to the individual?

If that were the case, the individual wouldn’t need to rely on a controller, issuer or processor to adhere to regulation to obtain, copy, move, transmit or secure their data. The individual would own it and they would control access. This is where blockchain gets really interesting.

In order for an individual to manage their own data they alone need to have complete access, the data must be trusted by third parties as valid (so that it can be used as easily as any physical identifier), and they need a way to grant and rescind scoped access. With blockchain, we have a distributed ledger technology, meant to provide information that no distinct entity controls or manages. Because blockchain utilizes a decentralized network of peers, where the history and current validity is publically auditable, it becomes a neutral, trusted and secure mechanism for self-managed user identity.

By placing both a data storage layer and a key/secret or some other access grant mechanism on top of it, an individual can not only securely store their data, but can now grant and rescind access to processors as needed. Likewise, issuers like trusted governments or licensing agencies, can add identity information to an individual’s blockchain record as permitted or requested by the individual.

Together, the GDPR and blockchain advocates point to the same thing – the need to fundamentally change the way in which personal data is managed. Both from a principle and practical perspective, the status quo of disparate identity stores managed by social networks, banks, governments and individual websites needs to shift to grant the individual sovereignty over their data. From the perspective of principle, the #individual has an innate right to the information that comprises who they are. From a practical perspective, a single, trusted, portable source of personal data, managed and leveraged by the individual, allows every data issuer and processor a consistent, efficient way to interact with an individual’s digital identity. As both the concept of self-sovereignty and regulation around user control grow, it’s clear that the age of the user is arriving, and the future of digital identity will hinge on technology that best facilitates the right of an individual to own and manage their identity.