The General Data Protection Regulation (GDPR), a sweeping and stringent European Union (EU) wide legal framework for personal data privacy, became effective on May 25. Ready or not, this framework is going to drastically transform the business of any digital venture. The International Association of Privacy Professionals (IAPP) forecast that at least 75,000 privacy jobs will be created as a result, and that Fortune’s Global 500 companies will spend close to $8 bln in order to ensure they are compliant with the GDPR. But what does this mean for the blockchain?
The GDPR’s goals are: to create a uniform data regulation framework within Europe, and to strengthen individuals’ control over the storage and use of their personal data. It was adopted in 2016, and after a two-year transition period, is now in force.
Obligations and rights
The GDPR introduces new procedural and organizational obligations for “data processors” – including corporate as well as public entities, and gives more rights to “data subjects” – the term it uses for individuals.
Public and private organizations, when left to themselves, tend to accumulate data even before knowing what they will do with it, a sort of “gold rush” in personal data acquisition. The GDPR goes against this habit by specifying that data processors should not collect data beyond what is directly useful to their immediate interaction with consumers. In effect, the data harvest should be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed” (Article 39 of the GDPR).
Besides setting out what is or isn’t allowed, the GDPR also specifies organizational guidelines that data processors will need to adopt from now on. For instance, their technological architecture will have to erase consumer data by default once it has been used – the principle of “privacy by design”.
Secondly, any entity considered to be a “data nexus” will be required to have a Data Protection Officer (DPO) responsible for managing compliance with the GDPR. This DPO will be under the legal obligation to alert the supervisory authority whenever a risk to data subjects’ privacy arises (Article 33).
Data subjects, on the other hand, will be better informed on how their private data is stored and processed (Article 15). They will, for instance, have the right to ask for a copy of the information companies hold about them. Furthermore, data processors have to inform the data subjects in detail about the processing of the data, and how it is shared or acquired.
Besides transparency, the GDPR gives citizens more control over how their data is used. Article 17 lists the conditions under which they will be able to request the deletion of their data from business databases – the so-called “right of erasure”.