@vikpande
Last active December 10, 2018 12:52
GDPR considerations for a Blockchain app (permission-less & public)

GDPR & blockchain for permission-less & public

3 main areas to address

  • Identification of the data controller & data processor
  • Anonymizing the personal data
  • Data subject can exercise certain data subject rights
    • E.g. erase data at a certain point in time

Data controller or processor - activities (roles of various participants)

  • Protocol developer (regular developer)
    • Processor of data (Developer)
    • Doesn’t decide how to use the protocol
    • Doesn’t prescribe not to deal with personal data
  • Validating nodes (actors who run the BC protocol on their computers)
    • Do not qualify as controller
    • This is mostly debated (since they help to evolve the platform)
  • Network users (individuals who post a transaction on BC and submit personal data on BC)
    • If they do it as part of a business activity - yes, controller
    • Individual - for buying and selling crypto assets (not a controller). Household exception

Data

  • Personal data - privacy rules apply. Any information relating to a natural person, directly or indirectly re-linkable (including via a public key reference or metadata from a different source). E.g. public key, address (network; others), reversible encrypted data, hashed personal data (ID card, medical record), but this is debatable.
  • Anonymous data - privacy rules do not apply. It is not possible to link the information to a natural person or to get information about one from it. It is also not possible to reverse data that is in anonymised form.

Possible solutions (how to anonymise)

  • Multi layer blockchain design
  • Zero knowledge proof
  • Mechanism where public keys are not published
  • Unique hashes for every transaction
  • Development of techniques that are quantum resistant.

GDPR principles and right of data subjects

  • Lawfulness of processing (data is processed in a lawful manner that the user has approved)
    • Solution - participants agree to terms & conditions
  • Data minimisation & storage limitation
    • Data is submitted and processed only for as long as the user has allowed it to be shared
  • Right to erase
    • Controller should delete the information after a certain time or on request
  • Right of access
    • Ask the controller what it is doing with the user's data and for what purpose
  • Automated processing
    • Right to know what data is being processed and for what purpose. Right to have information processed with human intervention
  • Territoriality
    • Rules about transferring data outside Europe are met (based on EU Commission)
    • EU model clauses. Safeguard in some way to meet the EU model clauses
  • Data protection by design and by default
    • Privacy principles ( tools, code, settings, platform )
    • Standards to meet, e.g. a GDPR-compliant protocol standard

Recommendations

  • Introduce governance rules / terms and conditions in the solution.
  • Perform a data protection impact assessment of your solution. This is an obligation of the data controller.
  • Accountability duty under GDPR - document the measures taken to secure personal data. Document the advantages of BC for data subjects in terms of accuracy, security and control.
  • Use the BC network to store immutable proofs that certain data exists; encrypt off-chain personal data.
  • Develop a privacy standard to set minimal requirements for GDPR / protocols - Legal + Dev
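
As an added example (not part of the original notes), a Python sketch of the "proof on-chain, personal data off-chain" recommendation, shown next to the unsalted hash of an ID number that the "Data" section calls debatable. The `ledger` list and `off_chain` dict are stand-ins for a real chain and a controller's database, the ID format is constructed, and encryption at rest of the off-chain store is left out.

```python
import hashlib
import hmac
import secrets

# Assumed stand-ins for real storage in this sketch.
ledger = []      # append-only: models the public chain, entries are never removed
off_chain = {}   # erasable: models a database operated by the data controller


def naive_anchor(national_id: str) -> str:
    """Unsalted hash of a low-entropy identifier, written on-chain."""
    digest = hashlib.sha256(national_id.encode()).hexdigest()
    ledger.append(digest)
    return digest


def relink_by_enumeration(digest: str, candidates):
    """Show that a party able to list the identifier space can re-link a naive anchor."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def keyed_anchor(record_id: str, personal_data: bytes) -> str:
    """Commit with a per-record random key that only ever lives off-chain."""
    key = secrets.token_bytes(32)
    commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
    off_chain[record_id] = {"key": key, "data": personal_data}
    ledger.append(commitment)
    return commitment


def verify(record_id: str, commitment: str) -> bool:
    """Check that the off-chain record matches what was anchored on-chain."""
    record = off_chain.get(record_id)
    if record is None:
        return False  # erased: nothing left to check the commitment against
    expected = hmac.new(record["key"], record["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commitment) and commitment in ledger


def erase(record_id: str) -> None:
    """Erasure request: delete data and key; the ledger entry remains but is orphaned."""
    off_chain.pop(record_id, None)
```

Whether an orphaned commitment counts as erased or anonymous data is a legal question the code does not settle; it only shows that the on-chain value can no longer be tied to the record by enumeration.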