The European Union agreed to the General Data Protection Regulation (GDPR) in April of 2016 and put it into effect on May 25th of 2018. Blockchain-based projects operating in the EU are not exempt from GDPR, so understanding the regulation and its implications is important for all of us.
What is GDPR?
GDPR is an update to the 1995 data protection directive that grants consumers increased control over the way their personal data is used. Any business that uses personal data and operates in the EU will be subject to the GDPR, as will any business that processes the personal data of individuals residing in the EU. Thus, any business worldwide may be within the scope of the GDPR (e.g. a US-based retailer that sells only to US customers, where an EU resident signs up for a newsletter using a Gmail address: how that US-based retailer uses that EU resident's data falls within the scope of GDPR regardless of whether the retailer knows the user is from the EU).
The biggest impacts of GDPR will be felt by tech giants like Amazon, Apple, Google, and Facebook, whose business models revolve almost entirely around the collection of personal data and the repurposing of that data for targeting consumers in ad campaigns. At the same time, smaller businesses may be less equipped to absorb the sizeable fines of €20 Million or 4% of annual global turnover for breaching the regulation. Additionally, 3rd party data providers, such as consumer credit reporting agencies, will also be impacted, since businesses that buy data to enhance customer targeting will need to be very careful about whether or not the data they purchase has been obtained with willful consent. Tech startups should pay particular attention to the regulation’s requirements, especially as they grow to more than 250 employees and more of the standards apply.
Why does GDPR matter to Blockchain-based projects?
Most projects developing Blockchain-based solutions are also internet companies. Whether a big corporation or a new start-up, GDPR will apply if the business operates in the EU and/or serves EU citizens. When it comes to meeting requirements, businesses will need to explicitly ask permission from consumers to use their data for a specified purpose in the form of an opt-in. This data must then be used in a relevant way, within a timely manner, and be kept secure. Businesses will need to prove that they have acquired permission from the consumer and used their data in a timely manner, in accordance with the agreement. Therefore, it will be necessary to implement effective tracking mechanisms that enable them to demonstrate that they are in compliance.
The initial consent and opt-in is very straightforward as it pertains to GDPR. Where it gets tricky is when the consumer opts out. When the EU consumer opts out, the “right to be forgotten” provision kicks in and requires the data controller and data processor to delete all data of that individual in all systems. To add more complexity, if a business has a complicated data ecosystem that includes integrations with 3rd party vendors or SaaS solutions, the onus is on the business as the data controller to ensure all data processors (typically 3rd parties) also remove that data from their systems. Under GDPR, it will not be enough to simply alert and provide notice to a 3rd party to remove that data.
Blockchain technology is well known for its secure data tracking capabilities, and is therefore being considered by many online businesses as part of a solution for how to meet requirements and prove compliance. Some members of the Blockchain community have rung warning bells that GDPR is antithetical to the spirit of blockchain technology because GDPR includes “the right to be forgotten” and Blockchain is heralded for its immutability (once recorded, transactions cannot be deleted from a blockchain ledger). Though I certainly understand such concerns, I don’t think anyone is advocating for sensitive, personally identifiable information (PII) being stored on a public ledger or private Blockchains. In this case, Blockchain technology can act as a connector of systems and databases. The PII can be stored in traditional databases or “off chain” while a hash referring to the PII is recorded on the blockchain itself. In this fashion, PII could be easily deleted upon consumer request in a company’s single or interconnected system architecture, even though the hash (meaningless absent the off-chain data) would remain on the Blockchain.
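The off-chain/on-chain split described above, as an added illustration that is not code from the original post: PII and a per-record secret key live in a deletable store, only a keyed commitment (HMAC-SHA256) goes onto the append-only ledger, and an erasure request deletes the PII and the key so the surviving ledger entry can no longer be recomputed or re-linked to the person. The store, ledger and record layout are constructed for this example; a plain unkeyed hash of low-entropy PII such as an e-mail address could be recomputed by anyone who already holds that address, which is why the key is used and deleted alongside the data.

```python
import hashlib
import hmac
import os


class OffChainStore:
    """Constructed stand-in for a conventional database: everything here can be deleted."""
    def __init__(self):
        self.pii = {}   # record_id -> personal data
        self.keys = {}  # record_id -> per-record secret key


class Ledger:
    """Constructed stand-in for an immutable chain: entries are only ever appended."""
    def __init__(self):
        self.entries = []

    def append(self, entry: dict) -> int:
        self.entries.append(entry)
        return len(self.entries) - 1   # index acts as the on-chain reference


def commit(key: bytes, pii: str) -> str:
    # Keyed hash: without the key the value cannot be recomputed from guessed PII,
    # so once the key is deleted the on-chain entry is meaningless on its own.
    return hmac.new(key, pii.encode("utf-8"), hashlib.sha256).hexdigest()


def register(store: OffChainStore, ledger: Ledger, pii: str) -> int:
    record_id = os.urandom(16).hex()   # opaque id, carries no PII
    key = os.urandom(32)
    store.pii[record_id] = pii
    store.keys[record_id] = key
    return ledger.append({"record_id": record_id, "commitment": commit(key, pii)})


def verify(store: OffChainStore, ledger: Ledger, index: int) -> bool:
    """True only while the off-chain PII and key still match the on-chain commitment."""
    entry = ledger.entries[index]
    rid = entry["record_id"]
    if rid not in store.pii or rid not in store.keys:
        return False   # erased (or never stored): nothing left to check against
    return hmac.compare_digest(commit(store.keys[rid], store.pii[rid]), entry["commitment"])


def erase(store: OffChainStore, ledger: Ledger, index: int) -> None:
    """Right to be forgotten: delete PII and key off-chain; the ledger entry itself stays."""
    rid = ledger.entries[index]["record_id"]
    store.pii.pop(rid, None)
    store.keys.pop(rid, None)
```

Run `register`, `verify`, `erase`, `verify` in that order to see the commitment validate while the data exists and fail afterwards, with the ledger length unchanged throughout.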
Though the GDPR only applies to EU businesses or any business that processes EU citizens' data, the nature of the internet means that many businesses based outside of Europe will need to adopt the new consumer data protection standards. The EU may be breaking new ground in passing regulations to fit the information era, but it’s only a matter of time before other nations follow suit. Fallout from Facebook’s Cambridge Analytica scandal is driving more visibility and pressure around how data is collected and used in the US. Perhaps the imminence of GDPR will inspire governments, businesses, and consumers alike to care more about the value of online data and consider novel approaches to protecting consumers’ rights to their information.