GDPR, short for General Data Protection Regulation, comes into force on 25 May 2018. Because the number of data breaches has been rising in recent years, new laws were needed to protect EU citizens from identity theft. The new regulation tightens the existing rules on data protection and on the gathering of personal information.
This means that every organisation that handles EU citizens’ personal data has to review its practices and make sure this information is managed in line with European law and policy. This applies not only to organisations located within the EU, but to every organisation that holds data about EU citizens.
Personal information is any information that can be used to identify a person, including pictures, names, dates of birth, emails, phone numbers, bank details, medical records, etc.
If an organisation fails to bring its record-keeping systems into line with the law’s requirements, the possible fine for breaching GDPR is up to 4% of the organisation’s annual global turnover or €20 million.
This penalty applies to both data controllers and data processors. The data controller is the party that creates the rules, the purpose and conditions of data collecting and processing (for example, a company), and the data processor is the party that stores and processes the data (data storage).
In short, the main changes in the laws are:
• Larger territorial jurisdiction – this law applies to every company that deals with information about EU citizens, no matter where the location of the company may be.
• Penalty for non-compliance – organisations can be fined up to 4% of the organisation’s annual global turnover or €20 million for breaching the regulation.
• Consent – the terms and conditions are strengthened and no longer can be full of legalese. The request for consent has to be clear, in plain language, easily accessible and distinguishable from other matters, with the purpose of data processing attached. The consent must be as easy to withdraw as it is to give.
• Clarity – organisations have to state clearly why they require certain information; the information has to be collected for specified purposes, kept secure, accurate and up to date, and it must not be kept for longer than necessary.
• Breach notifications – organisations are obliged to notify a breach in the system to a local Information Commissioner and their clients within 72 hours of first discovering the breach.
• Right to access – people whose data is processed have the right to know where, how and for what purpose their information is used. The organisation has to provide this information to the customer free of charge, and the customer can transmit it to another organisation.
• Right to be forgotten – people whose data is processed have the right of having their information erased from the system unless there are legal reasons or it’s in the public interest to store the data.
• Privacy by Design and Data Protection Officers – organisations have to prioritise the security of their databases from the ground up and have to appoint Data Protection Officers who make sure that data is held safely and who notify the authorities in case of a breach.
The reason this regulation was made was that there have been more and more cases of breaches in large databases that hold people’s personal information, leaving them susceptible to identity theft.
A lot of these breaches could have been prevented with the use of decentralized and distributed databases – in other words, the blockchain. Blockchain technology was created for the exact reason of keeping personal data safe and secure. Blockchain technology uses networks of computers that all work together to store and validate information, creating a decentralized database. If one of the computers on the network crashes, then nothing happens to the information, because there are still many computers that hold the same data.
The information stored on the blockchain is encrypted. The encrypted messages can only be decrypted with specific keys, and without the correct key it is practically impossible to recover the data. Decrypting by brute force, that is, by trying every possible key, would take millions of years.
The data stored on the blockchain is also made transparent and publicly verifiable through hashing. A hash is a mathematical function that makes it possible to check whether a document is correct and unaltered without having to see its content. These hashes can be verified by everybody participating in the network. This ensures that the data has not been corrupted, while keeping both the message and its owner anonymous.
These properties can be applied to any business, government organisation or NGO, making their services more secure and reliable. Blockchain as a Service (BaaS) is meant to give organisations improved security, transparency, trust and traceability through decentralisation, making the organisation and its data less susceptible to hacks and data breaches.
• Businesses can move their record keeping onto the blockchain in order to keep the personal information of their customers and employees safe and secure;
• Health records can be stored on the blockchain without the fear of losing them or having them stolen;
• Access to personal information can be shared precisely, without unwanted third parties being able to reach that data;
• Ownership of a property or a document can be proved in seconds, without revealing the content inside.
The General Data Protection Regulation is coming and organizations have to make sure that their data processing protocols are up-to-date with the new laws. Personal data has to be kept secure and the best approach in doing so would be to utilize blockchain technology. The combination of cryptography and decentralization is the ultimate way to keep data protected, and keep in line with the rules and upcoming legislation.
If the personal information is recorded in a blockchain, how does one comply with the right to be forgotten and the other requirements such as portability? The information recorded on a blockchain is immutable. Correct?
Yes, information on the blockchain can't be deleted the same way as from traditional databases, but since all personal information is encrypted by the person's private key, they can easily "delete" the information by destroying their private key (delete their private key file, destroy all the physical copies of the keys, etc.). The encrypted information will stay in its encrypted form as there's no private key that could decrypt it. The information is not deleted per se, but it is not accessible to anyone.
When the GDPR rules were created the authorities didn't really think about using blockchain as the solution for data breaches, so some of the rules are not so well defined in the context of blockchain technology. But the main thing is that blockchain technology can offer much higher security for private information than any traditional database counterpart, and data security IS the main reason for the new regulations.
Hope this answers some of your questions. :)
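The two mechanisms described above, hash-based verification without seeing the content and "erasure" by destroying the key, illustrated together as an added example (not code from the original post or from any BaaS product). It assumes a simplified model: the "ledger" is an append-only list holding ciphertext plus a salted hash commitment, the key and salt live only in an off-ledger "vault", and the stream cipher is an illustrative SHA-256 construction built for this example rather than a production cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for this example (not real personal data).
SAMPLE_RECORD = b"name=Jane Example;dob=1990-01-01;email=jane@example.invalid"

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative CTR-style stream cipher using SHA-256 as the PRF.
    Constructed for this example only; a real system would use a vetted AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def commitment(record: bytes, salt: bytes) -> str:
    """Salted hash published on the ledger: reveals nothing about the record
    (the salt stays off-ledger), yet lets anyone check a disclosed copy is unaltered."""
    return hashlib.sha256(salt + record).hexdigest()

def verify(record: bytes, salt: bytes, published: str) -> bool:
    return hmac.compare_digest(commitment(record, salt), published)

def store(ledger: list, vault: dict, record: bytes) -> int:
    """Append ciphertext + commitment to the immutable ledger; keep key and salt only in the vault."""
    key, nonce, salt = (secrets.token_bytes(n) for n in (32, 16, 16))
    ledger.append({"nonce": nonce, "ciphertext": xor_keystream(key, nonce, record),
                   "commitment": commitment(record, salt)})
    rid = len(ledger) - 1
    vault[rid] = {"key": key, "salt": salt}   # the only copy; removing it is the "erasure"
    return rid

def read(ledger: list, vault: dict, rid: int):
    """Decrypt and integrity-check a record; returns None once its key has been destroyed."""
    secret = vault.get(rid)
    if secret is None:
        return None
    e = ledger[rid]
    plain = xor_keystream(secret["key"], e["nonce"], e["ciphertext"])
    return plain if verify(plain, secret["salt"], e["commitment"]) else None

def forget(vault: dict, rid: int) -> None:
    """Crypto-shredding: the ledger entry remains, but without the key it is unreadable."""
    vault.pop(rid, None)

def demo():
    ledger, vault = [], {}
    rid = store(ledger, vault, SAMPLE_RECORD)
    before = read(ledger, vault, rid)
    salt, published = vault[rid]["salt"], ledger[rid]["commitment"]
    ok = verify(SAMPLE_RECORD, salt, published)  # holder discloses record + salt; verifier needs no key
    tampered = verify(SAMPLE_RECORD.replace(b"1990", b"1991"), salt, published)
    forget(vault, rid)
    return before, ok, tampered, read(ledger, vault, rid), len(ledger)
```

Note that the ledger length is unchanged after `forget`: nothing is removed from the chain, only the ability to read it, which is exactly the distinction the reply above draws between "deleted" and "not accessible to anyone".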