Blockchain and other emerging distributed ledger technologies offer the promise of increased security, transparency and resilience based on the use of distributed, immutable records.

At the same time, the European Union General Data Protection Regulation (GDPR), which takes effect May 25, 2018, governs the use and protection of personal data collected from or about any European Union resident. Personal data is defined very broadly and includes any information relating to an identified or identifiable natural person. Under current EU legal interpretations, this includes encrypted or hashed personal data as well as public cryptographic keys that can be tied to a private individual.

The penalties for failing to comply with the GDPR are harsh, including fines of up to the greater of €20 million or 4% of a company’s annual worldwide revenue.

The GDPR: Centralized, Restricted and Removable

The GDPR was developed based on an assumption that collected personal data would be controlled by an identifiable data controller and processed by the data controller or by a finite number of identifiable data processors and sub-processors. In order to protect the use of personal data, data controllers and processors must control who accesses the personal data, where and to whom it is transferred, and by whom it is accessed.

The GDPR gives EU residents enforceable rights with respect to their personal data, including:

  • the right to erasure of personal data when the personal data is no longer needed for the purpose for which it was collected, when the individual withdraws consent, or when continued processing of the data is unlawful;
  • the right to require correction of incorrect data; and
  • the right to restrict processing when the data accuracy is contested, when processing is no longer necessary, or when the individual objects.

These rights are understandable in the context of a