TrustED is GDPR-compliant!

TrustED Blockchain Ecosystem
Nov 19, 2018

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA, and so affects almost every company operating worldwide.

Introduced on May 25th 2018, the law is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU. GDPR significantly strengthens a number of rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real power, with the maximum fine reaching the higher of €20m or 4% of the company’s global turnover.

GDPR requires:

  • Personal data must be collected with clear consent (goodbye to annoying pre-ticked boxes on sign-up forms).
  • Companies are required to provide an individual with the lawful basis of processing his/her personal data.
  • Individuals, in some circumstances, will have the right to be forgotten (which means clearing their data trail with a company).
  • Individuals can request a copy of their personal data, free of charge, which in most circumstances will be supplied within one month.

How does it work with TrustED?

The TrustED platform is the data processor: a storage mechanism that helps universities (the data controllers) deposit the information they have collected (with given consent). If the student claims the data, he or she automatically becomes the data controller. TrustED ensures that mechanisms are in place to guarantee the deletion of data and to provide audit trails of information about an individual to that individual.

When a university uploads the data, the student is invited to sign up on the TrustED platform and claim it. The student thus becomes the only owner of the data, with the ability to erase it. If the student doesn’t claim the data, the university gets full authority and the right to remove it if necessary.

What about 3rd parties?

The primary use case for TrustED is to provide a blockchain-based analogue of a paper certificate. It is the owner of the certificate who is essentially providing it to a potential employer or any other third party. An employer searching for an employee's credential and getting that information is still GDPR-compliant, because the search and the request to view the verified certificate can only be conducted if the student has claimed the credential or uploaded it personally. If not, the data is still on the chain but cannot be requested for viewing. However, the universities still have the ability to use TrustED as their storage mechanism for the data, with GDPR compliance mechanisms in place.
