Blockchain and GDPR: What Online Retailers Need to Know
Have you heard about GDPR?
Maybe you have?
Since 2017, European governments, government agencies, and businesses with an interest in promoting GDPR-related webinars, articles, talks and other services have been talking about this change in data protection legislation almost non-stop.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and this impacts every organisation that collects, processes and transfers consumer data within the EU and European Economic Area. Even the UK, which should be leaving the EU in the next two years after going through its ‘Brexit’ process, will comply with GDPR.
What is GDPR?
Some of the headlines surrounding GDPR focus on the scary new fines, which are much larger than those under current national data protection laws. Organisations that suffer a data breach might have to pay up to 4 percent of turnover, or €20 million, whichever sum is greater. This applies even if you aren’t based in Europe: companies that have customers in, or process data through, the EU need to maintain compliance with GDPR.
Unfortunately, fines aren’t the only issue, and they aren’t what e-commerce retailers should focus on. Consumers, known as ‘data subjects’ under the new law, have greater protections and are allowed to access their data more easily. Organisations collecting, processing and safeguarding that data need to do more to protect it to prevent data theft.
Although the fines have got everyone’s attention, the real priority is to ensure that data is more efficiently protected. If you are already taking proactive steps to ask web visitors and customers for permission to use their data, and encrypt and store it securely, then maintaining compliance with the new law shouldn’t involve that much extra effort.
E-commerce companies need to pick their partners and suppliers with care. If a supplier handling email campaigns suffers a breach and your customers’ data is stolen, used, or sold online, your company will shoulder most if not all of the blame. Under GDPR, you can’t pass the buck and mitigate responsibility and risk.
Will this impact Blockchain companies?
Yes, it will.
Blockchain products and services that collect, store, process and transfer consumer data are still, at the end of the day, handling consumers’ personal information.
Michèle Finck, a Senior Research Fellow of EU Law at Keble College, University of Oxford, says in an article that “It is well-established that data that has been encrypted or hashed still qualifies as personal data under EU law as it is merely pseudonymized, not irreversibly anonymised.” Finck goes on to say that “As a consequence, the cryptographically modified data stored on a distributed ledger, in addition to public keys, are subject to the GDPR.”
Data subjects have exactly the same rights as others whose information is stored on traditional databases, including the ‘right to be forgotten’ and to have data removed from a blockchain, which might be difficult to implement at present. This is something that companies in this sector are going to have to look into and resolve soon. Other GDPR issues that blockchain companies will struggle with include identifying the ‘data controller.’
Maintaining compliance with GDPR means ensuring you can explain to the government agency responsible in your country (e.g. the ICO in the UK) who has legal control of the data, how consumers can access it, and how you can delete their data, if requested. At a minimum, companies need to know how to answer these questions, should they get asked, and since many of these projects are relatively new and gaining some attention, they might get asked sooner rather than later.
When laws catch up to technology innovations — as is the case with GDPR — businesses and tech firms have a duty to ensure they’ve future-proofed even the most futuristic innovations, to ensure consumers and companies are completely protected. With our secure authentication through trusted third-party platforms, such as Facebook, and opt-in features for consumers (via retail partners), we are confident BitRewards maintains compliance in Europe while providing high levels of security for customers and e-commerce companies.