How VeChain is tackling GDPR compliance

Compliance and security has always been one of VeChain’s top priorities when building products and solutions. While our mainnet has undergone security testing from multiple world class cybersecurity firms and developers, we have redoubled our efforts into making sure our products and internal controls comply with regulatory requirements worldwide. In fact, once we read about the GDPR proposal we knew it would be a regulatory task that we needed to critically analyze as a public blockchain protocol. Similarly to our Crypto Disaster Recovery Plan, we have gone above and beyond to align ourselves with the best consultants and experts to ensure our protocol can withstand compliance changes to maintain our clients and scope as we onboard our global clientele.

When the General Data Protection Regulation (GDPR) went into effect on May 25 2018, it quickly became a popular talking point for tech conferences and media coverage. And this is with good reason; among the existing data privacy protection laws, GDPR is rated as the most stringent regulation, with the broadest coverage on personal data privacy. The regulation not only aims to ensure the transparency of personal data processing and the effectiveness of personal data security, but also to empower the EU citizens to have better control over their own data. The regulators explicated the definition of personal data and the requirements of managing sensitive data, which now forces companies to improve their policies, procedures, and IT infrastructure as related to personal data privacy protection. Any company that offers products or services for EU citizens must be compliant with GDPR.

As VeChain aims for mass enterprise adoption, we started early in exploring the GDPR compliance of VeChain products and internal control environment. In fact VeChain has been preparing for the GDPR since early 2017. VeChain’s anti-counterfeiting and traceability blockchain solution has been used for commercial purpose by a French luxury brand since back in 2016. With the development of more and more commercial uses cases ultimately serving at end consumers, the ability to demonstrate the comply with relevant regulatory requirements including GDPR is a clear prerequisite to mass adoption of our platform.

There has been some discussion around how the GDPR fits within the context of public blockchain, considering the distributed and immutable nature of the technology. In general, GDPR compliance for commercial blockchain solutions is still uncharted territory. At first glance, one might think there is a direct contradiction between GDPR and public blockchains. However, the blockchain concept shares many goals with the GDPR. Through smart design of its architecture and application, blockchain technology can empower the decentralization of data control and mitigate the power inequality between centralized service providers and end users.

To explore the GDPR compliance for VeChain’s blockchain solutions, we have been working together with both a professional service firm and law firm to assess current practices, as well as develop a sustainable program for staying up to date with any new regulatory requirements as they come about. To this end, over the past 12 months VeChain has been working tirelessly through its internal technical team and the aforementioned external consultants. A phased approach has been followed for this process:

1. Assess the current state and determine applicability

We assessed current VeChain solutions that are used by enterprises, in both the development and conceptual stages, and clearly defined the roles and responsibilities for the areas that may collect or process Personal Identifiable Information (PII). In addition, data flow was mapped and documented to help understand the exposure and current security measures in place. In this way, we can determine the applicability of GDPR requirements based on VeChain’s role in the business model (data controller vs data processor).

2. Identify gaps and risks

Based on the output of the Phase 1, we performed a gap assessment against applicable GDPR requirements, as well as relevant cybersecurity regulations such as ISO27001, China Cybersecurity Law. The gap assessment followed a top down approach covering various areas including risk management, security and privacy policies/procedures, privacy by design SDLC process, encryption of data at rest and data in transit, security incident monitoring and response process, etc. The gaps identified have been assessed based on the risk exposure and level of efforts required to form a roadmap for remediation.

3. Remediate and enhance the compliance posture

During the past 12 months, we have been enhancing our products and internal control environments to be more secure and resilient to changing regulatory requirements and cybersecurity threats. Some of the achievements that have been accomplished are as follows:

  • Established a series of security and privacy policies aligned with ISO27001 standards, GDPR and China Cybersecurity Law
  • Defined the roles and responsibilities for the security and privacy such data protection officer
  • Assessed the justification of collecting personal information where applicable and ensured only the minimum viable PII is collected based on business needs
  • Enhanced the SDLC process by embedding the privacy impact assessment to determine the regulatory applicability and implement necessary functions and controls at the early stage
  • Reviewed and enhanced VeChain solutions to adopt the principle of “privacy by design” and provide the users with the right to be forgotten and data erasure and data portability as required by GDPR
  • Implemented additional security measures to ensure the compliance with GDPR and cybersecurity law
  • Implemented detection and response processes to ensure any compromise can be detected and reported
  • Implemented a sustainable compliance program to constantly monitor any new regulation requirement or revision and respond accordingly

VeChain understands that adoption of public blockchain technology — especially at the enterprise level — is absolutely predicated upon a given platform’s ability to not only provide exciting new solutions to existing problems, but to also integrate seamlessly into its users’ existing day to day reality. With its top-tier partnerships, robust governance structure, innovative economic model, and forward-thinking approach to important issues such as the GDPR and data security, the VeChainThor Platform remains the vanguard for mass adoption.