Making Data Security a Priority

The GDPR, Blockchain and Genaro: Part One

Luke Sheehan
Smart Data Ecosystem by Genaro Network
5 min read · Jul 6, 2018


As of May this year the European Union has implemented a law to safeguard the data of citizens in their interactions with online companies and public institutions. The General Data Protection Regulation was drafted in 2016 and has now come into force, bringing with it implications that resonate around the web and the world’s media. Why the ‘world’ and not simply European countries? This is because the GDPR applies to any companies that use the data of E.U. citizens and want to continue to do business in the bloc. Like U.S. financial regulators applying American law to international companies that have dealings with their nation, the EU is taking an assertive stance in a complex battleground.

Coming in the aftermath of the Facebook/Cambridge Analytica scandal, many will welcome this show of regulatory force. In the background, the question of how the GDPR will affect the rapidly changing blockchain space is puzzling many, including experts.

As the Genaro Network has always been framed as a global project the GDPR is certainly a relevant topic for our community. This is the first of three short articles seeking to explain the essentials of the GDPR and examine how it may or may not influence the future of blockchain and the Genaro Network in particular. We will also look at how Genaro will potentially respond.

The E.U. and the Blockchain: a Bright Future or Impending Farce? Image: BTC

How does the GDPR work? The law focuses on private and personal information, the protection of citizens’ rights in this area, and the responsibilities of companies or organizations that collect or process that data. It defines the relevant types of data and gives names to the parties involved: E.U. citizens are termed “Data Subjects”, and organizations are divided into “Data Processors” and “Data Controllers”.

For example, a website that asks for your info will be considered a Controller, while the Internet providers and hosts that support your connection to that website and store its database are Processors (a Processor could also be a third-party financial company or HR agent). Controllers and Processors are both responsible under the GDPR for protecting personal info.

The two main categories of data are:

Personal Data — This is information that identifies you, starting from your name and continuing to your IP address as well as your physical address and number, etc.

Sensitive Personal Data — This is all the information that you would naturally expect to have a choice over whether to keep it private or not. Information that relates to your medical history, your religion, your relationships would all come under this category.

The GDPR then outlines rights. A Data Subject needs to give their consent for the collecting and sharing of their personal data. Next, if they desire, they can ask for a record of what data relating to them a company has collected, can ask for their data to be deleted (the so-called ‘Right to be Forgotten’) and can ask for their data to be transferred or changed. To be ultra-clear, here is the list of these ‘Basic data rights’ as defined by the European lawmakers:

- Right to give consent for personal data to be shared and/or processed

- Right to access collected personal data

- Right to be forgotten (erased)

- Right to portability (to move data from a system to another)

- Right to rectification (changing one’s data in a system)

Attached to these rights are responsibilities and potential penalties for companies and organizations that do not comply. This is the area where the E.U. legislators “get creative” and show a strong hand in response to recent online history. In an age of unpredictable data leaks and breaches, companies holding personal data need to notify affected individuals as well as the Data Protection Agency, or DPA, “within 72 hours and… without undue delay.” Groups with significant stores of personal data must appoint ‘Data Protection Officers’. The strongest penalty for non-compliance is a fine: “Organizations can be fined up to 4% of annual global turnover… or €20 Million”, whichever amount is higher.

The E.U. Parliament in Strasbourg–Deep Thinking about Data Rights Within. Image: CCN

Everyone is in agreement that the GDPR will have wide ranging ramifications.

What are the core issues for blockchain? First, it should be stated that the law was designed for centralized systems: cloud networks, hosting servers, private companies, etc. This should not be a surprise. International lawmakers have focused upon taming the wild ICO and cryptocurrency animal, and have not been directly addressing blockchain tech itself, which in any case mutates so fast that any attempt to draft solid laws around it would risk becoming rapidly redundant. The law has famously lagged behind technology throughout history.

Nevertheless, blockchain deals in data and therefore the instrument can be applied to it–in theory. Yet professionals in the blockchain space have argued that the law is already out of date in its core elements and should be altered, or quarantined from crypto, or scrapped.

There are many angles to approach the intersection between the GDPR law and the new decentralized technology, but two stand out in the arguments now being put forward online.

One is the way that actors are defined. In a distributed and encrypted system, can or should any actor be considered a Controller or Processor? Second, many commentators have seized on the ‘Right to be Forgotten’. If a blockchain is powerful precisely because it cannot be altered, how can this right ever be applied? As with many debates that touch on legal matters, the interpretation of names, words and phrases is key. The issue of what precisely a blockchain is, and how the new rights and categories can be applied to one, is at the heart of the matter.

The Genaro Network and the team building its smart data ecosystem will be active participants in the debate. In the next piece, we will look through some of the ways that GDPR might collide with specific elements of blockchain, including how notions of personal data rights can be thought of in the context of systems designed to run smoothly without a central ‘Controller’ at the helm.

Find more about the Genaro Network’s dual-strata architecture blockchain and decentralized storage at: https://genaro.network

Useful Links for GDPR and Blockchain

https://www.eugdpr.org/gdpr-faqs.html

–A simple but thorough unofficial information website.

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

–The E.U.’s own official explanation in English of how the law works.

https://www.whitecase.com/publications/article/gdpr-handbook-unlocking-eu-general-data-protection-regulation

–A legal firm’s treatment of GDPR.

https://theconversation.com/gdpr-ground-zero-for-a-more-trusted-secure-internet-95951

–A university researcher in technology analyzing a range of the issues involved.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

–The view of a general tech journalist.

https://cointelegraph.com/news/gdpr-and-blockchain-is-the-new-eu-data-protection-regulation-a-threat-or-an-incentive

–A longer breakdown of key ideas in the crypto/ data rights intersection.
