Enabling GDPR compliant trading of personal data on the blockchain
Scope of the General Data Protection Regulation (GDPR)
The General Data Protection Regulation¹ aims primarily to give consumers back control over their personal data and to simplify the regulatory environment for international business. The GDPR applies to processing within EU member states, and it also regulates how personal data may be exported outside the EU. The GDPR is the same across all EU member states, which means that companies only have to implement the standard once.
The GDPR is binding for any company that stores or processes personal data about EU citizens within the EU states, even if it has no business presence in the EU. The following types of companies have to comply:
- Companies with a presence in an EU country
- Companies with no presence in an EU country that process personal data of European residents
- Companies with more than 250 employees
- Companies with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data
In consequence, nearly every company has to comply. A PwC report² shows that more than 90% of all companies in the US consider GDPR a top data protection priority!
What is personal data and what types are protected by GDPR?
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The consequence is that online identifiers such as an IP address or cookies become “personal data” if they can be linked back to the data subject without undue effort.
The following list provides an overview of the types of data that are protected by GDPR:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
PDATA concept for trading personal data on the blockchain
PDATA’s basic strategy is to be decentralized, meaning that the platform is not designed to hold data as an intermediary between the consumers providing data and the companies that request data, but just to mediate transactions between the two parties.
To achieve this, PDATA’s concept is to store in cleartext only a proof that a dataset exists, together with some descriptive information about it. That enables companies to filter for the consumer profiles and datasets they are interested in.
This raises the question of where the data is stored. The original unencrypted data never leaves the storage of its owner, which is usually the device on which the data was sourced (e.g. the user’s smartphone). Whenever data has to leave this device, it is encrypted.
Encryption is based on asymmetric cryptography, so there is a public and a private key involved. For each dataset present in the system, the owner generates a special public/private key pair and encrypts the data with the public key, while not giving away the corresponding private key. Data encrypted this way is stored on a P2P network of servers for easy accessibility. The reason is that data has to be accessible even if the device of a consumer is offline and to ensure that the storage used for personal data on consumer devices is kept at a minimum. The important fact here is that this data is completely useless for anyone not holding the private key, so effectively the data is completely protected, and only its owner can use it, even though it resides on a server/network of servers.
Figure 1 visualizes the process of trading personal data on the PDATA platform. Consumers continuously submit their encrypted data to the platform where it is stored as mentioned above. They send the data through the Opiria app or by connecting different services to the platform (like wearables, smart home devices, browser plugins).
Now let’s take an example: Having determined a need for some specific data from consumers, a company will send a data request on the PDATA platform (step 1) for this data for a certain consumer profile (like requesting data XYZ and offering N PDATA tokens in return as compensation). The platform will match this request with the consumers who are able to provide the data (step 2) and will send an offer to the target consumers (step 3). An offer could look like this: company A would like to access data XYZ from you and offers N PDATA tokens for it. Do you want to accept this offer?
In case the consumer accepts (step 4), the PDATA platform informs the smart contract in the blockchain of a pending transaction and prepares for the exchange of the specified data from the consumer to the company for the defined amount of PDATA tokens (step 5).
Next, the smart contract executes the transaction (step 6). This means that the smart contract locks into escrow the PDATA tokens the consumer will receive (6.1). The consumer’s private dataset key is sent through the blockchain from the consumer (6.2) to the company (6.3). The private dataset key is encrypted with the company’s public key, so it can only be used by the company. Then the PDATA tokens are transferred to the consumer’s account (6.4) and the company receives the still encrypted dataset it has bought (6.4).
Finally (step 7), the company, now holding both the dataset and the private dataset key, is able to decrypt the data and use it.
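The following Go program is an added illustration of the key handling described above; it is not PDATA's or Opiria's code. It generates one X25519 key pair per dataset, encrypts the data so that only the dataset's private key can open it, then hands that private key to the buyer sealed under the company's public key (steps 6.2 to 7). Public-key algorithms cannot encrypt a whole dataset directly, so it uses the usual hybrid form (ephemeral ECDH plus AES-256-GCM) with a simplified SHA-256 key derivation in place of HKDF. The sample record, function names and wire layout are constructed for the example; the blockchain transport and token escrow are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample: one dataset as it might be sourced on a consumer's device.
var sampleData = []byte(`{"category":"steps","day":"2018-05-01","count":8421}`)

// must unwraps (value, error) pairs; a failure here, such as no entropy, is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor derives AES-256-GCM from the ECDH shared secret and both public keys.
// Plain SHA-256 keeps the example in the standard library; use HKDF in production.
func aeadFor(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), recipientPub...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext so that only the holder of the private key matching recipient
// can read it: ephemeral X25519 plus AES-256-GCM, the usual hybrid form of "encrypt with
// the public key". Layout: ephemeral public key (32 bytes) || nonce (12) || ciphertext+tag.
func seal(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(shared, ephPub, recipient.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce)) // a fresh random nonce per message; entropy failure is fatal
	return aead.Seal(append(append([]byte{}, ephPub...), nonce...), nonce, plaintext, ephPub), nil
}

// open reverses seal; it fails for anyone not holding priv and for any blob modified in storage or transit.
func open(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	const pubLen, nonceLen = 32, 12
	if len(blob) < pubLen+nonceLen {
		return nil, errors.New("sealed blob too short")
	}
	ephPub := blob[:pubLen]
	peer, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared, ephPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], ephPub)
}

// runTrade walks the exchange: a per-dataset key pair on the consumer side, the dataset
// private key sealed to the company (step 6.2/6.3), decryption by the company (step 7). It
// also reports whether someone holding only the stored ciphertext, such as the storage network, could read it.
func runTrade() (recovered []byte, storageCanRead bool) {
	datasetPriv := must(ecdh.X25519().GenerateKey(rand.Reader))                     // consumer: one key pair per dataset
	stored := must(seal(datasetPriv.PublicKey(), sampleData))                       // what the P2P network holds
	company := must(ecdh.X25519().GenerateKey(rand.Reader))                         // company's own key pair
	wrappedKey := must(seal(company.PublicKey(), datasetPriv.Bytes()))              // step 6.2/6.3: readable by this buyer only
	boughtKey := must(ecdh.X25519().NewPrivateKey(must(open(company, wrappedKey)))) // step 7: unwrap the dataset key
	recovered = must(open(boughtKey, stored))                                       // step 7: decrypt the bought dataset
	bystander := must(ecdh.X25519().GenerateKey(rand.Reader))                       // anyone without the dataset key
	_, err := open(bystander, stored)                                               // fails GCM authentication
	return recovered, err == nil
}

func main() {
	got, leak := runTrade()
	fmt.Printf("company recovered %s\nstorage can read: %v\n", got, leak)
}
```

Two details matter for the GDPR argument in the sections that follow: the storage network only ever sees `stored`, which it cannot open without the dataset key, and the wrapped key can be unwrapped only by the company whose public key it was sealed to, so a second company that obtains the same blob gets an authentication failure rather than the data.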
How PDATA fulfills the requirements of GDPR
The following describes how the PDATA platform fulfills the GDPR requirements regarding privacy and protection of personal data.
1. Consent as lawful basis for processing
Requirement: according to art. 6, personal data can only be processed on a lawful basis, based on the consumer’s consent.
By entering the PDATA platform, consumers give their consent for storing their personal data in an encrypted format. The platform informs the consumers about each request that was made by companies on their personal data. They can give their consent and allow the company to access their data, or not. In case of giving consent, the smart contract mediates the transaction in a secured and decentralized way.
The given consent can be demonstrated through the PDATA smart contract — which codifies into a transaction every action of its users — and is fully traceable through the blockchain. Cases in which consumers withdraw their consent or decide to erase their data will be managed by the smart contract, which would terminate access to the specific data.
2. Security of processing and pseudonymisation
Processing of personal data has to ensure a high level of security (art. 32) including: pseudonymisation and encryption, confidentiality, integrity, availability and resilience of processing systems and services.
The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible; the process cannot be reversed without access to the correct decryption key. The GDPR requires that the decryption key be kept separately from the pseudonymised data.
This is fulfilled par excellence by the PDATA architecture and the smart contract. Personal data is stored encrypted, and only the consumer who owns the data has the key for its decryption. The data and the key are stored in different places: the data on the PDATA platform and the key on the device of the data subject where the data was produced. When it comes to an exchange, the smart contract mediates the transaction in a secure way, ensuring that only the company to which the consumer gave consent is able to decrypt the data.
Personal data will never leave its source (the consumer) in a non-encrypted format. Hence, it is not usable by any third party, except with the consent of the user and governed by the PDATA smart contract.
Overall, the integrity, availability and resilience of the system is ensured by encrypted storage on a network of distributed servers based on peer-to-peer technology, blockchain based transactions, as well as the architecture of the PDATA platform.
3. Right of access, transparency and processing purpose
The right of access (art. 15) gives consumers the right to get access to their personal data. Additionally, they have the right to know how and by whom their personal data is being processed (art. 13, 14).
Consumers can access their data at any time. The PDATA platform offers an interface where consumers can check and update their personal data.
The PDATA platform requires companies that want to buy data to state the purpose for which the data will be used as well as the envisaged period of usage. The PDATA platform informs the consumers about purpose and usage when sending them offers. Further on, consumers will know exactly what data they share (because they have to give consent to each data category) and with whom they share it. The smart contract ensures that only the data for which consumers gave consent will be made available to the companies.
4. Right to rectification, to erasure and data portability
The right to rectification (art. 16) gives consumers the possibility to update and complete their personal data. The right to be forgotten (art. 17) means that consumers have the right to request erasure of their personal data.
The PDATA platform supports the right to rectification by allowing the consumer to view, change and update his personal data at any time.
The consumer can erase his personal data by simply deleting it under his account on the PDATA platform. His private dataset keys will be destroyed, which implies the complete loss of all corresponding data. Additionally, the encrypted data will be deleted from the platform.
The consumer’s right to portability (art. 20), meaning the right to receive their own personal data in a structured, commonly used format, is fulfilled by the PDATA platform’s ability to show the consumer locally all of his personal data that is stored on the platform.
5. Records of processing activities
Art. 30 requires that all processing of personal data be documented, including the purposes of the processing and the categories of personal data processed.
This is given by the blockchain, in which the PDATA smart contract creates a record of all transactions including the requested information. Additionally, the code of the PDATA smart contract is open and all data processing steps on the platform are well documented.
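As an added example, not the project's smart contract, the Go model below covers the consent bookkeeping that sections 1, 3 and 5 attribute to the PDATA smart contract: offers carry purpose and retention period, consent is recorded per consumer, company and data category, a release check gates the key hand-over, withdrawal revokes it, and every action lands in a hash-chained append-only log that can be verified for tampering. The field names, hash layout and sample values are assumptions made for the illustration; an on-chain contract gets the append-only property from the chain itself rather than from this in-memory hash chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Offer is what a company files on the platform (step 1): category, purpose, envisaged period of use, compensation.
type Offer struct {
	ID, Company, Category, Purpose string
	RetentionDays                  int
	Tokens                         uint64
}

// Record is one append-only log entry; PrevHash chains it to its predecessor so the history is tamper-evident.
type Record struct {
	Seq      int
	Action   string // "grant" or "withdraw"
	Consumer string
	Offer    Offer
	At       time.Time
	PrevHash string
	Hash     string
}

// ConsentLedger stands in for the contract's bookkeeping: an immutable log plus the currently valid consents.
type ConsentLedger struct {
	records []Record
	expiry  map[string]time.Time // key: consumer|company|category, value: when the consent lapses
}

func NewConsentLedger() *ConsentLedger {
	return &ConsentLedger{expiry: map[string]time.Time{}}
}

func consentKey(consumer, company, category string) string {
	return consumer + "|" + company + "|" + category
}

func recordHash(r Record) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s|%s|%s|%d|%d|%s",
		r.Seq, r.Action, r.Consumer, r.Offer.ID, r.Offer.Company, r.Offer.Category,
		r.Offer.Purpose, r.Offer.RetentionDays, r.At.Unix(), r.PrevHash)))
	return hex.EncodeToString(sum[:])
}

func (l *ConsentLedger) log(action, consumer string, o Offer, at time.Time) {
	r := Record{Seq: len(l.records), Action: action, Consumer: consumer, Offer: o, At: at}
	if n := len(l.records); n > 0 {
		r.PrevHash = l.records[n-1].Hash
	}
	r.Hash = recordHash(r)
	l.records = append(l.records, r)
}

// Grant records the consumer's acceptance (step 4). An offer without purpose and retention period is refused.
func (l *ConsentLedger) Grant(consumer string, o Offer, at time.Time) error {
	if o.Purpose == "" || o.RetentionDays <= 0 {
		return errors.New("offer must state purpose and retention period")
	}
	l.expiry[consentKey(consumer, o.Company, o.Category)] = at.AddDate(0, 0, o.RetentionDays)
	l.log("grant", consumer, o, at)
	return nil
}

// Withdraw ends the consent; later release checks for this company and category fail.
func (l *ConsentLedger) Withdraw(consumer string, o Offer, at time.Time) {
	delete(l.expiry, consentKey(consumer, o.Company, o.Category))
	l.log("withdraw", consumer, o, at)
}

// MayRelease is the gate before a dataset key is handed over (step 6): consent for exactly this company and category, not yet lapsed.
func (l *ConsentLedger) MayRelease(consumer, company, category string, now time.Time) bool {
	exp, ok := l.expiry[consentKey(consumer, company, category)]
	return ok && now.Before(exp)
}

// Verify recomputes the chain: an altered or reordered entry, or a gap in the sequence, is detected.
func (l *ConsentLedger) Verify() bool {
	prev := ""
	for i, r := range l.records {
		if r.Seq != i || r.PrevHash != prev || recordHash(r) != r.Hash {
			return false
		}
		prev = r.Hash
	}
	return true
}

func main() {
	l := NewConsentLedger()
	o := Offer{ID: "req-1", Company: "company-a", Category: "location", Purpose: "traffic analysis", RetentionDays: 30, Tokens: 50}
	_ = l.Grant("consumer-1", o, time.Now())
	fmt.Println("release allowed:", l.MayRelease("consumer-1", "company-a", "location", time.Now()), "log intact:", l.Verify())
}
```

The log keeps the art. 30 material (who, which category, which purpose, for how long) for every grant and withdrawal, while the release check answers the operational question a contract has to settle before step 6.2: is there a live consent for exactly this company and this category right now.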
6. Data protection by design and by default
The principles stated in art. 25 require that data protection is “designed” into the development of business processes for products and services. They also require that privacy settings be set to a high level by “default”.
PDATA’s trading of personal data is based on the blockchain. Blockchains were built to function in a “trustless” environment in which people can transact directly with one another without needing to trust any middleman in the ecosystem.
Based on this principle, the PDATA platform’s architecture ensures the following:
- The consumer owns the personal data and has full control over it.
- Personal data never leaves the consumer in an unencrypted format and only the consumer holds the key to decrypt it.
- Personal data can only be transferred to a company with the consumer’s consent. In addition to that the consumer knows exactly who gets the data and for what purpose.
- The trading of personal data is fully transparent and traceable on the blockchain, while the anonymity of the trading parties is completely protected.
As described in this article, the PDATA platform enables secure, lawful, fair and transparent trading of personal data based on the blockchain, fully compliant with the principles of the GDPR.