Blocks Ascending: The GDPR Checklist for Any Blockchain Project

The rise of blockchain technology, and the data-centric enterprises that accompany it, is starting to affect how technology around the world is regulated. From China cracking down on ICOs, to new data privacy laws in California, to countries attracting entire crypto-economies to their shores, the global data privacy landscape is complex and constantly in flux. Such conditions can tempt startup leaders in the blockchain space to wait before responding to new regulations, particularly Europe’s GDPR, until a clearer course of action reveals itself – but this is not the right approach. Even now, there are several common-sense questions that anyone working in blockchain should ask themselves about GDPR compliance. Here are a few.

Do I have a website? Do I use analytics for that website?

It seems obvious, but before considering the risks of any platform, any peer-to-peer network, or even any business model, consider your website. On a typical website, information is being collected about who is visiting. This could be as mundane as basic analytics, or even a standard email list. Depending on how this information is gathered (and how consent to share data is established), it’s possible to be in possession of what the GDPR classifies as personal data. This is a problem that can easily be solved if attention is paid to web analytics early on.

Do apps impact the privacy of my blockchain network?

It could be your own app, or it could be someone else’s. Many bitcoin exchanges, for example, are very vulnerable to hacking, raising the chances of losing the personal data of their users. Conversely, more traditional financial institutions have an interest in monitoring certain blockchain activity, especially cryptocurrencies. This creates a financial incentive to keep an eye on the size of crypto markets, as well as their weaknesses. Having the ability to identify data controllers in the event of a breach is an important step towards improving application security, particularly for blockchain companies.

Do I have a contingency plan in place if a regulator approaches me?

Let’s assume that you have founded a startup using blockchain technology, and are making meaningful efforts to comply with GDPR regulations. Is there someone in your organization who can prove this? For reasons you may not anticipate, regulators may need to inquire about your data storage practices. If that occurs, having someone assigned to providing key information is critical. If you cannot do this (and show it on a technical level), difficulties can quickly arise. To that end, it is important to ensure that companies have defined internal guidelines and contingency plans concerning data security in general. These guidelines can then be pragmatically applied to how blockchain technology is being used. It may be important to distinguish between broader company practices and a particular blockchain project. All of these needs require the effort of more than one person or department, but they can be much better coordinated with the help of a Data Protection Officer.

Illustration of large wave representing GDPR about to overtake a small ship representing a blockchain entrepreneur, created by Jesse van Mouwerik for TechGDPR

Am I or any of my B2B Partners working with end users?

Even if your startup isn’t working with end users, one of your partners might be. B2B transactions can end up involving some degree of personal data depending on the partnership. It’s good to be aware of this as it concerns your own partnerships. A common assumption is that unless a blockchain company is made purely for ordinary consumers, it does not have to worry about personal data or data security as it relates to EU citizens. This is a myth. Though there is less likelihood of having trouble, the trouble that a B2B product could have is also less clear, varying from case to case. There are often straightforward specifications surrounding different cases, especially as it concerns B2B marketing. But if a company is to comply, it must know what these specifications are.

What tools am I relying on to conduct my business?

This could apply to digital tools or standard hardware. Blockchain platforms, whether on servers or smartphones, require the interaction of many different devices. Having at least some idea of device security is the key to maintaining the integrity of your blockchain network, especially when it comes to IoT products, which pose a data security risk if they are not properly patched. Though blockchain can also potentially improve IoT security, articulating a concise strategy that also shows compliance takes some time.

Do I really need a DPO? If so, how often?

As already mentioned, DPOs at companies provide regulators with the information they need when questioned, but that isn’t their only function. They also do a great deal of important work for companies undertaking any significant data processing. In Germany, for example, companies of a certain size are now required to have DPOs. If a full-time DPO hire isn’t necessary, companies can also outsource DPO work to trusted third parties. What’s most convenient for blockchain startups is typically to use the services of a blockchain DPO. This way, the DPO is already familiar with the technology in use, as well as understanding GDPR requirements.

Nearly all blockchain startups are affected by at least one of the above scenarios. In each case, being prepared is far easier and far less costly than being hesitant.

To stay up to date on how the GDPR affects technology, follow TechGDPR on Twitter.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.
