TechGDPR

Blocks Ascending: The GDPR Checklist for Any Blockchain Project

Monday September 17th, 2018 by Jesse van Mouwerik

Illustration of blockchain blocks flying over the ocean above a sailboat.

The rise of blockchain technology, and of the data-centric enterprises that accompany it, is starting to change how technology is regulated around the world. From China cracking down on ICOs, to new data privacy laws in California, to countries attracting entire crypto-economies to their shores, the global data privacy landscape is complex and constantly in flux. Such conditions can tempt startup leaders in the blockchain space to wait before responding to new regulations, particularly Europe’s GDPR, until a clearer course of action reveals itself – but this is not the right approach. Even now, there are several common-sense questions that anyone working in blockchain should ask themselves about GDPR compliance. Here are a few.

Do I have a website? Do I use analytics for that website?

It seems obvious, but before considering the risks of any platform, any peer-to-peer network, or even any business model, consider your website. On a typical website, information is being collected about who is visiting. This could be as mundane as basic analytics, or even a standard email list. Depending on how this information is gathered (and how consent to share data is established), it’s possible to be in possession of what the GDPR classifies as personal data. This is a problem that can easily be solved if attention is paid to web analytics early on.

Do apps impact the privacy of my blockchain network?

It could be your own app, or it could be someone else’s. Many bitcoin exchanges, for example, are very vulnerable to hacking, raising the chances of losing the personal data of their users. Conversely, more traditional financial institutions have an interest in monitoring certain blockchain activity, especially cryptocurrencies. This creates a financial incentive to keep an eye on the size of crypto markets, as well as their weaknesses. Having the ability to identify data controllers in the event of a breach is an important step towards improving application security, particularly for blockchain companies.

Do I have a contingency plan in place if a regulator approaches me?

Let’s assume that you have founded a startup using blockchain technology, and are making meaningful efforts to comply with GDPR regulations. Is there someone in your organization who can prove this? For reasons you may not anticipate, regulators may need to inquire about your data storage practices. If that occurs, having someone assigned to providing key information is critical. If you cannot do this (and show it on a technical level), difficulties can quickly arise. To that end, it is important to ensure that companies have defined internal guidelines and contingency plans concerning data security in general. These guidelines can then be pragmatically applied to how blockchain technology is being used. It may be important to distinguish between broader company practices and a particular blockchain project. All of these needs require the effort of more than one person or department, but they can be much better coordinated with the help of a Data Protection Officer.

Illustration of large wave representing GDPR about to overtake a small ship representing a blockchain entrepreneur, created by Jesse van Mouwerik for TechGDPR


Am I or any of my B2B Partners working with end users?

Even if your startup isn’t working with end users, one of your partners might be. B2B transactions can end up involving some degree of personal data, depending on the partnership. It’s good to be aware of this as it concerns your own partnerships. A common assumption is that unless a blockchain company is made purely for ordinary consumers, it does not have to worry about personal data or data security as it relates to EU citizens. This is a myth. Though a B2B product is less likely to run into trouble, the trouble it could have is also less clearly defined, varying from case to case. There are often straightforward specifications surrounding different cases, especially as they concern B2B marketing. But if a company is to comply, it must know what these specifications are.

What tools am I relying on to conduct my business?

This could apply to digital tools or to standard hardware. Blockchain platforms, whether on servers or smartphones, require the interaction of many different devices. Having at least some idea of device security is key to maintaining the integrity of your blockchain network, especially when it comes to IoT products, which pose a data security risk if they are not properly patched. Though blockchain can also potentially improve IoT security, articulating a concise strategy that also shows compliance takes some time.

Do I really need a DPO? If so, how often?

As already mentioned, DPOs at companies provide regulators with the information they need when questioned, but that isn’t their only function. They also do a great deal of important work for companies undertaking any significant data processing. In Germany, for example, companies of a certain size are now required to have DPOs. If a full-time DPO hire isn’t necessary, companies can also outsource DPO work to trusted third parties. What’s most convenient for blockchain startups is typically to use the services of a blockchain DPO. This way, the DPO is already familiar with the technology in use, as well as understanding GDPR requirements.

Nearly all blockchain startups are affected by at least one of the above scenarios. In each case, being prepared is far easier and far less costly than being hesitant.


To stay up to date on how the GDPR affects technology, follow TechGDPR on Twitter.
