 
4.1 What is the GDPR?
The GDPR is a European Union regulation on
data protection and privacy for individuals
within the European Economic Area (the EEA).
The GDPR was implemented in May 2018 and
marked a significant evolution in data protection
law in Europe. This paper will not summarise
every aspect of the GDPR, but will instead
highlight those aspects of the Regulation we
consider to be most relevant to the question
of GDPR compliance for blockchain solutions.

While the GDPR governs how personal data relating to
individuals inside the EEA may be processed, it also has
a wide-ranging extra-territorial application. The GDPR
applies first and foremost to entities that are processing
personal data in the context of a European establishment,
regardless of whether or not the processing takes place
in the EEA. However, the GDPR also applies to entities
established outside the EEA that are offering goods or
services to (or monitoring the behaviour of) individuals
in the EEA.

As the GDPR became effective within the past twelve
months, there remains much ambiguity and uncertainty
as to how it will be enforced, especially in relation to
innovative technologies such as blockchain. After all,
the GDPR was not designed with distributed ledger
technology in mind. It is, however, possible to gauge, to
some extent at least, the likely approach of European
regulators to blockchain technologies. This can be
achieved by assessing regulators' public statements and
policies related to blockchain, which are considered later
in this paper.

Given that the GDPR is generally perceived as a
high-water mark of international data protection laws
(and becoming a template for increasing numbers of
countries' own data protection laws), engineering a
blockchain solution that is GDPR compliant will help
efforts aimed at achieving worldwide data protection and
privacy compliance.
4.2 What is personal data?
In relation to the GDPR, personal data is any information
relating to an identified or identifiable natural person.
It includes data such as names, addresses, identification
numbers, location data, and IP addresses.

The GDPR also sets out special categories of personal data,
the processing of which is subject to stricter regulation.
These more sensitive categories of personal data include
personal data revealing racial or ethnic origins, political
opinions, religious beliefs and health data.
GDPR and the Blockchain I 15