4.4 Controllers and processors
Entities processing personal data under the GDPR fall into one of two categories: data controllers or data processors. A data controller is an entity that, alone or with another data controller, has primary responsibility for the processing of personal data, and which determines the manner in which, and the purposes for which, the personal data is processed. A data processor, on the other hand, processes personal data on behalf of a data controller, under mandatory contractual provisions set out in the GDPR.
The legal terminology used in the GDPR, including the notion of data controllers and data processors, was designed with a clear division of responsibilities in mind. However, in a blockchain ecosystem, where decentralisation is key, the variety of stakeholders makes the controller/processor differentiation particularly complex. This is considered further in the following section of this paper.
4.5 Privacy by design
In addition to the above principles, the GDPR includes an overarching obligation on data controllers to move towards data protection by design and by default (so-called privacy by design).8 To achieve privacy by design, data controllers under the GDPR must implement appropriate technical and organisational measures which ensure that, by default, data protection is integrated into all personal data processing activities and business practices, from the initial design stage onwards.
The GDPR's aim through privacy by design is to change organisational attitudes to the protection of personal data, by making it a pervasive issue that is considered by organisations as a matter of course during their business as usual practices. In that light, it should also be noted that:

… when creating solutions based around new technologies (such as blockchain) that pose a potential high risk to individuals' rights or freedoms, there is a specific obligation to conduct a risk assessment known as a Data Protection Impact Assessment (DPIA).
GDPR and the Blockchain I 17