Page 0043

To minimise the risk of personal data finding its way onto

the network, MTI will implement technological solutions

to identify personal data submitted to the network and

prevent such data from entering the network. These

solutions could range from restricted data fields that do

not accept data formats containing personal data, to

artificial intelligence solutions that screen all submitted

data for personal data and either flag suspected personal

data for review, thereby preventing submissions containing

personal data from entering the network, or redact

personal data from otherwise compliant data submissions.

The artificial intelligence screening described above has

the added benefit of reduced business impact, as data

entries could still be submitted to the network with no

interruption and only personal data inadvertently included

in a data submission would be impacted.

These techniques could help reduce MTI's GDPR-related

compliance burden by limiting the opportunities for

personal data to enter the network. Instead of having to

ensure GDPR-compliant treatment of vast amounts of

personal data intentionally entered onto the network,

MTI would be left with only personal data inadvertently

entered into the network that had evaded the front-end

screening mechanisms described above. The effort by

MTI to implement privacy by design and make use of data

minimisation techniques demonstrates a genuine attempt

at compliance with data protection and privacy legislation.

While there may be a risk of non-compliance with the

GDPR in this solution, the concerted efforts at compliance

undoubtedly act as mitigants of that risk.


Who will be data controllers

and who will be data processors?

Given that each participant who is transmitting personal

data across the network (including via any specifically

designed off-chain side channel) will likely be determining

the purposes and means of processing in relation to any

personal data, it would seem logical to conclude that

these participants are data controllers. The same holds

true for participants that store personal data in their own

right, whether or not that personal data was received via

a side channel or extracted from personal data that has

inadvertently entered the blockchain.

To the extent that there are participants in the network

who are simply operating a node which processed

personal data on behalf of other participants, these

participants would likely be data processors. However,

it should be noted that a participant involved in creating

the architecture of the system could be deemed as acting

as a data controller in determining the purposes and

means of processing.

GDPR and the Blockchain I 41


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052