To minimise the risk of personal data finding its way onto
the network, MTI will implement technological solutions
to identify personal data submitted to the network and
prevent such data from entering the network. These
solutions could range from restricted data fields that do
not accept data formats containing personal data, to
artificial intelligence solutions that screen all submitted
data for personal data and either flag suspected personal
data for review, thereby preventing submissions containing
personal data from entering the network, or redact
personal data from otherwise compliant data submissions.
The artificial intelligence screening described above has
the added benefit of reduced business impact, as data
entries could still be submitted to the network with no
interruption and only personal data inadvertently included
in a data submission would be impacted.
These techniques could help reduce MTI's GDPR-related
compliance burden by limiting the opportunities for
personal data to enter the network. Instead of having to
ensure GDPR-compliant treatment of vast amounts of
personal data intentionally entered onto the network,
MTI would be left with only personal data inadvertently
entered into the network that had evaded the front-end
screening mechanisms described above. The effort by
MTI to implement privacy by design and make use of data
minimisation techniques demonstrates a genuine attempt
at compliance with data protection and privacy legislation.
While there may be a risk of non-compliance with the
GDPR in this solution, the concerted efforts at compliance
undoubtedly act as mitigants of that risk.

Who will be data controllers and who will be data processors?

Given that each participant who is transmitting personal
data across the network (including via any specifically
designed off-chain side channel) will likely be determining
the purposes and means of processing in relation to any
personal data, it would seem logical to conclude that
these participants are data controllers. The same holds
true for participants that store personal data in their own
right, whether or not that personal data was received via
a side channel or extracted from personal data that has
inadvertently entered the blockchain.

To the extent that there are participants in the network
who are simply operating a node which processes
personal data on behalf of other participants, these
participants would likely be data processors. However,
it should be noted that a participant involved in creating
the architecture of the system could be deemed as acting
as a data controller in determining the purposes and
means of processing.
GDPR and the Blockchain | 41