6.6 Measures to help achieve GDPR compliance

In summary, MTI can substantially achieve a GDPR-compliant blockchain solution by following the steps below.

1. Keep personal data off-chain to the maximum extent possible. To keep personal data off-chain, MTI should only allow corporations (not natural persons) to be participants on the blockchain network. By preventing natural persons from joining the blockchain network, MTI can prevent network participant identifiers from being considered personal data. Additionally, MTI should have all network participants agree in the network governance document that they will not upload personal data to the blockchain. Lastly, MTI may consider using technological solutions such as restricted data entry fields and artificial intelligence to prevent personal data submitted to the network from being uploaded to the blockchain.

2. Use a private, permissioned blockchain. This will allow MTI (or whatever group or entity is specified in the network's governance document) to control who is able to join the blockchain network (which is needed to prevent natural persons from joining as network participants) and who is able to upload data to the blockchain (which is needed to ensure only those who have agreed to the limitations on uploading personal data contained in the network governance document are permitted to actually upload data).

3. Employ privacy by design when creating its blockchain network. This includes designing the network to only collect and store data that are adequate, relevant and limited to what is necessary for the purpose for which they are processed, and to comply with data subjects' rights (particularly the rights to rectification and erasure).

4. Document all of these obligations and more in a transparent and robust governance framework. This governance framework should contain terms and conditions to which all network participants must agree before being permitted to join MTI's blockchain solution. Among other things, the terms and conditions should:

• prohibit network participants from uploading personal data to the blockchain;

• incorporate the data processing clauses required by Article 28 and oblige all network participants that are data processors to abide by those clauses;

• incorporate the European Commission's model international data transfer clauses; and

• establish the processes by which the network participants will enable data subjects to exercise their rights.

By taking the above steps, MTI can create a substantially GDPR-compliant blockchain solution.

42 | GDPR and the Blockchain
