6.6 Measures to help achieve GDPR compliance
In summary, MTI can build a substantially GDPR-compliant blockchain solution by following the steps below.
1. Keep personal data off-chain to the maximum extent possible. To keep personal data off-chain, MTI should only allow corporations (not natural persons) to be participants on the blockchain network. By preventing natural persons from joining the blockchain network, MTI can prevent network participant identifiers from being considered personal data. Additionally, MTI should have all network participants agree in the network governance document that they will not upload personal data to the blockchain. Lastly, MTI may consider using technological solutions such as restricted data entry fields and artificial intelligence to prevent personal data submitted to the network from being uploaded to the blockchain.
2. Use a private, permissioned blockchain. This will allow MTI (or whatever group or entity is specified in the network's governance document) to control who is able to join the blockchain network (which is needed to prevent natural persons from joining as network participants) and who is able to upload data to the blockchain (which is needed to ensure that only those who have agreed to the limitations on uploading personal data contained in the network governance document are permitted to actually upload data).
3. Employ privacy by design when creating its blockchain network. This includes designing the network to only collect and store data that are adequate, relevant and limited to what is necessary for the purpose for which they are processed, and to comply with data subjects' rights (particularly the rights to rectification and erasure).
4. Document all of these obligations and more in a transparent and robust governance framework. This governance framework should contain terms and conditions to which all network participants must agree before being permitted to join MTI's blockchain solution. Among other things, the terms and conditions should:
• prohibit network participants from uploading personal data to the blockchain;
• incorporate the data processing clauses required by Article 28 and oblige all network participants that are data processors to abide by those clauses;
• incorporate the European Commission's model international data transfer clauses; and
• establish the processes by which the network participants will enable data subjects to exercise their rights.
By taking the above steps, MTI can create a substantially GDPR-compliant blockchain solution.
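The technical side of steps 1 to 3 can be shown in code. The following is an added example written for this page, not MTI's design or code from the paper: a toy permissioned ledger in Python in which only allow-listed organisations may write, each record type has a fixed whitelist of on-chain fields (the "restricted data entry fields" of step 1, with a simple pattern check standing in for the automated detection the paper mentions), and anything personal is kept in an erasable off-chain store with only a salted SHA-256 commitment going on the chain. Erasure and rectification then act on the off-chain store while the chain itself is never rewritten. The participant names, record schema and sample data are constructed assumptions for illustration.

```python
"""Added example, not from the paper: a toy permissioned ledger that keeps
personal data off-chain. Assumptions are the example's own: participants are
organisations on an operator-maintained allow-list, each record type has a
fixed whitelist of on-chain fields, and personal data lives in an erasable
off-chain store with only a salted SHA-256 commitment on the chain.
All names and sample values are constructed for illustration.
"""
import hashlib
import json
import re
import secrets
from dataclasses import asdict, dataclass
from typing import Optional

# Step 2: the operator controls who may write (organisations only, no natural persons).
ALLOWED_PARTICIPANTS = {"ORG-ACME", "ORG-GLOBEX"}  # assumed participant IDs

# Step 1: restricted data entry fields, per record type, for the on-chain part.
ON_CHAIN_SCHEMA = {
    "shipment": {"shipment_id", "container_id", "origin_port", "dest_port"},
    "rectification": {"corrects_block"},
}

# Cheap stand-in for automated personal-data detection on permitted fields.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)


class PolicyViolation(Exception):
    """Raised when a write would breach the network's data policy."""


def validate_on_chain_payload(record_type: str, payload: dict) -> None:
    allowed = ON_CHAIN_SCHEMA.get(record_type)
    if allowed is None:
        raise PolicyViolation(f"unknown record type {record_type!r}")
    extra = set(payload) - allowed
    if extra:
        raise PolicyViolation(f"fields not permitted on-chain: {sorted(extra)}")
    for key, value in payload.items():
        if not isinstance(value, str):
            raise PolicyViolation(f"{key}: only string values are permitted")
        if EMAIL_RE.search(value):
            raise PolicyViolation(f"{key}: value looks like personal data")


def canonical(data: dict) -> bytes:
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def commitment(data: dict, salt: bytes) -> str:
    # Salted so the digest cannot be brute-forced back to low-entropy data.
    return hashlib.sha256(salt + canonical(data)).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    participant: str
    record_type: str
    payload: dict
    personal_commitment: Optional[str]
    hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        return hashlib.sha256(canonical(body)).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.chain: list = []
        self.off_chain: dict = {}  # erasable store, keyed by block index

    def append(self, participant, record_type, payload, personal=None) -> Block:
        if participant not in ALLOWED_PARTICIPANTS:
            raise PolicyViolation(f"{participant!r} is not an admitted participant")
        validate_on_chain_payload(record_type, payload)
        idx, commit = len(self.chain), None
        if personal is not None:
            salt = secrets.token_bytes(16)
            commit = commitment(personal, salt)
            self.off_chain[idx] = {"data": personal, "salt": salt}
        prev = self.chain[-1].hash if self.chain else "0" * 64
        block = Block(idx, prev, participant, record_type, payload, commit)
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify_personal(self, idx: int) -> bool:
        """True only if an off-chain record exists and matches its commitment."""
        rec = self.off_chain.get(idx)
        return rec is not None and commitment(rec["data"], rec["salt"]) == self.chain[idx].personal_commitment

    def erase_personal(self, idx: int) -> None:
        """Right to erasure: delete off-chain; the chain keeps only an opaque digest."""
        self.off_chain.pop(idx, None)

    def rectify_personal(self, participant, idx: int, new_data: dict) -> Block:
        """Right to rectification: drop the old off-chain record and commit the
        corrected value in a new block that points at the old one."""
        self.off_chain.pop(idx, None)
        return self.append(participant, "rectification", {"corrects_block": str(idx)}, new_data)

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for blk in self.chain:
            if blk.prev_hash != prev or blk.compute_hash() != blk.hash:
                return False
            prev = blk.hash
        return True
```

The point of the split is that the hash chain stays intact and verifiable after an erasure or correction: deleting the off-chain record leaves a salted digest on the chain that no longer links to anyone, and a correction is recorded as a new block rather than by editing history. The regex check is only a placeholder for whatever detection the network actually deploys; the governance document still has to carry the contractual prohibition from step 4, because no field filter is complete.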
42 I GDPR and the Blockchain