There is an opinion that blockchain technology and GDPR are fundamentally incompatible because of decentralized data handling. General Data Protection Regulation (GDPR) was created to protect and empower all European Union citizens’ data privacy. A blockchain is a shared and synchronized digital database that is maintained by a consensus algorithm and stored on multiple nodes. As we see, GDPR has implicit assumptions around centralization and a single legal entity whereas blockchain, being a grouping of multiple technologies, explicitly uses decentralization at its core and achieves its resilience through replication. So, how can blockchain and data privacy regulations collaborate to provide business value despite their known tensions?
What potential personal data can Crypto companies collect?
When signing up, data subjects may be asked a wide range of their information, e.g., email address, bank information for depositing, residential address, and many more, due to following anti-money laundering regulation. Any information about an individual that these companies may collect and that is not pseudonymized, is subject to GDPR and other relevant data protection laws.
Are GDPR requirements relevant only for companies based in EU?
Data controllers that process the personal data of EU subjects must comply with personal data protection requirements. The territorial-scope provisions in GDPR make it clear that any sort of processing of personal data of EU citizens falls under the GDPR, including companies registered and operating in other countries.
Main data protection requirements for Crypto companies
As it was mentioned above the crypto companies are processing a lot of personal data, therefore, these companies at least shall have:
- Privacy policy. A document that foresees the scope and purposes of personal data processed by a company and provides information on data subject rights and other relevant information. It is important to note that privacy policy must not only be published but also followed in the data controller’s processing activities, as well as updated regularly;
- Cookie policy. A document that foresees the used cookies and other similar technologies of the data controller, ways to manage them, and other relevant information relating to the information collected from data subjects.
- Internal data processing rules. This document foresees the internal rules that data controllers use when processing personal data.
- Data protection impact assessments. In accordance with GDPR, data protection impact assessments (DPIA) are mandatory where data processing is likely to result in a high risk to fundamental rights. DPIA’s are evaluations of the impact of the planned processing operations on data subjects that ought to be carried out by data controllers where the nature, scope, context, and purposes of processing are of high risk to the rights and freedoms of natural parties, especially in cases where new technologies are used. In this regard, blockchain technology companies, in most cases, may be required to carry out DPIA’s with their used processors or IT solutions;
- Security breach management procedure. Due to the sensitive time limit for breach management and notification, data controllers and processors must have a security breach procedure.
- Employees’ and candidates’ personal data processing policy. An internal document dedicated to employee and candidate personal data processing is mandatory for data controllers in this regard.
Data protection officers – a right or an obligation?
The data protection officer is definitely another main requirement of the GDPR. Due to this, it is especially important to review if the organization or company must appoint a data protection officer (DPO). The appointment of the DPO will be mandatory when:
- the processing is performed by a public authority or body, except the courts that act in the exercise of their judicial function,
- the main activities of the controller or processor consist of processing operations that due to their nature, scope, and/or purposes, require a regular and systematic observation of parties concerned on a large scale,
- the main activities of the controller or processor consist of the large-scale processing of special categories of personal data and the data relating to criminal convictions and offenses.
Crypto companies are among the organizations required to appoint a DPO due to such companies’ activities of personal data processing.
The role of DPO
Appointing an internal or external data protection officer is not enough: an appointment of DPO is just the beginning of compliance journey. There are many requirements involving a DPO, such as:
- ensuring that DPO is appointed based on his/her professional qualities. DPO must be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art. 39 of GDPR;
- ensuring that DPO has the task to monitor compliance with the GDPR and with the policies of the data controller;
- ensuring that DPO is involved in all matters related to the protection of personal data. The DPO should participate in the executive committee, project coordination committees, new product committees, security committees, or any other committee deemed useful in the context of data protection. Internal procedures must document such involvement;
- ensuring that contact details of DPO have been provided to the supervisory authority and made available for the data subjects.
Trust, not blockchain, is the new currency
Being compliant with GDPR is not only a legal obligation that companies face. It is one of the main aspects of building trust with potential users. In an article published by the Lithuanian data protection authority (VDAI) regarding safe internet use, one of the signs of an unsecured website or an app included a lack of privacy policy. Regular consumers are used to features such as choosing which cookies can be used by the data controller, exercising their right to be forgotten, etc. Therefore, implementing public GDPR procedures and policies such as a privacy policy or a cookie policy has become an indicator that service providers are safe to use and trustworthy.
What to take out from this?
Requirements for GDPR go far beyond the processes mentioned above. Rather than a destination, it is a continuous journey. Although there is little overlap or conflict between blockchain technology and GDPR, requirements for data protection still apply and must be ensured in all personal data processing activities. Once implemented, procedures and policies of personal data processing must not only be regularly updated but also followed in all data processing activities. While compliance with GDPR is a demanding process, it is beneficial not only to the consumers but also to the companies providing their services for them. Compliance with GDPR proves that trust is indeed the new currency.
If you need assistance in matters regarding GDPR compliance or any other issues related personal data protection, authorization of crypto company or any other issues regarding cryptocurrencies, please consult the experts of ECOVIS ProventusLaw.