decentralized-id.github.io/_posts/government/europe/regulation/2019-03-01-gdpr.md

106 lines
9.2 KiB
Markdown
Raw Normal View History

2019-03-28 19:40:33 -04:00
---
date: 2019-03-01
2020-01-06 09:46:09 -05:00
title: "The General Data Protection Regulation (GDPR) of the European Union"
2019-03-28 19:40:33 -04:00
toc: false
categories: ["Government"]
tags: ["GDPR","Europe","eIDAS"]
2020-01-05 23:54:47 -05:00
redirect_from:
2020-11-05 23:47:20 -05:00
- public-sector/europe/GDPR/
2020-01-05 23:54:47 -05:00
- gdpr/
2020-11-05 23:47:20 -05:00
header:
2020-11-19 03:16:51 -05:00
image: /images/general-data-protection-regulation-gdpr-header.webp
teaser: /images/gdpr-teaser.webp
2020-11-05 23:47:20 -05:00
permalink: government/europe/regulation/gdpr/
canonical_url: 'https://decentralized-id.com/government/europe/regulation/gdpr/'
last_modified_at: 2020-01-05
2019-03-28 19:40:33 -04:00
---
2020-01-05 23:54:47 -05:00
The General Data Protection Regulation (GDPR) is a privacy regulation enacted May 2018, effecting anyone processing the data of EU residents.
2019-03-28 19:40:33 -04:00
2020-10-10 05:14:54 -04:00
* [GDPR - A reflection on the 'self-sovereign identity' and the Blockchain](https://www.linkedin.com/pulse/gdpr-reflection-self-sovereign-identity-blockchain-nicolas-ameye/)
2020-01-09 11:44:41 -05:00
* [Blockchains and Data Protection in the European Union](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3080322)
* [IBM — How blockchain could address five areas associated with GDPR compliance](https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=61014461USEN)
* [When GDPR Becomes Real, and Blockchain is no longer fairydust](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/final-documents/gdpr.md)
2019-03-05 12:44:00 -05:00
2020-01-09 11:44:41 -05:00
### EU Blockchain Observatory and Forum Report
* [Blockchain and the GDPR](https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf)
* [Blockchain and Identity](https://www.eublockchainforum.eu/sites/default/files/report_identity_v0.9.4.pdf)
2019-03-13 23:01:23 -04:00
2020-01-05 23:54:47 -05:00
**Section 19: Decentralised identity and the European regulatory landscape**
2020-01-09 11:44:41 -05:00
* IDENTITY AND THE GDPR
> An identity framework will need to work within such GDPR principles as data minimisation, purpose limitation and storage limitation. It will also have to deal with many of the rights that data subjects have under the GDPR, among them the well-known right to erasure (right to be forgotten), right of access and rights related to the automated processing of data. The GDPR also lays down clear responsibilities for data controllers and processors that will certainly need to be taken into account as well.
* EIDAS: A PAN-EUROPEAN NATIONAL IDENTITY STANDARD
> Perhaps the most important regulation dealing with identity in the EU is eIDAS, an EU regulation and a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so is worth a closer look.
2020-01-06 02:31:44 -05:00
2020-01-09 11:44:41 -05:00
[![](https://i.imgur.com/HADdi6N.jpg)](https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf)
2020-01-05 23:54:47 -05:00
### Privacy by Design
Privacy by Design means that privacy should be considered from the very beginning, when designing a product. [Article 25](https://iapp.org/resources/article/the-eu-general-data-protection-regulation/#A25) of the GDPR requires “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in placeto minimise personal data processing.”
2019-03-05 12:44:00 -05:00
* [GDPR and Privacy by Design, What developers need to know](https://medium.com/@sphereidentity/gdpr-and-privacy-by-design-what-developers-need-to-know-fa5a936da65a)
* [Privacy by Design The 7 Foundational Principles](https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf)
2020-01-05 23:54:47 -05:00
> 1. Proactive not Reactive; Preventative not Remedial
> 2. Privacy as the Default Setting
> 3. Privacy Embedded into Design
> 4. Full Functionality — Positive-Sum, not Zero-Sum
> 5. End-to-End Security — Full Lifecycle Protection
> 6. Visibility and Transparency — Keep it Open
> 7. Respect for User Privacy — Keep it User-Centric
2019-03-14 19:36:41 -04:00
* [Self-Sovereign Privacy By Design](https://github.com/sovrin-foundation/protocol/blob/master/self_sovereign_privacy_by_design_v1.md)s
2020-01-05 23:54:47 -05:00
### Privacy Impact Assesment
[Article 35](http://www.privacy-regulation.eu/en/article-35-data-protection-impact-assessment-GDPR.htm) describes “a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies” called a [Privacy Impact Assessment](https://en.wikipedia.org/wiki/Privacy_Impact_Assessment) (PIA),
* [ISO/IEC 29134:2017 - Guidelines for privacy impact assessment](https://www.iso.org/standard/62289.html)
* [Open Source PIA Software](https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment) - cnil.fr
> The PIA software aims to help data controllers build and demonstrate compliance to the GDPR. The tools is available in French and in English. It facilitates carrying out a data protection impact assessment, which will become mandatory for some processing operations as of 25 May 2018. This tool also intends to ease the use of the PIA guides published by the CNIL.
* [Sample DPIA Template](https://iapp.org/resources/article/sample-dpia-template/)
> This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.
* [Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)](https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236)
### Checklists
* [GDPR Checklist for Websites & Mobile Applications](https://github.com/InspireNL/GDPR-Checklist-for-Websites-and-Apps)
* [GDPR Checklist](https://gdprchecklist.io)
* [GDPR Expert](https://www.gdpr-expert.com) - information on each article, for different countries in the EU.
> - the corresponding provision in the (former) Directive;
> - the corresponding provision in the country you have selected;
> - an analysis of the "Existing position";
> - an analysis of the "Future position";
> - an analysis of "Potential issues";
> - the first and second proposals of EU Regulation;
> - the relevant recital(s).
### Frameworks
* [Top 10 GDPR Frameworks](https://alpin.io/blog/top-10-gdpr-frameworks/)
* [IAB Europe Transparency and Consent Framework (TCF)](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/Consent%20string%20and%20vendor%20list%20formats%20v1.1%20Final.md) - assisting the digital advertising industry to interpret and comply with data protection and privacy regulation - notably the General Data Protection Regulation (GDPR).
2020-01-09 11:44:41 -05:00
### Sovrin Foundation
[Digital Identity Management in the Context of GDPR & Sovrin](https://blog.tykn.tech/digital-identity-management-in-the-context-of-gdpr-sovrin-43028247378b)
[Sovrin Foundation announces 30-day public review for data protection regulation revisions to the Sovrin Governance Framework](https://sovrin.org/sovrin-foundation-announces-30-day-public-review-for-data-protection-regulation-revisions-to-the-sovrin-governance-framework/)
> The Sovrin Governance Framework Working Group (SGFWG) and Global Policy Working Group (GPWG) together with Sovrin Stewards and Sovrin Foundation counsel began the process of determining what further changes would be needed to enable compliance with data protection regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Province of British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA).
[Giving people the privacy protection they need in the coming decade](https://sovrin.org/gdpr-paper/)
> Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de lInformatique et des Libertés.
> * [Innovation Meets ComplianceData Privacy Regulation and Distributed Ledger Technology](https://sovrin.org/wp-content/uploads/GDPR-Paper_V1.pdf)
## Resources
* [History of the GDPR](https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en)
* [EU GDPR - TOC](http://www.privacy-regulation.eu/en/index.htm) - table of contents, cross-references, emphases, corrections and a dossier function.
* [bakke92/awesome-gdpr](https://github.com/bakke92/awesome-gdpr) - Curated List of GDPR Information
* [erichard/awesome-gdpr](https://github.com/erichard/awesome-gdpr) - A curated list of GDPR-compliant tools for websites creators.
* [Awesome Data Privacy](https://github.com/yilmaztolga/awesome-data-privacy)
* [A curated list of EU GDPR resources](https://gdprindex.com) - An index of Companies, Consultants, Products, Services & Resources for GDPR compliance and market research]
* [Guide to GDPR Documentation](https://iapp.org/resources/article/guide-to-gdpr-documentation/)
The U.K. Information Commissioner's Office released this guide to GDPR Documentation. Included is information, checklists and templates to help organizations in their processing and documentation in relation to GDPR compliance efforts.