decentralized-id.github.io/_posts/government/europe/2019-03-01-gdpr.md

98 lines
12 KiB
Markdown
Raw Normal View History

2019-03-28 19:40:33 -04:00
---
date: 2019-03-01
2023-06-05 23:52:16 -04:00
title: "General Data Protection Regulation (GDPR) of the European Union"
2019-03-28 19:40:33 -04:00
toc: false
categories: ["Government"]
2023-06-08 00:38:47 -04:00
tags: ["GDPR","Europe","eIDAS","CCPA","eSSIF","eSSIF-Lab"]
2020-01-05 23:54:47 -05:00
redirect_from:
2020-11-05 23:47:20 -05:00
- public-sector/europe/GDPR/
2020-01-05 23:54:47 -05:00
- gdpr/
2020-11-05 23:47:20 -05:00
header:
2020-11-19 03:16:51 -05:00
image: /images/general-data-protection-regulation-gdpr-header.webp
teaser: /images/gdpr-teaser.webp
2020-11-05 23:47:20 -05:00
permalink: government/europe/regulation/gdpr/
canonical_url: 'https://decentralized-id.com/government/europe/regulation/gdpr/'
2023-06-10 07:24:04 -04:00
toc: true
last_modified_at: 2023-06-09
2019-03-28 19:40:33 -04:00
---
2023-06-10 07:24:04 -04:00
## Main
2023-06-08 00:38:47 -04:00
> The General Data Protection Regulation (GDPR) is a privacy regulation enacted May 2018, effecting anyone processing the data of EU residents.
* [Why is Self-Sovereign Identity compliant with the [GDPR]?](https://en.archipels.io/post/pourquoi-le-self-sovereign-identity-est-compatible-avec-le-rgpd) 2022-02-16 Archpelis
> With the transition to the web 3.0 ecosystem, the development of distributed registries (blockchain technology) and the regulatory environment that is forcing digital players to favour privacy by design, the ISS approach will become the new standard, whether for entering into customer relations, managing digital identities or ensuring compliance of administrative processes in companies and institutions.
* [Can a Verifiable Credential-based SSI Implementation meet GDPR Compliance?](https://academy.affinidi.com/can-a-verifiable-credential-based-ssi-implementation-meet-gdpr-compliance-5039d0149ea4) 2021-05-14 Affinidi
> A common theme among all these provisions is to empower the data subject and put him or her in complete control over personal data including the way it is shared and used.
>
> Now, its time to see if Self-sovereign identity (SSI) addresses each of these provisions.
* [Giving people the privacy protection they need in the coming decade](https://sovrin.org/gdpr-paper/) 2020-01-08
> Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de lInformatique et des Libertés.
> * [Innovation Meets ComplianceData Privacy Regulation and Distributed Ledger Technology](https://sovrin.org/wp-content/uploads/GDPR-Paper_V1.pdf)
* [Blockchain and Identity](https://www.eublockchainforum.eu/sites/default/files/report_identity_v0.9.4.pdf) 2019-05-15
* IDENTITY AND THE GDPR
> An identity framework will need to work within such GDPR principles as data minimisation, purpose limitation and storage limitation. It will also have to deal with many of the rights that data subjects have under the GDPR, among them the well-known right to erasure (right to be forgotten), right of access and rights related to the automated processing of data. The GDPR also lays down clear responsibilities for data controllers and processors that will certainly need to be taken into account as well.
* EIDAS: A PAN-EUROPEAN NATIONAL IDENTITY STANDARD
> Perhaps the most important regulation dealing with identity in the EU is eIDAS, an EU regulation and a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so is worth a closer look.
* [Blockchain and the GDPR](https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf) 2018-10-16 EU Blockchain Forum
> as this paper will explain, GDPR compliance is not about the technology, it is about how the technology is used. Just like there is no Gdpr-compliant Internet, or GDPR-compliant artificial intelligence algorithm, there is no such thing as a GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications.
* [GDPR - A reflection on the 'self-sovereign identity' and the Blockchain](https://www.linkedin.com/pulse/gdpr-reflection-self-sovereign-identity-blockchain-nicolas-ameye/) 2018-02-11 Nicolas Ameye
2023-06-09 04:41:15 -04:00
> The GDPR is taking for granted a centralized identity model, meaning a centralized model of digital data storage and transmission. Those centralized models of digital data storage are relying on the principles that the data custodians are trustworthy and are mandated to steward personal data. The GDPR, while being technology-neutral by nature, is articulated around the idea that personal data are being stewarded by centralized authorities.
2023-06-08 00:38:47 -04:00
* [When GDPR Becomes Real, and Blockchain is no longer fairydust](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/final-documents/gdpr.md) by Marta Piekarska (Linux Foundation), Michael Lodder (Evernym), Zachary Larson (Economic Space Agency), Kaliya Young (Identity Woman)
> Following the implementation date of May 25, 2018, managing data will be both toxic and expensive. Many precious resources will be required for improving and maintaining the security, privacy, and governance of personal data. Methods for storing less personal data will ease the burden of GDPR compliance. This document describes the GDPR requirements and the different approaches to digital identity solutions and finally explains why distributed ledger technology may offer an opportunity for enterprises to simplify data management solutions that are GDPR compliant.
2020-01-06 02:31:44 -05:00
2020-01-09 11:44:41 -05:00
[![](https://i.imgur.com/HADdi6N.jpg)](https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf)
2020-01-05 23:54:47 -05:00
2023-06-12 05:53:08 -04:00
### EU General Data Protection Regulation Act
* [Self-Sovereign Privacy By Design](https://github.com/sovrin-foundation/protocol/blob/master/self_sovereign_privacy_by_design_v1.md)
* [Giving people the privacy protection they need in the coming decade](https://sovrin.org/gdpr-paper/)
> Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de lInformatique et des Libertés.
> * [Innovation Meets ComplianceData Privacy Regulation and Distributed Ledger Technology](https://sovrin.org/wp-content/uploads/GDPR-Paper_V1.pdf)
2023-06-09 04:41:15 -04:00
2020-01-05 23:54:47 -05:00
### Privacy by Design
Privacy by Design means that privacy should be considered from the very beginning, when designing a product. [Article 25](https://iapp.org/resources/article/the-eu-general-data-protection-regulation/#A25) of the GDPR requires “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in placeto minimise personal data processing.”
2019-03-05 12:44:00 -05:00
2023-06-08 00:38:47 -04:00
* [Privacy by Design The 7 Foundational Principles](https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf) 2011-02-11
2020-01-05 23:54:47 -05:00
> 1. Proactive not Reactive; Preventative not Remedial
> 2. Privacy as the Default Setting
> 3. Privacy Embedded into Design
> 4. Full Functionality — Positive-Sum, not Zero-Sum
> 5. End-to-End Security — Full Lifecycle Protection
> 6. Visibility and Transparency — Keep it Open
> 7. Respect for User Privacy — Keep it User-Centric
2023-06-08 00:38:47 -04:00
* [Self-Sovereign Privacy By Design](https://github.com/sovrin-foundation/protocol/blob/master/self_sovereign_privacy_by_design_v1.md) 2019-10-04
> This repo captures early models of what has now evolved into DID Communication -- conventions for secure, private interaction between parties based on DIDs. **All content here is archival; for the freshest thinking, please check out the [Hyperledger Aries RFCs](https://github.com/hyperledger/aries-rfc)**
* [GDPR and Privacy by Design, What developers need to know](https://medium.com/@sphereidentity/gdpr-and-privacy-by-design-what-developers-need-to-know-fa5a936da65a) 2018-01-24
> In short, Article 25 of the GDPR requires; “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing”. Building compliant systems means that new functionality needs to be added, to deliver data pseudonymisation, encryption and other privacy enhancing measures.
2020-01-05 23:54:47 -05:00
### Privacy Impact Assesment
[Article 35](http://www.privacy-regulation.eu/en/article-35-data-protection-impact-assessment-GDPR.htm) describes “a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies” called a [Privacy Impact Assessment](https://en.wikipedia.org/wiki/Privacy_Impact_Assessment) (PIA),
* [ISO/IEC 29134:2017 - Guidelines for privacy impact assessment](https://www.iso.org/standard/62289.html)
2023-06-08 00:38:47 -04:00
* [Open Source PIA Software](https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment) 2021-06-30 cnil.fr
2020-01-05 23:54:47 -05:00
> The PIA software aims to help data controllers build and demonstrate compliance to the GDPR. The tools is available in French and in English. It facilitates carrying out a data protection impact assessment, which will become mandatory for some processing operations as of 25 May 2018. This tool also intends to ease the use of the PIA guides published by the CNIL.
2023-06-08 00:38:47 -04:00
* [Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)](https://www.dataguidance.com/sites/default/files/wp29-gdpr-dpia-guidance_final.pdf) 2017-10-13
> A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance.
## Resources
2020-01-05 23:54:47 -05:00
2023-06-08 00:38:47 -04:00
* [History of the GDPR](https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en)
* [EU GDPR - TOC](http://www.privacy-regulation.eu/en/index.htm) - table of contents, cross-references, emphases, corrections and a dossier function.
* [IAB Europe Transparency and Consent Framework (TCF)](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/) 2018-07-20
> technical specifications for the IAB Europe Transparency and Consent Framework (TCF) that will help the digital advertising industry interpret, and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR).
* [bakke92/awesome-gdpr](https://github.com/bakke92/awesome-gdpr) - Curated List of GDPR Information
* [erichard/awesome-gdpr](https://github.com/erichard/awesome-gdpr) - A curated list of GDPR-compliant tools for websites creators.
* [Awesome Data Privacy](https://github.com/yilmaztolga/awesome-data-privacy)
* [GDPR Checklist for Websites & Mobile Applications](https://github.com/InspireNL/GDPR-Checklist-for-Websites-and-Apps) 2018-04-16
2020-01-05 23:54:47 -05:00
* [GDPR Checklist](https://gdprchecklist.io)
* [GDPR Expert](https://www.gdpr-expert.com) - information on each article, for different countries in the EU.
> - the corresponding provision in the (former) Directive;
> - the corresponding provision in the country you have selected;
> - an analysis of the "Existing position";
> - an analysis of the "Future position";
> - an analysis of "Potential issues";
> - the first and second proposals of EU Regulation;
> - the relevant recital(s).