decentralized-id.github.io/2019-03-01-gdpr.md at cc25665d977c225b85f1299eabf1f36b6a496983

9.2 KiB

Raw Blame History

date

title

toc

EU Blockchain Observatory and Forum Report

Section 19: Decentralised identity and the European regulatory landscape

IDENTITY AND THE GDPR

An identity framework will need to work within such GDPR principles as data minimisation, purpose limitation and storage limitation. It will also have to deal with many of the rights that data subjects have under the GDPR, among them the well-known right to erasure (right to be forgotten), right of access and rights related to the automated processing of data. The GDPR also lays down clear responsibilities for data controllers and processors that will certainly need to be taken into account as well.
EIDAS: A PAN-EUROPEAN NATIONAL IDENTITY STANDARD

Perhaps the most important regulation dealing with identity in the EU is eIDAS, an EU regulation and a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so is worth a closer look.

Privacy by Design

Privacy by Design means that privacy should be considered from the very beginning, when designing a product. Article 25 of the GDPR requires “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing.”

GDPR and Privacy by Design, What developers need to know
Privacy by Design The 7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric
Self-Sovereign Privacy By Designs

Privacy Impact Assesment

Article 35 describes “a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies” called a Privacy Impact Assessment (PIA),

ISO/IEC 29134:2017 - Guidelines for privacy impact assessment
Open Source PIA Software - cnil.fr

The PIA software aims to help data controllers build and demonstrate compliance to the GDPR. The tools is available in French and in English. It facilitates carrying out a data protection impact assessment, which will become mandatory for some processing operations as of 25 May 2018. This tool also intends to ease the use of the PIA guides published by the CNIL.
Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs.
Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)

Checklists

GDPR Checklist for Websites & Mobile Applications
GDPR Checklist
GDPR Expert - information on each article, for different countries in the EU.
- the corresponding provision in the (former) Directive;
- the corresponding provision in the country you have selected;
- an analysis of the "Existing position";
- an analysis of the "Future position";
- an analysis of "Potential issues";
- the first and second proposals of EU Regulation;
- the relevant recital(s).

Frameworks

Top 10 GDPR Frameworks
IAB Europe Transparency and Consent Framework (TCF) - assisting the digital advertising industry to interpret and comply with data protection and privacy regulation - notably the General Data Protection Regulation (GDPR).

Sovrin Foundation

Digital Identity Management in the Context of GDPR & Sovrin

Sovrin Foundation announces 30-day public review for data protection regulation revisions to the Sovrin Governance Framework

The Sovrin Governance Framework Working Group (SGFWG) and Global Policy Working Group (GPWG) together with Sovrin Stewards and Sovrin Foundation counsel began the process of determining what further changes would be needed to enable compliance with data protection regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Province of British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA).

Giving people the privacy protection they need in the coming decade

Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de l’Informatique et des Libertés.

Innovation Meets ComplianceData Privacy Regulation and Distributed Ledger Technology

Resources

History of the GDPR
EU GDPR - TOC - table of contents, cross-references, emphases, corrections and a dossier function.
bakke92/awesome-gdpr - Curated List of GDPR Information
erichard/awesome-gdpr - A curated list of GDPR-compliant tools for websites creators.
Awesome Data Privacy
A curated list of EU GDPR resources - An index of Companies, Consultants, Products, Services & Resources for GDPR compliance and market research]
Guide to GDPR Documentation The U.K. Information Commissioner's Office released this guide to GDPR Documentation. Included is information, checklists and templates to help organizations in their processing and documentation in relation to GDPR compliance efforts.

9.2 KiB Raw Blame History Unescape Escape