This will be a little different from Proxeus’ usual Medium articles. My name is Dave, and I’m a communicator — specifically the Head of Communications and PR here at Proxeus. I’m writing this from less of a technical point of view than one of an end-user — because while our devs need to explain the details of how Proxeus works in the technical equivalent of baby talk, I have years of experience working with communications on three continents.

And yes, like many of my peers, I’ve got some very strong feelings about the GDPR.

“Women viewing modern art with black and white surveillance cameras on wall in Toronto” by Matthew Henry on Unsplash

GDPR for beginners

Truthfully, many of us comms types believe that “GDPR” stands for “G** D***** Privacy Regulation.” It’s awkward, inconvenient, and will take years of judicial back-and-forth before it becomes clear how it really will be implemented. It is also, in my opinion, a classic example of what happens when activists and legislators draft a regulation without talking to the people who need to make it work. (cough, support SROs, cough, cough).

It is also a wobbling baby step in the right direction of reclaiming personal data sovereignty.

Officially known as The EU General Data Protection Regulation, the GDPR sets a new standard for data protection, and raises the bar for businesses wishing to communicate online to previously unheard of heights. Its key points can be found on the official EU site.

The main impacts of the GDPR, and what it means to users and businesses are:

Increased Territorial Scope (extra-territorial applicability). Simply put, where your organization is doesn’t matter — only where the user is. Users in Europe are protected, and if companies don’t like it, they are free to leave the EU market.

(extra-territorial applicability). Simply put, where your organization is doesn’t matter — only where the user is. Users in Europe are protected, and if companies don’t like it, they are free to leave the EU market. Stiffer penalties. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Not cheap — and bear in mind that these rules apply to both controllers and processors: the cloud isn’t exempt.

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Not cheap — and bear in mind that these rules apply to both controllers and processors: the cloud isn’t exempt. Consent. Users must be asked for consent in clear and precise language, and be able to withdraw consent just as easily.

Users must be asked for consent in clear and precise language, and be able to withdraw consent just as easily. Breach Notification. Users must be notified of all privacy impacting breaches within 72 hours. How many businesses now can even target all their clients in 72 hours, let alone notify them?

Users must be notified of all privacy impacting breaches within 72 hours. How many businesses now can even target all their clients in 72 hours, let alone notify them? Right to Access. Users can demand to know exactly how and where their data is used, free of charge. Anyone see Facebook sharing that info anytime soon?

Users can demand to know exactly how and where their data is used, free of charge. Anyone see Facebook sharing that info anytime soon? Right to be Forgotten. Outside of legal requirements, users can demand their entire data record be permanently removed. Not something most organizations are able to do — even “deleting” a file isn’t sufficient. It needs to be permanently overwritten.

Outside of legal requirements, users can demand their entire data record be permanently removed. Not something most organizations are able to do — even “deleting” a file isn’t sufficient. It needs to be permanently overwritten. Data Portability. Organizations need to produce all user’s data in a transferable format, on demand. Once again, does anyone see this flying with Zuck?

Organizations need to produce all user’s data in a transferable format, on demand. Once again, does anyone see this flying with Zuck? Privacy by Design. This sort of covers all of the above issues. Systems need redesigning, in some cases from the ground up, to make the above possible.

This sort of covers all of the above issues. Systems need redesigning, in some cases from the ground up, to make the above possible. Data Protection Officers. Finally, every organization needs a DPO to be responsible for the above. Lovely. Either more headcount, or more work for some long-suffering Compliance officer.

Like I said — activists and legislators making decisions about things they don’t understand. However, enough moaning about what GDPR is, and let’s get on to the exciting stuff.

Why jump through hoops when you can stroll around them?

Taken to core principles, the ideals of GDPR are noble and praiseworthy — give the user control over their personal data. Let the internet-using multitudes rejoice! — until the more realistic of us who understand the difficulties presented by actually doing this in an environment where data is not shared, but given to organizations.

This passes on a massive and steadily increasing burden of maintenance and oversight to the people with the least interest in spending the time, money or effort needed to properly protect users’ data. It’s sort of like managing the playroom at an IKEA, except visitors can drop their kids off indefinitely and still expect them to be waiting, if and when the parents return.

It’s a lot of work, and even though I personally am all for the ideals of the GDPR, professionally it’s a royal pain.

The good news is that this entire issue can be avoided by entrusting the care of personal data in the user themselves — whom one would assume has the greatest vested interest in keeping it safe and up-to-date.

Photo by rawpixel on Unsplash

Share, don’t give

“So where does blockchain come into this?”, I hear my hypothetical audience muttering. That is an easy one. Blockchain allows us to bypass all the hoops of GDPR by allowing the user to share data without sending it — they can keep all their info in one tidy place, and permission organizations to look in, if they so choose. Total control for the user, no pesky GDPR obligations for organizations. With proper implementation, it should even allow users to monetize their data.

Pretty cool notion, isn’t it? It’s still a long way off, but with our second beta we’re taking a critical first step towards making it a reality.

This beta is a DApp storage solution, of a sort. It actually doesn’t really store anything itself — it encrypts it and stores it in whichever storage center the user chooses, from a nuclear bunker in the Swiss Alps to their personal server in the closet. What it does that is really cool, and solves our little GDPR conundrum, is keep your data both unequivocally safe and simultaneously shareable.

GDPR compliant data storage

By using a decentralized, user-controlled data storage model, key data is never transmitted, merely shared. Each user builds up a store of their identity documents in the storage of their choice, and shares access rights to whichever services need that data. The organization effectively gets what they need, while possession stays with the individual.

It’s a profound shift — analogous in moving from providing a copy of your passport or driver’s license to merely showing it to the relevant authority for validation, then taking it back. Same essential impact, but no trail of personal data left lying around for cleanup.

Let’s look again at that list of GDPR requirements, shall we?

Increased Territorial Scope. Irrelevant because data stays in control of the user. If data must be stored in a specific jurisdiction, it can be put there by the user.

Irrelevant because data stays in control of the user. If data must be stored in a specific jurisdiction, it can be put there by the user. Stiffer penalties. No stored data, no penalty.

No stored data, no penalty. Consent. Data is shared to a specific crypto identity. Revoke access, it’s gone.

Data is shared to a specific crypto identity. Revoke access, it’s gone. Breach Notification. Irrelevant because data stays in control of the user.

Irrelevant because data stays in control of the user. Right to Access. Irrelevant because data stays in control of the user.

Irrelevant because data stays in control of the user. Right to be Forgotten. Irrelevant because data stays in control of the user.

Irrelevant because data stays in control of the user. Data Portability. Irrelevant because data stays in control of the user.

Irrelevant because data stays in control of the user. Privacy by Design. This is the ultimate expression of privacy by design.

This is the ultimate expression of privacy by design. Data Protection Officers. Irrelevant because data stays in control of the user.

Leapfrogging GDPR

What blockchain in general — and Proxeus specifically — can do is empower both end users and organizations to leapfrog the whole messy swamp of legislating data protection by simply keeping data in the hands of its owners, and treating it as credentials to be shown, not a document to be stored. After all, what (non-data mining) organizations want is a validation of a point of fact, not something to store and sell.

It’s reasonable to ask for ID or supporting information in many circumstances — but far fewer require a permanent record of the contents of that ID. In almost all categories covered by GDPR and not exempted for legal reasons, all that is required is a record that certain data was checked, and the result of that check from a functional point of view. For example, it may be required to show that the user age was checked to confirm they are over 18, but there’s no need to record their birthday, or any data beyond “18, Y/N?”

Photo by Agus Dietrich on Unsplash

The power of enlightened laziness

What makes a default GDPR compliant system like Proxeus so compelling to me is that it makes both my personal and professional lives easier. My 40-something, “never share personal info on the internet” conservatism and privacy concerns are resolved, while my professional obligation to do my job to the best of my ability while still respecting other people’s privacy is satisfied.

That’s why solutions like those offered by Proxeus are an excellent answer to a thorny problem — in the end, they are less work. Sure, there’s a support infrastructure to be developed to support it, but that’s inevitable either way. GDPR makes it unavoidable that we must fundamentally change how we handle user data, so we might as well embrace the system which takes it off our desk and puts it in the hands of the users, instead of one that requires constant work.

If you want to see the first step to realizing this, try out the Proxeus beta DApp. It’s fast, easy, and with any luck will give you a little vision about what we can do in the future.

For updates, sign up to our beta mailing list.