There is still a big buzz about the upcoming enforcement of the European General Data Protection Regulation (GDPR). Data Protection Officers are in high demand within the tech industry, as organizations that handle personal data of European citizens have to follow GDPR requirements by May 25th, 2018.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. — www.eugdpr.org

In this article, we summarize important aspects of the GDPR in the context of the development of MADANA, the blockchain-based marketplace for data analysis. Naturally, the management, processing, and protection of data are among our main objectives. We are building a platform where data producers keep control of their data and are able to give consent depending on context. Using the MADANA platform for data analysis will make the data processing GDPR compliant.

Recent examples of impactful data breaches and data abuse, like the Facebook and Cambridge Analytica scandal or the huge personal information breach at Equifax, emphasize the importance of privacy preservation and data protection. With GDPR this finally becomes a relevant topic for people and businesses alike.

What will be changed by the GDPR?

Since the GDPR is a complex document, we focus on the most important changes and requirements for businesses. There are three major changes:

Firstly, the jurisdiction of the GDPR will be extended to a worldwide scope. Starting May 25th, the rules of the GDPR apply to all companies that process personal data of European citizens.

Secondly, the penalties have been refined. Organizations (controllers and processors) can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In theory, this should help the adoption of the GDPR requirements, even for smaller subcontractors.

Lastly, the conditions for giving consent are strengthened. Prior to the GDPR, consent was given by agreeing to terms of use that were rather lengthy and written in hard-to-understand legal terminology. Under the GDPR, the request for consent must be given in an intelligible and accessible form using clear and plain language. Moreover, the conditions are now unified across states in the EU.

The following graphic illustrates the main implications for businesses, covering the rights of data subjects as well as organizational obligations.

Data Protection Officers (DPO)

Data controllers who utilize large-scale data monitoring have to assign a DPO who keeps a record of the internal data processing. This is done to lower bureaucratic obstacles and clarify responsibilities.

Right to be Forgotten

A data subject can require the data controller to delete personal data and stop its processing by third parties.

Data Portability

Data subjects can demand their data in a commonly used, machine-readable format and are allowed to share the data with other controllers.

Privacy by Design

Data controllers shall protect personal data by system design, not as an addition. Controllers are required to collect only the information they need and have to follow the principle of data minimization. Therefore, data retention without necessity is not allowed.

Breach Notification

Within 72 hours data breaches must be communicated to all affected member states of the European Union.

Right to Access

A data controller must inform the data subject whether or not personal information is being processed, where and for what purpose. A copy of the data in a digital format has to be provided for free. This measure greatly enhances data transparency.

Realize GDPR-compliant data analysis with MADANA

We at MADANA want to make it as easy as possible to participate in a fair and open data market while preserving privacy by design. On the one hand, MADANA will help data producers to keep control of their data, contributing to the greater good and getting a fair share of its worth. On the other hand, MADANA will provide benefits to data processors and data analysis buyers.

Businesses that use the MADANA platform do not have to worry about handling the data analysis themselves, since MADANA will provide a GDPR compliant way to store and analyze data. They save the time and effort of completely rewriting old tools. Also, businesses can be sure to use only data that is consciously provided for data analysis.

Nowadays data breach notification is in the hands of the company that controls the data and is often delayed or changed due to brand damage control. Blockchain-based systems like MADANA prevent a number of possible data breaches by using decentralized databases that store individually encrypted data. Encrypting the data locally not only provides control to the data producer but also reduces the chance of future breaches.

The data producer gains the right to access all data collected about them and will be able to take this data elsewhere. Data portability allows data producers to easily migrate existing data to another system. Therefore, data producers are legally allowed to use the already collected data in the MADANA network. Since the data has to be provided in a ‘common digital format’, the transfer can be easy and fast. MADANA is even able to provide tools to automate this process in the future. This enables European data producers to instantly gain more control over their data and start monetizing it as soon as the MADANA network goes live for the public. Therefore, businesses are potentially able to use a relevant dataset from the beginning.

A big challenge for companies is the proper implementation of privacy by design measures. To do that, existing programs have to be precisely checked, partially rewritten and tested. This process can take a lot of time and effort, which could cost companies in the data controlling market their competitive advantage.

MADANA started with a clean slate by building a privacy-preserving platform for data analysis from the ground up. To always keep data producers in control of their own data, the raw datasets are encrypted locally. Access is only possible with the private key, which is kept by the data producer. Therefore, the approval of the data producer is needed before the data can be analyzed in the MADANA network. Moreover, the design of MADANA automatically fulfills the requirement of the right to be forgotten. All the data producer has to do is revoke access by not providing the private key. This is as easy as flipping a switch.

If we go through the GDPR, it becomes clear that MADANA can offer solutions to quite a few of its requirements and solve real-world problems that many companies are facing. The majority of topics in the GDPR are about the protection and enforcement of the data subject's rights. In the MADANA network, each data producer has to ensure that they are the data subject. In some domains, the data subject might not be the data producer. For example, when taking a picture of a person: Photographer Alice (the data producer) takes a picture of model Bob (the data subject). However, in the data analysis domain, most data will be collected automatically over time, where the data producer is the legal data subject. This enables us to have an easy and transparent process for managing individual consent for data analysis.

In a nutshell, MADANA will provide:

A privacy-protecting and GDPR compliant way to store and analyze data

An open platform enabling new ways to analyze data

An intuitive way to give and revoke consent to use personal data

Fairness through clearly defined rules and transparent rewards

Conclusion

MADANA takes privacy seriously from the beginning, which is why we are prepared for GDPR requirements without specifically preparing for them. The GDPR is legally enforcing rights for data producers as well as highlighting the importance of data protection and privacy preservation. It provides even more reasons for businesses to make use of MADANA in the future. Together we will create a future where data analysis is possible in a fair, secure and privacy-protecting way.
