https://ssimeetup.org/impact-gdpr-blockchain-ssi-silvan-jongerius-webinar-23/
Silvan Jongerius is the Managing Partner at TechGDPR, a boutique consultancy for data protection, privacy, and GDPR in deep tech with a strong focus on blockchain. He is also the Founder and President of BerChain, a non-profit organization aimed at connecting the blockchain scene in Berlin and promoting Berlin as the blockchain capital.
Building on his experience advising many blockchain projects on the GDPR, Silvan Jongerius will talk about the specific challenges and opportunities of the GDPR related to self-sovereign identity. He will provide a high-level introduction to privacy, data protection and the requirements of the GDPR and their interpretation, to give the attendees an overview of the regulatory situation.
After this introduction, we will explore the particularities of this regulation relating to decentralized technology, blockchain, immutable ledgers and in particular self-sovereign identity solutions. Naturally, there are many challenges, but there are also opportunities, perhaps even to over-comply with the GDPR and set a new standard for meeting its principles.
The impact of the GDPR on Blockchain & SSI – Silvan Jongerius
1. The impact of the GDPR on blockchain & SSI
Silvan Jongerius - Managing Partner
Silvan Jongerius / @silvanjongerius / @techgdpr / silvan@techgdpr.com
This presentation is released under a Creative Commons license. (CC BY-SA 4.0).
SSIMeetup.org
2. SSIMeetup objectives
1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
3. GDPR for DeepTech
• Discovery Workshop
• Data Mapping
• GDPR Assessment & Report
• DPO-as-a-Service
• Privacy by Design Consulting
• Staff / Developer Training
4. GDPR for DeepTech
https://www.forbes.com/sites/darrynpollock/2019/01/31/zcash-out-to-prove-privacy-is-key-to-crypto-adoption-with-gdpr-avoiding-use-cases/#
8. European Convention on Human Rights
Article 8.1: Everyone has the right to respect for his private and family life, his home and his correspondence.
9. Privacy & Information Asymmetry
Corporations
Government
Individuals
Startups
10. Facebook 2010:
Privacy is no longer a social norm
11. Facebook 2018:
“Data Privacy”
Facebook 2019:
Researching blockchain identity
12. Giovanni Buttarelli, European Data Protection Supervisor
“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.”
14. Fines & Risks
• Up to 20 Million Euro
• Or 4% of annual worldwide group turnover
• Whichever is higher
• Disclosure requirements: reputation
• Order to stop processing
15. Principles (Art 5)
1. lawfulness, fairness and transparency
2. purpose limitation
3. data minimisation
4. accuracy
5. storage limitation
6. integrity and confidentiality
7. accountability
17. Scope
• Data of natural persons in the EU
• Personal Data
• Pseudonymised, but not anonymised
• Not: for household use
19. Behavioural Patterns
• Metadata can reconstruct patterns leading to Personal Data
• Large datasets have a high risk of leaking metadata
• Location data can help construct whereabouts that can lead to identification
20. Personal Data Breach
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Article 4 (12) GDPR
21. Breaches & Notifications
• Risk: Notify authorities within 72h
• High risk: Notify affected subject (reputational risk)
22. Controller/Processor Roles
• Clearly defined roles
• the Controller determines the purposes and means of the processing of personal data
• the Processor processes personal data on behalf of the controller
23. Legal base for processing
A. Consent
B. Performance of a contract
C. Legal obligation
D. Protect vital interests of subject
E. Task in the public interest/authority
F. Legitimate Interest*
26. Valid Consent: UX
• Promoted choice
• Bundling
• Illusion of choice
27. Subject (Access) Rights
1. Right of information
2. Right of access
3. Right of erasure
4. Right of rectification
5. Right to data portability
6. Right not to be subjected to automated decision making
7. Right to object
28. Personal data, blockchain & SSI
29. • Public Permissionless
• Public Permissioned
• Private Permissionless
• Private Permissioned
30. Controller & Processor in Blockchain
31. Right to erasure & rectification
• Right of erasure (Article 17)
• Right of rectification (Article 16)
32. Encrypting on-chain personal data?
• May be broken in the future
• Encryption is a ‘technical measure’ not a way to move it out of scope of the GDPR.
33. “How about those hashes?”
518c4ae77dda05590f2789ec0d598d119f947001ceacc30ef1cadb8ceef4ebca
Hash Function
Can I store hashes of personal data?
37. Opportunities of GDPR in blockchain
38. GDPR compliance tracking
• Immutable history of events
• Consent given or revoked
• Record of processing activities
39. Alternative Governance Models
• Clarity on roles
• Contractual way to enforce rights
• Only within Europe
40. Contracted Nodes
• Transparency
• Control
• Purpose limitation
• Data minimisation
• Storage limitation
42. Self-sovereign Identity
• What is stored on-chain and off-chain?
• Who is responsible for personal data?
• On-device personal data may still be in scope of the GDPR
43. Zero-knowledge proofs
• Minimised amount of personal data revealed
• High level of control over personal data
• Need-to-know basis
44. GDPR principles and SSI
• Transparency
• Control
• Purpose limitation
• Data minimisation
• Storage limitation
45. GDPR & SSI
• Powerful tool for privacy protection
• Visionary alignment with GDPR
• Foundation technology
• Both promote the free flow of data
• Layer of trust and autonomy
46. Letter of the law
Spirit of the law?
47. Thank You
Silvan Jongerius / @silvanjongerius / @techgdpr / silvan@techgdpr.com
DPO Service - GDPR Assessment - Privacy by Design
Data Protection Impact Assessment for Blockchain, AI & IoT