A brief description of the impact the General Data Protection Regulation (GDPR) could have on the proposed move towards a digital economy, especially for the Caribbean

1. Impact of the GDPR on the Pre-
dominant Business Model for
Digital Economies
Rishi Maharaj
Executive Director
EquiGov Institute
www.equigov.com; rishi@equigov.com

2. Digital Economy and Data

3. Business models of the digital economy
Based on digital technologies (networking, communication etc.) that
provide the platform (infrastructure) over which people and
organizations interact and collaborate.
Digitized products
Digitized financial transactions
Everyday objects and appliances equipped with computing capabilities

4. Business models of the digital economy
 The digital economy is divided into the internet economy and the ‘classic’
information and communication technology industry. Innovative business models of
the digital economy are based on software- and internet-based technologies such
as cloud computing or the analysis of large quantities of data (big data).
 Users’ data enable companies to analyse customer preferences and in this way to
offer and further develop user-optimised advertising, products and services.

5. Data & Digital Economy
We have for the first time an economy based on
a key resource [Information] that is not only renewable,
but self-generating. Running out of it is not a problem,
but drowning in it is.
– John Naisbitt
Data is the new Oil. Data is just like crude. It’s
valuable, but if unrefined it cannot really be used.
– Clive Humby, DunnHumby

6. Personal Information captured by Data
Our personal digital footprint, an ineradicable record of
every electronic interaction, just keeps increasing. Your
email traffic, internet search history, geotagged images
on our smartphone and social media sites, retail
purchases, loyalty program transactions, invoice
payments, toll road payments and medical records all
add to the unique tread that makes up the footprint.
People’s day-to-day movements are often so predictable
that even anonymised location data can be linked back
to identified individuals with relative ease when it is
correlated with other outside information. Apparently our
movement patterns are so repetitive and predictable that
as few as 4 data points that include date and time are
enough to identify an individual.

7. What is Data/Privacy Protection
 Data protection is about safeguarding our fundamental right to privacy,
which is enshrined in international and regional laws and conventions.
 Data protection is commonly defined as the law designed to protect
your personal information, which is collected, processed and stored by
“automated” means or intended to be part of a filing system

8. Why is it is needed?
 Every time you use a service, buy a product online, register for email, go to your
doctor, pay your taxes, or enter into any contract or service request, you have to
hand over some of your personal information. Even without your knowledge,
information about you is being generated and captured by companies and
agencies you are likely to have never knowingly interacted with. The only way
citizens and consumers can have confidence in both government and business is
through strong data protection practices, with effective legislation to help minimise
needless monitoring by officialdom and regulate surveillance by companies.

9. GENERAL DATA PROTECTION
REGULATION

10. What is GDPR
 A new and updated EU wide legal framework focusing on personal data privacy which became effective on May
25. This new framework has taken a sweeping and stringent outlook on the way personal data is used by
businesses and will drastically transform and impact the business of any digital venture.
 The main goals of GDPR aims primarily to give control to citizens and residents over their personal data and to
simplify the regulatory environment for international business by unifying the regulation within the EU. It was
adopted on 14 April 2016, and after a two-year transition period is now in force.
 It introduces new procedural and organizational obligations for "data processors" - including corporate as well as
public entities, and gives more rights to “data subjects” - the term it uses for individuals.
 Besides setting out what is or isn’t allowed, the GDPR also specifies organizational guidelines that data processors
will need to adopt from now on.

11. Rights enshrined under GDPR

12. Rights enshrined under GDPR

13. GDPR Global Reach
 Although GDPR focuses on protecting data subject within the EU, its reach in implementation would be global.
Data processors located outside the EU that handle the personal information of EU residents will have to abide
by it.
 The broad territorial scope of the GDPR is enshrined in Article 3. Under Article 3, the GDPR applies to the
processing of personal data of EU data subjects where:
 The controller or processor is established in the EU (even if the processing does not take place in the EU) or
 The controller or processor is not established in the EU but a) Offers goods or services to EU data subjects (irrespective of
whether payment is required) or b) Monitors the behaviour of data subjects in the EU.
 Additionally as part of its international trading deals, which would also incorporate data flows, any country
wanting to sign a trade deal with the EU will have to sign up to respecting GDPR and also have implemented
within its jurisdiction similar legislative provisions.

14. Blockchain and GDPR

15. Blockchain and GDPR
 At the time the GDPR was conceived, we lived in a world of centralized cloud services and data collection
business models that continue to persist as the main source of Internet-based revenue for companies.
Since then, decentralized technology has developed rapidly, and may require adjustments to the GDPR
framework. Applying the GDPR to decentralized technology like blockchains is complicated, as they
complicate the distinction between server and user
 The major difference between blockchain and most cloud computing environments is that blockchain
systems do not rely on a single provider of storage or computing resources. Each user of the blockchain
uses his or her computing resources, on a peerto-peer basis. Moreover, each user has a complete copy of
the distributed ledger on his or her own computer. Consequently, the user of a blockchain system may at
the same time be data controller for the data that he or she uploads onto the blockchain, and data
processor by virtue of storing the full copy of the blockchain on his or her own computer.

16. Do blockchains process personal data?
 The nature of the public blockchain means that every transaction taking place will be published and
linked to a published public key that represents a particular user. That key is encrypted so that no one
who views the blockchain would be able to directly identify the individual or corporate entity that
represents the user.
 However, the re-use of the public key enables individuals to be singled out by reference to their public
key, even if they cannot be directly identified. Indeed the very purpose of the public key is to single
out the authors of a given transaction, to ensure that transactions are attributed to the correct people.
The public key, when associated with an individual, will likely qualify as personal data for the purposes
of European data protection legislation.

17. Do blockchains process personal data?
 In 2014, the Article 29 Working Party, provided guidance on the difference between pseudonymised and
anonymised data in its Opinion 05/2014 (WP 216). This distinction is important in relation to blockchain as data
protection rules do not apply to anonymised data; as such data cannot be traced back to a living individual.
However, the threshold for data to qualify as anonymised is very high.
 Because hashing permits records to be linked, hashing will generally be considered a pseudonymisation
technique, not an anonymisation technique. This high standard will continue to apply under the European
General Data Protection Regulation.
 Encrypted personal data can often still be traced back to a person if enough effort is put into it by experts or
someone holds the key to decryption. Therefore, encrypted data will often qualify as personal data and not as
anonymous data. This means that in most instances the privacy rules will be applicable to at least some of the
data involved in blockchain systems.

18. Final Thoughts

19. Businesses at greatest risk
Social media – Facebook, Twitter, Linked In
Banks and other financial institutions
Online retailers
Travel companies
Energy Businesses
Medical
klgates.com19

20. Business approach
 Full compliance:
 Data audit
 Draft policies
 Carry out impact assessment for particular projects
 Appoint data protection officer
 Part compliance
 Put basic policies in place
 Zero compliance
 Ignorance or intentional klgates.com20

21. Thank You