Key Points

1. address use cases for PII, personal usage data etc
2. summarize regs - GDPR, CCPA, TCPA, HIPAA, HL7
3. review opportunity, challenges
4. summarize HLF features related - cryptography, identities, private data, off-chain etc
5. demo cpaper private data

References

Key Concepts

Potential Value Opportunities

Potential Challenges

Organizations Regulating Data Privacy in EU

Dmitrii FilatovDmitrii Filatov• 3rd+• 3rd+💡DPO | Privacy and Data Protection Expert | FIP, CIPP/E, CIPT | 

https://www.linkedin.com/posts/mwrxyz_dsr-dsar-privacy-activity-7117411040195145728-ODlq?utm_source=share&utm_medium=member_desktop

I created a list of useful materials related to the Data Subject [Access] Requests (#DSR / #DSAR).

Please like 👍, save 📨 , and repost 🔁 if you find it useful 🙏
🖱 Click on the bell in my profile 🔔 so you don't miss my new posts with useful information.

🔴 You can find my other collections of #privacy-related materials on Patreon (https://lnkd.in/diSAfZD2).

✒ If you can suggest what could be added to this list, feel free to write in the comments or in DM! 😉

🔶 European Data Protection Board
🔸 Guidelines 01/2022 on data subject rights - Right of access: https://lnkd.in/d2BHmic3

🔶 Office of the Data Protection Authority
🔸 Subject Access Requests (for Data Subjects): https://lnkd.in/dBKRK6WR
🔸 Data Subject Access Requests (for Controllers): https://lnkd.in/dNFPfxbp
🔸 How to respond to ‘subject access’ request: https://lnkd.in/dKpNbGEB

🔶 Data Protection Commission Ireland
🔸 Subject Access Requests: A Data Controller’s Guide: https://lnkd.in/dxBUTbSA
🔸 Data Subject Access Requests – FAQs: https://lnkd.in/d7iWV9DG

🔶 Information Commissioner's Office
🔸 A guide to individual rights: https://lnkd.in/dyMUqF7t
🔸 Right of access: https://lnkd.in/d8m4WM_i
🔸How to deal with a request for information: a step-by-step guide: https://lnkd.in/drURSj2B
🔸 Make a subject access request: https://lnkd.in/dqCWYgRN

🔶 CNIL - Commission Nationale de l'Informatique et des Libertés
🔸 Professionals: how to respond to a request for access rights? [in French]: https://lnkd.in/dsuFZ-Pf

🔶 The DPO Centre Ltd and Exiger
🔸 Tackling Complex Data Subject Access Requests (DSARs): https://lnkd.in/dCFkTKie

🔶 Data Protection Network Associates
🔸 Guide to Data Subject Access Requests: https://lnkd.in/dGV9yGMz

🔶 Integritetsskyddsmyndigheten (Swedish DPA)
🔸 The data subject’s rights: https://lnkd.in/dU39GTcZ

🔶 Osano
🔸 DSARs and Beyond: Managing data privacy rights and responsibilities: https://lnkd.in/dqiqBCFk

🔶 Personal Data Protection Commission (PDPC) [Singapore]
🔸 Guide to handling access requests: https://lnkd.in/d6gWm6TB

EU Study 2020 - Can DLT be reconciled with GDPR?

https://media-exp1.licdn.com/dms/document/C4D1FAQFNjRDa_UFpUA/feedshare-document-pdf-analyzed/0?e=1579921200&v=beta&t=tjfq9vil_cU6TPcRFbsV6SL5ESEpoRln9caq13A_LOY

eu-can-DLT-support-GDPR-2020-study-document.pdf

Thanks @Biser Dimitrov for the report. I agree with the issues raised. GDPR is challenging to comply with. Even more, legal interpretations of key GDPR requirements are not yet settled.

I disagree with the concept that compliance may not be achievable with today's advanced DLT solutions. We looked at scenarios for different interpretations of key features such as "right to erasure" etc and found it possible to engineer DLT solutions that were compliant in all cases. Beyond technology, a compliant solution requires "end-to-end" engineering in most cases. In addition, operation of the solution matters, especially operation and governance on data management and  compliance rules.

Candidate Solutions

Free Google Tool to Find Your Private Data

tool

https://myactivity.google.com/results-about-you. tool

docs on google data privacy tool

https://blog.google/products/search/new-privacy-tools/

https://www.rd.com/article/results-about-you/

In an age when the personal and financial information of billions of people is floating around online, just waiting for data brokers to snap it up and sell it, privacy has become a major concern. Google, a name synonymous with online search, recognized this issue when it announced the Results About You tool in May 2022 before officially rolling it out that October.

Soon, Google will take privacy control further by notifying users when their private information surfaces in searches, enabling them to promptly take action and regain control over their digital footprint. Here’s what you need to know to take advantage of Results About You alerts and avoid potential identity theft.

Microsoft announces the phased rollout of the EU Data Boundary for the Microsoft Cloud begins January 1, 2023

https://blogs.microsoft.com/eupolicy/2022/12/15/eu-data-boundary-cloud-rollout/

Microsoft will begin a phased rollout of our EU Data Boundary solution to public sector and commercial customers in the European Union (EU) and the European Free Trade Association (EFTA).

Microsoft offers data residency and proximity in more locations than any other cloud provider, enabling residency options for the entire Microsoft Cloud suite of online services, including Microsoft 365, Dynamics 365, Power Platform and Azure.

Microsoft will offer customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform and Dynamics 365 services. With this release, Microsoft expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our industry-leading data residency solutions.

In coming phases of the EU Data Boundary, Microsoft will expand the EU Data Boundary solution to include the storage and processing of additional categories of personal data, including data provided when receiving technical support.

Microsoft’s cloud services already comply with or exceed EU requirements, and the EU Data Boundary will further enable public sector and commercial customers in the EU and the EFTA to have their data processed and stored within the region. In addition, with the rollout of the EU Data Boundary, Microsoft will publish new data flow documentation on the new EU Data Boundary Trust Center webpage to provide transparent data insights for customers whose services will be included in the boundary.

Microsoft European Cloud Principles - 2022

https://blogs.microsoft.com/eupolicy/2022/05/18/microsoft-responds-to-european-cloud-provider-feedback-with-new-programs-and-principles/

Blockchain article on GDPR and Fabric - Priti

https://www.cpomagazine.com/data-privacy/gdpr-compliant-blockchain-personal-data-privacy-in-blockchain/

1. Off-chain storage (Private database)
2. Hash or fingerprint of data or metadata on a blockchain (limitations for small-sized data)
3. Anonymization of data (Pseudonymization not permitted)

Private data collection in Hyperledger Fabric

Hyperledger Fabric uses cryptography mechanisms to maintain transaction confidentiality and access control. Fabric offers an in-built facility of using a private database where a hash of private data is stored on blockchain. As hash is a one-way function, guessing the private data from the hash is difficult. To make the hash more resilient to brute-force attack – a. Hashing algorithms generating longer bits like SHA-512 b. random salt with the private data should be used.

Transient field – To maintain the privacy of data while communicating from client to authorized peers in organizations, transient field is used which is excluded in channel transaction.

blockToLive – This property in private data collection defines the lifetime of data on a private database. If the blockchain achieves a certain block height (a value can be set), data automatically gets deleted from the private database and to keep data forever in the private database the value of blockToLive is set to 0. Referring to one of the fundamental rights of GDPR, ‘right to erasure’ is also supported in a controlled way by Hyperledger Fabric.

Step-by-step guide for Example

sample code block

Recommended Next Steps

Related articles