We’re back today with a new guide, this time aiming to address a specific topic on privacy, digital identity and GDPR.

What is GDPR?

Privacy and the protection of personal data are increasingly important topics in everyday debate. The growing awareness of ‘users’ has brought into the international political arena the need to put in place regulations that aim to safeguard certain cardinal principles of Western culture: the importance of privacy and the protection of personal property in the age of the infosphere.

One of the most important regulations in this area, especially for us European citizens, is definitely Regulation (EU) 2016/679, which everyone knows as the GDPR (General Data Protection Regulation).

The GDPR is certainly one of the most important regulations in the world related to the protection of personal data. Through the multitude of its articles, it puts in place a set of rules that aim to provide greater privacy and control over the personal data of citizens. Specifically, the GDPR was created to respond to digital macro-trends and to protect the personal data of individuals. The regulation is in fact specific in protecting the digital rights of citizens, consumers, and in general all those who act as ‘natural persons’ and not as professionals (e.g. companies or legal persons).

Self-Sovereign and GDPR

In previous guides we have explained how digital identity management models have not kept pace with regulation. How many times this month alone have you heard about data being stolen in hacking incidents or companies losing users’ personal data?

Fortunately, as we have already seen, a possible solution to some of the problems that today make the world of digital identities less ‘secure’ exists: Self-Sovereign Identity (SSI).

By allowing users to have full control over their digital identity, SSI aims to put back at the centre the need to guarantee all the fundamental rights that have so far been forgotten in the design and implementation of the web as we know it. The core principle of this new technological infrastructure is to make people finally ‘sovereign’ over their personal data.

The possibility of not registering or storing any personal data in centralised databases or registers (which is where users’ personal data is mostly held today) brings this new identity management model closer to the needs of users on the web and, as we shall see, of companies that are finally approaching the web.

Coexistence between GDPR and Self-Sovereign Identity

The digital identity models that have existed to date do not coexist well with the current regulations on personal data. 

The arrival of SSI could represent a real revolution in this case: the principles of protection, limitation and minimisation inherent in the IT protocol that makes up SSI are aligned with those of the GDPR, created to protect and limit the use and processing of citizens’ personal data.

Normally, using a blockchain to store personal data could be dangerous and not aligned with the principles of the GDPR. The blockchain, as you may recall from the previous guide, is in fact an immutable ledger where data can be publicly displayed. Any data, once placed within a block, can no longer be modified and, furthermore, can no longer be removed from the chain. These two features, if you think about it, are a big problem, especially when a citizen decides he wants to remove some of his personal data, for instance from the web.

Even Google, in order to be in line with the legislation, now allows users to request the deletion of their personal data.

Let us now show how at a general level Self-Sovereign Identity could coexist with this regulation and offer a solution in line with the proposed principles.

As defined in Article 5 of the Regulation, the GDPR is based on six basic principles relating to the protection of personal data:

  1. Fairness and transparency in the processing of users’ personal data.
  2. Limitation of the processing of data to the purposes for which it is collected: this means that users’ personal data can be used by different companies only for the necessary purposes.
  3. Minimisation of the personal data processed. As above, data must be processed as minimally as possible according to the purposes for which it is processed.
  4. Accuracy and updating of the personal data processed, including the timely deletion of personal data that are unnecessary or incorrect according to the purposes of processing.
  5. Data retention for no more time than is necessary in relation to the purposes for which the data are processed.
  6. Ensuring the integrity and confidentiality of personal data undergoing processing.

Let us now see how the SSI concept behaves with respect to these principles:

  1. Fairness and Transparency: the technologies used by SSI allow users to know exactly how personal data are sent to third parties.
  2. Limitation: SSI allows users to decide what data they want to share with the third party in question at that time and thus to know what data the third party is holding.
  3. Minimisation: SSI allows for what is technically referred to as selective disclosure. This means that the user is able to send only the necessary data, by design.
  4. Updating: as with Limitation, SSI allows data to be verified by third parties without the latter necessarily having to keep it. In this way, online services and companies can be sure that they have verified the necessary data, without having to worry about managing and protecting personal data.
  5. Retention: SSI allows users to retain their information themselves without having to rely on third parties. It can therefore be argued that SSI could bring several benefits compared to current data retention practices for all stakeholders involved.
  6. Confidentiality: confidentiality of data in the SSI is enabled through selective disclosure and the fact that users’ personal data can only be stored if necessary and only after the user’s approval.
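
One common construction behind the selective disclosure mentioned in points 3 and 6 is a set of salted hash commitments signed by the issuer. The sketch below is an added example, not code from this guide or from any SSI project; the function names and sample claims are constructed, and an HMAC stands in for the issuer's digital signature (an assumption: real credentials use asymmetric signatures so the verifier never holds the issuer's key).

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC key standing in for the issuer's signing key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # Salted commitment: without the salt, a hidden claim cannot be guessed.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: sign only the salted digests; salts and values go to the holder."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(credential, disclosures, wanted):
    """Holder: reveal salt and value for the requested claims only."""
    return {"credential": credential,
            "revealed": {n: disclosures[n] for n in wanted}}

def verify(presentation):
    """Verifier: check the issuer tag, then each revealed claim's digest."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        raise ValueError("credential was not issued by the trusted issuer")
    verified = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _digest(salt, name, value) not in cred["digests"]:
            raise ValueError(f"claim {name!r} is not covered by the credential")
        verified[name] = value
    return verified

if __name__ == "__main__":
    # Constructed sample claims, not real data.
    claims = {"name": "Alice Example", "birth_date": "1990-01-01", "over_18": True}
    credential, disclosures = issue(claims)
    shown = present(credential, disclosures, ["over_18"])
    print(verify(shown))
```

The verifier learns that the issuer vouched for `over_18` and sees only opaque digests for the name and birth date, so it has nothing further to store or protect.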

Through this six-point analysis we can state that Self-Sovereign Identity overlaps perfectly with the data protection principles expressed in the GDPR.

SSI and GDPR Conclusion

The GDPR is part of a very complex topic that concerns all laws aiming to protect citizens’ personal data. In this first, simple analysis, we have examined the proximity between the principles proposed by SSI and those proposed by the European regulation. As highlighted above, SSI seems to be a really interesting paradigm both for protecting one’s own personal data and for helping companies themselves comply with the European regulation.

In the next guides, the topic will be further expanded, so as to try to understand whether, in addition to the basic principles of the regulation, SSI and GDPR can really coexist.