GDPR compliance

This year marks the fourth anniversary of GDPR’s implementation. The General Data Protection Regulation, which gives European citizens greater control over their personal data and how it’s used, is inspiring similar regulation worldwide, and forcing enterprises to consider whether the technologies on which they’ve built their business pose a threat to compliance.

Cloud computing’s challenge to GDPR compliance 

The trend towards cloud shows no signs of slowing. It reduces costs and pools expertise – but relies on organisations transferring subject data to third-party infrastructure, while maintaining their legal responsibility for its use or abuse. 

But the need to rely on third parties not to expose the enterprise to legal recourse is no reason to snub cloud entirely. As Deborah Moir writes at BT, “controls such as information rights management (IRM), cloud access security brokers (CASB) and cloud data-loss prevention (CDLP) can offer the same (or better) security than on-premises solutions.”

Nonetheless, clients must ensure their cloud providers’ safeguards are adequate and their practices compliant, while developing their own contingencies for relocating workloads should they be found to be lacking. 

“In the past, selection of IT vendors was determined first by cost and second by security,” explains Comforte AG. “However, given the potential for such high fines, cost can no longer be judged without considering security. This makes GDPR compliance a nonnegotiable requirement when selecting IT service providers.” 

“The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data),” says Michael Nadeau at CSO Online. “A third-party processor not in compliance means your organization is not in compliance [so] all existing contracts with processors (e.g., cloud providers, SaaS vendors, or payroll service providers) and customers need to spell out responsibilities [and] contracts also need to define consistent processes for how data is managed and protected, and how breaches are reported.” 

Enterprises must therefore choose their cloud providers with care, and be mindful of their obligation under GDPR to inform their own customers should a breach occur. This holds even if the enterprise is not itself responsible for the breach, and however great the potential reputational damage.

AI and its implications for GDPR compliance 

The same rules apply, even when cloud use is restricted to internal jobs, like accounting, HR and payroll, since GDPR makes no distinction between employee, customer, and client data subjects. Technologies that enable data tracking within the workplace, or facilitate remote working, are therefore likely to result in a high risk of harm to individuals, according to the UK Information Commissioner’s Office (ICO).  

These sit among several other established or emergent technologies identified by the ICO, including ‘invisible processing’ through online advertising and the re-use of third-party and publicly available data, and the deployment of AI and machine learning (the former of which looks set to be subject to additional regulations beyond the scope of GDPR). 

Such technologies – and AI in particular – are finding a home within the enterprise, with uses now straying beyond their established roles in facilitating risk management for insurance and related industries. Examples include: 

  • AI is increasingly used for pre-screening of candidates applying for jobs. Care must be taken not to misuse subjects’ personal data during the process, not to discriminate unfairly, and to allow individuals to challenge decisions made by AI. 
  • Technology that employs data matching, in which multiple data sets are used simultaneously, or for comparison, for purposes as diverse as direct marketing and fraud prevention, must be handled with care, and requires the completion of a Data Protection Impact Assessment (DPIA). 
  • A DPIA is also required when tracking emotional response and brain activity, or when using technology to perform credit checks and decide on mortgage applications. 

GDPR and blockchain technology 

Blockchain technology is most commonly associated with the administration of cryptocurrencies. In this realm, the blockchain’s contents are duplicated across an unknowable number of servers, and frequently cross national borders. At first glance, therefore, the technology would appear to be incompatible with the requirements of GDPR. 

Moreover, as the EU itself explains, “GDPR is based on an underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. These data controllers must comply with the GDPR’s obligations. Blockchains, however, are distributed databases that often seek to achieve decentralisation by replacing a unitary actor with many different players. The lack of consensus as to how (joint-) controllership ought to be defined hampers the allocation of responsibility and accountability.” 

While the EU sees some opportunities for blockchain technology to facilitate compliance with GDPR – particularly where they enable data subjects to maintain greater control over their personal data – “the relationship between the technology and the legal framework cannot be determined in a general manner but must rather be determined on a case-by-case basis”. 

Private blockchains, for example, when used solely within a single enterprise, can be as secure and compliant as regular databases – while permissioned blockchains allow extended access, but with greater safeguards than would be possible in the public model.  

Blockchain is still a relatively young technology, and GDPR a relatively new regulation, and it will take some time to fully understand how the two intersect. How a data subject’s request for their data to be removed from the blockchain – or amended – should be handled, for example, is a point of discussion. 

“The right to rectification could be exercised by adding a new block with rectified data to the chain, without deleting the block containing the incorrect personal data, although there is no court precedent or any official guideline on whether this solution meets the requirements of the GDPR,” says the International Association of Privacy Professionals.
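As an added illustration (not from the article or any of the sources it quotes), this Python sketch models a minimal hash-linked ledger: rectification appends a superseding block in the way the IAPP quotation describes, while an in-place edit made to honour an erasure request breaks integrity verification. The block layout and the `subject`/`field`/`value` record shape are constructed for the example.

```python
import hashlib
import json


class Block:
    def __init__(self, index, prev_hash, record):
        self.index, self.prev_hash, self.record = index, prev_hash, record
        self.digest = self.compute_digest()

    def compute_digest(self):
        payload = {"index": self.index, "prev_hash": self.prev_hash, "record": self.record}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = [Block(0, "0" * 64, {"genesis": True})]

    def append(self, record):
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.digest, record))
        return self.blocks[-1]

    def verify(self):
        # Recompute every digest and check each block links to its predecessor.
        return all(cur.prev_hash == prev.digest and cur.digest == cur.compute_digest()
                   for prev, cur in zip(self.blocks, self.blocks[1:]))

    def rectify(self, subject, field, value):
        # Rectification as the quoted IAPP suggestion describes it: a new block
        # supersedes the old value, and nothing already on the chain is removed.
        return self.append({"subject": subject, "field": field, "value": value})

    def current_view(self, subject):
        # Latest value per field wins when reading the subject's record.
        view = {}
        for b in self.blocks[1:]:
            if b.record.get("subject") == subject:
                view[b.record["field"]] = b.record["value"]
        return view

    def on_chain_values(self, subject, field):
        # Every value ever written is still readable, superseded or not.
        return [b.record["value"] for b in self.blocks[1:]
                if b.record.get("subject") == subject and b.record["field"] == field]

    def erase_in_place(self, subject):
        # Naive erasure by editing historic blocks: integrity checks then fail.
        for b in self.blocks[1:]:
            if b.record.get("subject") == subject:
                b.record = {"subject": subject, "field": "erased", "value": None}
        return self.verify()
```

The superseded value stays readable through `on_chain_values`, which is exactly the point on which the quotation notes there is no precedent or guidance.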

Introducing new technologies 

This case-by-case approach to compliance is not unique to blockchain technologies. Whatever new technology enterprises are implementing, GDPR must remain a core consideration. It is now, says RiskLogix, “a legal requirement for firms to adopt a privacy by design approach in new product development. Firms must carry out a Data Protection Impact Assessment (DPIA) as part of new product development programmes in many circumstances.” 

As Steven Bliim warns, this can impact roll-out schedules, since “the requirement to perform DPIA and other assessments make it necessary for some companies to heavily change their current schedules and operational mechanisms to implement the famous GDPR-related ‘by default’ security principle for all of the processed data.”
