Expert Advice Community
GDPR in software development and blockchain

Guest user Created:   Mar 17, 2020 Last commented:   May 08, 2020

We are developing a mobile app where we scan documents, ask for data in forms and use blockchain.

We want to make sure we comply with GDPR. Especially around:
- data retention: is hashing data enough?
- anonymized vs pseudonymized: are we understanding it correctly?
- data access by personnel: is it OK that developers and the database admin can see some of the data?
- how to know when data is misused, mis-accessed, or breached
- are we a data processor or controller?


Expert
Alessandra Nisticò Mar 21, 2020

We are developing a mobile app where we scan documents, ask for data in forms and use blockchain. 
Data retention, is hashing data enough?

Hashing is a pseudonymization measure according to Art. 32 GDPR and it is recommended when feasible. However, you should verify whether your local Surveillance Authority has developed some internal regulation on pseudonymization techniques, and ensure all the other GDPR requirements are met, such as establishing a precise time frame for data retention.

This article may be of help: 

What do GDPR authorities say about blockchain? https://advisera.com/eugdpracademy/blog/2019/06/24/blockchain-gdpr-compliance-how-its-regulated-by-authorities/

anonymized vs pseudonymized. Are we understanding it correctly? 

In November 2019 a joint paper of the European Data Protection Supervisor (EDPS) and the Spanish Agencia Española de Protección de Datos (AEPD) was released to help data controllers wishing to implement a hash function and be compliant with GDPR. Here you can find the joint paper: Introduction to the hash function as a personal data pseudonymization technique: https://edps.europa.eu/data-protection/our-work/publications/papers/introduction-hash-function-personal-data_en
In that paper, the hash function is defined as a pseudonymization technique because the personal data can be made accessible again by the data controller by adding some information. The paper suggests implementing the hash function together with encryption in order to better protect personal data.
Art. 32 GDPR rules the security of processing and suggests implementing, when appropriate, pseudonymization and encryption, which are considered "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

On the contrary, anonymized data are personal data which have been transformed to such an extent that the personal information is no longer accessible, even to the data controller. Anonymized data are outside the scope of the GDPR. In fact, Recital 26 of the preamble of the GDPR states that: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes." (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=IT#d1e3373-1-1)

Art 32 GDPR: https://advisera.com/eugdpracademy/gdpr/security-of-processing/
Here you can find our Anonymization and Pseudonymization Policy: https://advisera.com/eugdpracademy/documentation/anonymization-and-pseudonymization-policy/ 


data access by personnel. Is it OK that developers and the database admin can see some of the data?

Data access by employees is not directly regulated by the GDPR. It is up to the data controller to establish permissions for data access. Access should be on a need-to-know basis, and it should be allowed only after the risk assessment is performed and adequate technical and organizational safeguards are implemented.

You can have some reference on how to handle access control according to ISO 27001 standard in this article: https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/ 

how to know when data is misused, mis-accessed, or breached? 

A data protection policy helps the company to find these violations. Establishing a procedure that tells your employees not to "use customer data outside the reasons customers provided it" or "not to open emails from unknown senders, and to report them to their superior", keeping access logs for data, and establishing levels of access to data (e.g. HR cannot access the customer database) help to defend against mis-access. Lastly, firewalls, anti-malware and antivirus are among the most common security measures to prevent data breaches, along with software and hardware updates and any measure that ensures the integrity, availability, and security of data.

are we a data processor or controller? 

It mostly depends on the data you are processing. According to the GDPR, the data controller is the person who determines the purposes and means of processing, while the data processor is someone who carries out processing on behalf of a data controller (for reference see Articles 24-31 GDPR).
Article 28 GDPR on the data processor requires a contract between the data controller and its processor, and requires that the data controller provide instructions on processing in order to ensure that the processing is coherent with its own rules (the data controller will be responsible). This can have a huge impact on a software company, which risks receiving different rules from each customer if it considers itself a data processor.

Some app and software developers, however, prefer to be joint controllers under Article 26 GDPR, which states that: "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects."

This solution helps software developers to determine by themselves the perimeter of the data processing performed by the software and to limit the controller's (the app user's) requests over data processing.

Here you can find more information:

EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
Free Whitepaper on GDPR Checklist of mandatory documents: https://info.advisera.com/eugdpracademy/free-download/checklist-of-mandatory-documentation-required-by-eu-gdpr

You can also find some useful information in our free training EU GDPR Foundations course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Max May 04, 2020

This is a great and very useful answer Alessandra!

And right in time. My organisation has decided to partake in the EBSI initiative (European Blockchain Service Infrastructure).

Some people in the organisation have a pilot node running, and this was done without consulting with the CISO & DPO and now questions are being raised. Particularly concerning how compatible blockchain can be with someone requesting his data to be rectified or deleted... as that is precisely one of the key elements of blockchain technology: you cannot delete things.

1) Do you happen to have any references discussing this? The compatibility between GDPR and blockchain technologies?

2) Do you happen to know how to proactively integrate this technology into the ISO 27001 framework, as I'm sure the next ISO 27001 version will have to take it into account regarding security and privacy issues.

Max

Expert
Alessandra Nisticò May 08, 2020
This is a great and very useful answer, Alessandra! And right in time. My organization has decided to partake in the EBSI initiative (European Blockchain Service Infrastructure). Some people in the organization have a pilot node running, and this was done without consulting with the CISO & DPO and now questions are being raised. Particularly concerning how compatible blockchain can be with someone requesting his data to be rectified or deleted... as that is precisely one of the key elements of blockchain technology: you cannot delete things.

Your CISO and DPO raised the point of tension between the GDPR and blockchain. The question is under discussion among Data Protection Authorities. Much depends on the kind of blockchain you are implementing (public, private, permissioned?). However, you need to carry out a Data Protection Impact Assessment and structure the project following the principles of privacy by design and privacy by default (can data be anonymized or encrypted? Can you store personal data off-chain?). You also need to make clear in your privacy notice that you are using blockchain, in order to be transparent with your users and make them aware of the impact of their actions on their rights.

Then, the main suggestions that have emerged are:

  • Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption, and aggregation techniques in order to anonymize data.
  • Collect personal data off-chain or, if the blockchain can't be avoided, on private, permissioned blockchain networks.
  • Consider personal data carefully when connecting private blockchains with public ones.
  • Continue to innovate and be as clear and transparent as possible with users.

Do you happen to have any references discussing this? The compatibility between GDPR and blockchain technologies?


You can find some information on blockchain and GDPR in these articles:


Do you happen to know how to proactively integrate this technology into the ISO 27001 framework, as I'm sure the next ISO 27001 version will have to take it into account regarding security and privacy issues.

ISO 27001 can help you to implement a risk assessment, identify vulnerabilities, and implement the required actions. You should use the principles and guidelines it provides to implement processes that take into account the particular structure of the blockchain.

You can find some useful information in our free whitepaper EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help 

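The following Python script is an added example, not part of this thread or of any Advisera or EDPS/AEPD material. It illustrates two points raised above in working code: the difference between an unkeyed hash (which can be reversed by guessing when the input is a low-entropy identifier such as an e-mail address) and a keyed hash whose key only the controller holds (pseudonymization, since the controller can still re-identify), and the suggestion in the second answer to keep personal data off-chain with only a keyed commitment on the chain, so that an erasure request can be honoured by deleting the off-chain record and its key even though the chain itself cannot be changed. The e-mail addresses, the record, the in-memory ledger and the off-chain store are all constructed stand-ins; HMAC-SHA256 is used as the keyed hash.

```python
"""Unkeyed vs. keyed hash as pseudonymization, and off-chain data with an on-chain commitment.

Constructed example: fictitious identifiers, an in-memory append-only ledger standing in
for a blockchain, and an in-memory off-chain store.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed, fictitious identifiers that an attacker could plausibly guess.
GUESSES = ["alice@example.org", "bob@example.org", "carol@example.org"]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: what 'just hash the data' usually means in practice."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(key: bytes, value: str) -> str:
    """HMAC-SHA256 under a secret the controller keeps; without the key, guesses cannot be checked."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, guesses: list) -> Optional[str]:
    """Re-identify an unkeyed hash of a low-entropy value by hashing every candidate."""
    return next((g for g in guesses if plain_hash(g) == target), None)


def controller_reidentify(key: bytes, pseudonym: str, subjects: list) -> Optional[str]:
    """Only the key holder can map a pseudonym back to a subject: pseudonymization, not anonymization."""
    return next((s for s in subjects if keyed_hash(key, s) == pseudonym), None)


def canonical(record: dict) -> str:
    """Stable serialization so the same record always yields the same commitment."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class OffChainStore:
    """Personal data plus one random 256-bit key per record; nothing here is written to the chain."""

    def __init__(self) -> None:
        self._records = {}  # record_id -> (key, record)

    def add(self, record_id: str, record: dict) -> str:
        key = secrets.token_bytes(32)
        self._records[record_id] = (key, record)
        return keyed_hash(key, canonical(record))  # the commitment is all the chain receives

    def erase(self, record_id: str) -> None:
        """Erasure request: delete data and key together; the chain entry stays but becomes unlinkable."""
        del self._records[record_id]

    def recompute(self, record_id: str) -> Optional[str]:
        """Recompute the commitment from stored data; None once the record has been erased."""
        if record_id not in self._records:
            return None
        key, record = self._records[record_id]
        return keyed_hash(key, canonical(record))


class Ledger:
    """Append-only list standing in for a blockchain: entries can be added but never removed."""

    def __init__(self) -> None:
        self.entries = []  # list of (record_id, commitment)

    def append(self, record_id: str, commitment: str) -> None:
        self.entries.append((record_id, commitment))

    def commitment_for(self, record_id: str) -> Optional[str]:
        return next((c for rid, c in self.entries if rid == record_id), None)


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    # 1. Unkeyed hash of an e-mail address: reversible with a guess list.
    recovered = dictionary_attack(plain_hash("bob@example.org"), GUESSES)

    # 2. Keyed hash: the same guess list fails for an outsider, but the controller can re-identify.
    controller_key = secrets.token_bytes(32)
    pseudonym = keyed_hash(controller_key, "bob@example.org")
    outsider = dictionary_attack(pseudonym, GUESSES)
    controller = controller_reidentify(controller_key, pseudonym, GUESSES)

    # 3. Blockchain: commitment on chain, data off chain, erasure by deleting data and key.
    store, ledger = OffChainStore(), Ledger()
    record = {"email": "bob@example.org", "doc_no": "ID-000123"}  # constructed record
    ledger.append("r1", store.add("r1", record))
    verifiable_before = store.recompute("r1") == ledger.commitment_for("r1")
    store.erase("r1")
    verifiable_after = store.recompute("r1") == ledger.commitment_for("r1")
    # Even an observer who knows the full plaintext record cannot link it to the chain entry without the key.
    linkable = plain_hash(canonical(record)) == ledger.commitment_for("r1")
    return {
        "plain_hash_recovered": recovered,
        "keyed_hash_outsider": outsider,
        "keyed_hash_controller": controller,
        "verifiable_before_erasure": verifiable_before,
        "verifiable_after_erasure": verifiable_after,
        "linkable_after_erasure": linkable,
        "chain_entries_after_erasure": len(ledger.entries),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key point for a retention or erasure request is the last scenario: the ledger still holds one entry after `erase`, but with the record and its key gone nobody, including the controller, can tie that entry to a person, which is the situation Recital 26 describes. Whether a supervisory authority accepts this as sufficient is exactly the open question the expert refers to, so it complements the DPIA and privacy notice rather than replacing them.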
