GDPR-Compliant Personal Data Management: A Blockchain-based Solution

The General Data Protection Regulation (GDPR) gives control of personal data back to the owners by appointing higher requirements and obligations on service providers (SPs) who manage and process personal data. As the verification of GDPR-compliance, handled by a supervisory authority, is irregularly conducted; it is challenging to be certify that an SP has been continuously adhering to the GDPR. Furthermore, it is beyond the data owner's capability to perceive whether an SP complies with the GDPR and effectively protects her personal data. This motivates us to envision a design concept for developing a GDPR-compliant personal data management platform leveraging the emerging blockchain (BC) and smart contract technologies. The goals of the platform are to provide decentralised mechanisms to both SPs and data owners for processing personal data; meanwhile empower data provenance and transparency by leveraging advanced features of the BC. The platform enables data owners to impose data usage consent, ensures only designated parties can process personal data, and logs all data activities in an immutable distributed ledger using smart contract and cryptography techniques. By honestly participating in the platform, an SP can be endorsed by the BC network that it is fully GDPR-compliant; otherwise any violation is immutably recorded and is easily figured out by associated parties. We then demonstrate the feasibility and efficiency of the proposed design concept by developing a profile management platform implemented on top of a permissioned BC framework, following by valuable analysis and discussion.