Angelo Schalley, Solutions & Architecture Lead at Protocol Labs, delves into GDPR and compliance within the Filecoin ecosystem. He explores the essentials of GDPR requirements, its significance, pinpoints gaps in compliance, and shares strategies on effective ways to meet them.
In this video, Angelo Schalley leads a discussion at FIL Dev Summit on GDPR and compliance and how they relate to Filecoin. He starts by debunking some myths around GDPR, such as "it only applies to the legal department", "it's only for Europe", and "it's only about personal data". GDPR affects any company handling EU citizens' personal data. Key aspects of GDPR are transparency, having a justification for storing and processing data, data security, auditing, and clear privacy policies. Personal data includes any information that can identify an individual, such as a name, address, or IP address. The steps for GDPR compliance are finding all personal data, ensuring access to it, governance so that all employees understand compliance, protection through encryption and anonymization, and auditing. For Filecoin, immutable data helps support compliance requirements. Encryption would need to be implemented before ingesting data. Using CIDs provides some anonymity. Being transparent about any third-party processing is important. A DPO (data protection officer) provides a point of contact on compliance.
GDPR Myths: There are myths that GDPR only applies to legal or IT, only applies to Europe, and is only about personal data, but it affects any company handling EU citizens' data globally, and related fines can be 4% of revenue.
GDPR Basics: Key aspects of GDPR are transparency in handling personal data, having a justification for processing it, data security through encryption and anonymization, auditing, and clear privacy policies. Personal data includes any information that can identify an individual.
GDPR Compliance Steps: Main steps are finding all personal data, ensuring access to it across the company, governance so employees understand compliance, protection through security measures, and auditing.
Filecoin and GDPR: Filecoin helps by providing immutable data. Encryption needs to be implemented separately, before data is ingested. CIDs provide some anonymity. Transparency about third-party processing is needed, and a DPO should be designated.
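The "encrypt before ingesting" point above, as an added example that is not from the talk or from any Filecoin project code: a client seals one data subject's record with AES-256-GCM under a per-subject key before handing it to a storage provider, so the immutable store only ever holds ciphertext, and destroying the key is what makes an erasure request workable on data that cannot be deleted. The `Sealed` type, `SealBeforeIngest` and `Open` are hypothetical names, and the CID is a simplified stand-in (plain SHA-256 of the ciphertext rather than a real multihash CID).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Sealed is what the client hands to the storage provider. CID is a simplified
// stand-in for a Filecoin CID: hex SHA-256 of the ciphertext, no multihash.
type Sealed struct {
	CID        string
	Ciphertext []byte
}

// SealBeforeIngest encrypts one subject's record with AES-256-GCM before ingest,
// so the store only holds ciphertext and the key stays with the controller. The
// random nonce gives a fresh CID per seal, unlike a CID of guessable plaintext.
func SealBeforeIngest(key, record []byte) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Sealed{}, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nonce, nonce, record, nil) // nonce || ciphertext || tag
	sum := sha256.Sum256(ct)
	return Sealed{CID: hex.EncodeToString(sum[:]), Ciphertext: ct}, nil
}

// Open recovers the record. Once the subject key is destroyed the stored bytes
// are unreadable (erasure on immutable storage); tampered ciphertext fails GCM.
func Open(key []byte, s Sealed) ([]byte, error) {
	block, err := aes.NewCipher(key) // errors for a destroyed (empty) key
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(s.Ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, s.Ciphertext[:n], s.Ciphertext[n:], nil)
}
```

The provider sees only `Sealed`; the controller keeps the per-subject key in its own key store and records which CIDs belong to which subject, so that subject access and erasure requests can still be answered.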
- Look into developing a GDPR Code of Conduct to build trust in compliance across the ecosystem.
- Discuss having a starting point document on recommendations for GDPR compliance.
- Dive deeper on data portability, deletion, and access control relating to Filecoin.
- Storage providers should look into how GDPR compliance can be achieved on their offerings.
- Teams building data onboarding tools also need to consider GDPR compliance as part of their responsibilities.