Data Processing Manager:
The blockchain for storage of privacy consents

Lutech’s solution consists of using a “distributed ledger” blockchain to guarantee certain data and content for the set of Data Subject consent approval/denial records collected by a Controller for the processing of personal data.
The solution makes use of technology specifically developed for the reliable, transparent and controlled management of any type of data transaction. We are talking, of course, of a decentralized peer-to-peer network and a public ledger: the blockchain.

The GDPR (General Data Protection Regulation, EU 679/2018), in force since 25 May 2018, is the first – widely recognized and popular – attempt to put the digital rights of Internet users before other private, economic and political interests. 

The use of any digital tool and Internet services inevitably leaves tracks and, especially in recent years, we have come to realize what a valuable asset these represent. Above all if a company has chosen to embrace data-driven and customer-centric paradigms. The combination of the two, indeed, inevitably acts in the sphere of personal information and involves the technological field of Data Processing Management. 

Today, companies are able to build their businesses around the collection, monitoring, storage and exchange of personal and business data, systematically processing behavioral patterns, preferences and consumption habits on a mass scale. What’s more, emerging business models mean that the management of these data and the collection of consent records required for their use is carried out in a digital, and therefore totally dematerialized, manner.

Clearly regulated by the GDPR, the use of personal data is now subject exclusively, and in a non-delegable manner, to the Consent to Data Processing, or in short “Privacy Consent”, mechanism. Any company that acts as a Data Controller for personal data in any way – and this applies to virtually any organization, public or private – must be able to demonstrate that it is authorized to perform any specific processing, including “Disclosure to Third Parties”, i.e. any transfer to third parties for commercial and operational purposes. It is understandable that, in this potentially infinite chain, there is a high risk of a certain loss of control by the subject to whom the Personal Data refer. 

Where Privacy Consent records are collected and stored only in a digital format, the validity and value of the evidence is subject to compliance with technical requirements that requires their preservation through “appropriate measures” (Article 32(1) of the GDPR) – this does not relate to the risk of the data being lost or compromised, but rather requires the Controller to show that they hold the appropriate records of the consent given by the data subjects.

With regard to data traceability, it is interesting to note the curious conflict of interest involving the company that processes data: it is the Data Controller and therefore the beneficiary of the Privacy Consent record collected digitally, but at the same time stores data in digital format, which means that it has full and unlimited control over data – unless it has put in place adequate measures of self-limitation, which ensure time stamping and read-only access.

In the event that they are unable to prove that they have applied the aforementioned appropriate measures, processors of Personal Data will be held liable and penalized since they cannot provide proof that the consent record they hold digitally was collected on a certain date and has not been modified in the meantime.

It is clear, therefore, that an audit could put virtually any company in the world under the microscope. If the company in question is not adequately equipped in terms of both skills and technologies, the risk of penalties that, remember, can also be calculated as a percentage of turnover, is high.

Since the GDPR was first introduced, Lutech has offered a solution designed specifically to protect companies from the risks of inadequate storage of digital “Privacy Consent” records. This solution uses a technology specifically developed for the reliable, transparent and controlled management of any type of data transaction. We are talking, of course, of a decentralized peer-to-peer network and a public ledger: the blockchain.

Lutech’s solution consists of using a “distributed ledger” blockchain to guarantee certain data and content for the set of Data Subject consent approval/denial records collected by a Controller for the processing of personal data, exclusively for specific purposes and in accordance with precise methods. Indeed, protection from alteration and time stamping – intrinsic to and associated with any blockchain transaction – can and should be considered “appropriate measures” under the GDPR.

Lutech’s PCS (Privacy-Consent-Server) solution is a blockchain-based technology platform which allows any company that processes data to certify the “certain date” and “content” of Privacy Consent records gathered on its digital platforms from anyone interacting with them.
In particular, on the permissionless blockchain managed by the platform, a new transaction is added, which includes the encryption key (hash) created in a structured manner on the basis of the following data:

• The NDG code of the Data Subject (the client who provides/refuses their consent)
• The unique ID of the Data Controller (the company that collects the consent records)
• The string of consents actually given/denied
• The timestamp (date/time/minutes/seconds) of the transaction to which the consent records relate

Once stored on the blockchain, the encryption key becomes unchangeable and remains intrinsically representative in a definitive and unalterable way of the originating data: subjects, consents, timestamp. It is therefore an appropriate measure in the event of legal claims from anyone involved in the processing of personal data.

The parties involved and the process of interaction with Lutech’s Privacy-Consent-Server service are illustrated in figure 1. 
 

Below is a detailed illustration of the operational flow of Lutech’s blockchain solution:

1. Collection of Privacy Consent Records 
   The data subject (usually the party purchasing a good/service) provides their consent specifically for each type of processing (agree/deny) through the digital platform of the Controller (who is offering said good/service). 
2. Recording of the Privacy Consent on blockchain
   The Controller’s digital platform makes a call to Lutech’s PCS service, which generates a HASH containing the subjects/consents/time stamps and records it in a new blockchain transaction.
   For maximum transparency towards the Data Subject, the Controller also sends them an email containing everything written on the blockchain, including the encryption key.
3. Verification of Privacy Consent Records by the Data Controller 
   The Controller’s applications and operating processes access the PCS online to check the actual specific authorizations (Consent Records) for the various processing types. 
4. Data processing by authorized third parties
   Any qualified third parties (duly authorized by the Data Controller on the basis of specific consent given by the Data Subject) may make a real-time request to Lutech’s Privacy-Consent-Server for the updated version of the consent records (recorded and updated on the blockchain), so as to access only the data for which the Data Subject has provided consent to the Data Controller.
5. Updating of Consents by the Data Subject and right to be forgotten
   On the basis of the actual contract/transaction in place or signed with the Controller, the Data Subject may at any time amend their privacy consent records, but only for processing purposes which are not mandatory for the continuation of the business/legal relationship with the Controller. 
   The updating of consent records can be carried out independently by the Data Subject (client) by accessing to a function provided by the Controller (company) which, through the integration with Lutech’s Privacy-Consent-Server, writes a blockchain transaction that corrects and de-facto replaces the previous one, updating the consent records according to the wishes of the Data Subject. 
   This meets a specific requirement of the EU GDPR Regulation (Right to be forgotten, Art. 17 GDPR - Right to erasure).
   If the conditions set out in Art. 17 of the GDPR are met, Lutech’s Privacy-Consent-Server allows the client to uniquely and unambiguously express their wish to obtain from the Data Controller the erasure of their personal data, as established by the Regulation itself.
   This action will be certified by writing a new blockchain transaction containing the corresponding encryption key (hash) to guarantee certain date and non-modifiability. 
6. Audits by Supervisory Authorities
   The company provides the Data Subject, and where applicable the Supervisory Body, access to the platform to determine what the effective authorizations are, in other words the version of the privacy consent records in effect at the time to which the claim refers.