Could you elaborate on how Enigma would handle being GDPR compatible in practice?


by zenicoin

Could you elaborate on how Enigma would handle being GDPR compatible in practice? Specifically for users exercising the “right to be forgotten” by requesting all of their data be deleted? Thanks


Guy Zyskind: „GDPR requires all companies that collect or process data of individuals who live in the EU (where processing of data happens doesn’t matter) to comply with a set of rules. But let’s first look at an example.

Let’s say a Telco company collects customer movement data and stores it on cloud. The telco company at a future day sells it to a consultant that is hired by a transportation company, which would like to determine where to build train stations based on people’s movement. In this example the Telco, the cloud provider and the consulting company (and potentially the transportation company) is subject to GDPR.

On a high level, these rules are: i) customers should give consent to data collection, ii) customers have some rights (right to access and transfer their data, right to be forgotten, right to be notified in terms of a breach) and iii) privacy by design, which revolves around anonymization of data and right encryption methods.

Last year around May, we discussed these rules with numerous European conglomerates. Enigma can address primarily iii) privacy by design (this is our focus) and also i) and ii) which are around access control. When there’s data sharing, organizations must take all necessary precautions to make sure that data is optimally secured. This is where Enigma can play an instrumental role.

If the cloud provider uses the Enigma protocol to secure its database while doing computations, or if the consulting firm is given access to compute on Telco’s data using Enigma without accessing the raw data itself, the privacy by design rule of GDPR is achieved. One problem is that the privacy by design is judged on a “best-effort” case and there are not clear guidelines as to what suffices yet."