On 27 Apr. 2016, the European Union passed The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The regulation is extra-territorial and extends the scope of the EU data protection law to all foreign companies processing data of EU residents.
The regulations go in to effect on 25 May 2018 and require organizations that collect, process, or control (the “Data Controllers”) personal data from EU residents (the ‘Data Subjects”) to comply with the regulations. The scope of the of regulations is quite wide. For example, according to the European Commission “personal data” is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
The GDPR specifically requires Data Controllers to: (i) implement effective measures to comply with the regulations and, (ii) be able to demonstrate evidence of the compliance of processing activities. The regulations place a very significant and expensive burden on Data Controllers. Data Controllers are required to:
BREACH NOTIFICATION—Notify Data Subjects within 72 hours of first having become aware of the breach.
OBTAIN VALID CONSENT—Valid consent must be explicit for data collected and the purposes data is used. Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
RIGHT TO ACCESS—Provide Data Subjects with confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
RIGHT TO BE FORGOTTEN—Allow the Data Subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
DATA PORTABILITY—Provide the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine-readable format’ and have the right to transmit that data to another controller.
The GDPR places significant financial burden and liability on Data Controllers. Independent research suggests that companies will spend an average of $1.4 million on systems and training to comply with the GDPR. Fundamental limitations in current data processing technology are the primary an obstacle to GDPR compliance. Many organizations simply don't have the appropriate technology to manage data effectively. The penalties for breach of GDPR are very severe. Data Controllers found in breach can be fined up to 4% of annual global turnover or €20. Million (whichever is greater). Companies, such as retailers and hotels that collect large amounts of consumer data are particularly exposed to GDPR compliance costs and liabilities.
What is now desired is a computer system architecture that ensures automatic seamless compliance with GDPR data regulations. Ideally, such a computer system architecture would permit the data subjects themselves to access the data being stored about them, yet also permit merchants, financial, medical and academic professionals (and others) to only access pseudonymized data about the data subjects (thereby maintaining the data subjects' privacy and anonymity). Ideally as well, such a computer system architecture would seamlessly and automatically generate an auditably verified record in a timely fashion that the data stored therein complies with data processing regulations such as GDPR. As will be shown below, the present computer architecture provides such a system.