SSI as a tool of GDPR compliance
Personal data represent today one of the most valued goods on the market. Consequently, those who holds the personal data can exercise a considerable amount of power toward those who the data belong, in the other words, the individual to whom these data refer.
In the digital age, identity management has been affected by an important process of evolution and revolution, moving from a centralized approach to an increasingly decentralized concept of identity.
For years, the notion of identity required the presence of an organization that was involved in the management of such personal data, placing the user in a subordinate position.
This point of view has been completely reversed with the advent of a new approach in the identity management, driven by the notion of Self-Sovereign Identity. The person, the holder of the data, achieves full control over the identity, deciding whether and which certified attributes to make available to third parties.
As a result, the benefit is twofold: there is a gain in data security and data flexibility, allowing the user to share only the necessary data (the minimum amount) for the specific purpose and without intermediaries.
SSI & GDPR: perspectives in comparison
The user-centric approach of Self-sovereign Identity is fully in line with the one promoted by General Data Protection Regulation (GDPR), also focused on the concepts of individual sovereignty and personal data security. Self-Sovereign Identity and GDPR are also aligned on the concepts of flexibility and free movement of data. SSI ensures and develops the free movement of certified attributes between individuals and entities, within a trusted environment. Similarly, GDPR insists on the free movement of personal data within the UE.
The similarities between the two perspectives become even more evident if we focus on the ten principles of Self-Sovereign Identity, outlined in 2016 by Christopher Allen.
- EXISTENCE: each digital identity always implies a real individual existence. The attributes that a person decides to share exist in advance of and independently from the digital notion. In line with the approach of GDPR, identity is considered an inherently human concept, and the personal data are and remain owned by individuals.
- CONTROL: the primary intent of Self-Sovereign Identity is to get the control of identity attributes back to individuals. In the same way, GDPR gives individuals the right to express their willpower regarding data processing, granting or denying the consent to the processing of information (art. 7-16-18 of the GDPR).
- ACCESS: Self-Sovereign Identity and GDPR (art. 15) agree that users should have the right to access their information, easily managing their identity attributes. In order to avoid an incorrect use of personal data, through Self-Sovereign Identity users have the possibility to access their personal information without intermediaries.
- TRASPARENCY: algorithms and systems at the basis of identity networks must be open, transparent and freely available. Similarly, GDPR states that personal data processing must be licit, intelligible and transparent. Moreover, data subject needs to be aware of purposes and methods of processing, through the Information Notice (art. 12-13-14 of the GDPR). Transparency becomes really central for digital identity protection, and crucial in order to prevent unlawful processing of personal data.
- PERSISTENCE: digital identity should follow the individual during the entire existence, or at least as long as the user wants. As stated by Christopher Allen, this concept must not be considered in contrast with the “right to be forgotten” enshrined in the GDPR (art. 17). The user can dispose the information at any time, requesting changes or cancellation. Therefore, two different concepts are arising: identity is persistent, instead attributes (referred to that identity) can be modified or revoked. The focus here is that the decision is up to the user, first owner of the data.
- PORTABILITY: digital identity should be portable, so that user can maintain at any time the control over his or her information. If a third-party organization could centralize identity control, this would constitute a threat to the concept of persistence that must be guaranteed to identities, representing a dangerous Single Point of Failure. Portability assures that identity can be transferred and stored into several applications, at user’s discretion. GDPR focuses on the same concept: personal data can move freely within the territory of the European Union, while remaining under users’ control (art.1 of the GDPR).
- INTEROPERABILITY: this characteristic of Self-Sovereign Identity, closely related to the concepts of persistence and portability, reinforces the fact that identity should be considered as much as possible on a large-scale. Through the interoperability of management mechanisms, the identity can follow the user wherever decides to move, beyond geographical boundaries. Albeit related only to UE territories, GDPR states the same principle with regard to personal data processing (art. 1 of the GDPR). Ensuring and protecting free movement of data is the way toward the strengthening of subjects’ rights.
- CONSENT: GDPR (art. 4 and art. 7) and Self-Sovereign Identity converge on the idea that the user must give the consent to data processing. This aspect enhances the concepts of autonomy and centrality of individuals, assuring they know where, for what purpose and to what extent their data is processed. Consent is therefore an essential element for identity protection, granting users maintain a desirable level of privacy.
- MINIMIZATION: the disclosure of identity-related information must be kept on the minimum amount necessary to the specific purpose in place. Once again, Self-Sovereign Identity and GDPR move in the same direction. GDPR (art. 5 and art. 25) states that the data collected must be appropriate and relevant to the task. The collection of personal data must be limited to what is necessary to the purpose to which data is processed.
- PROTECTION: user’s rights must be protected at any time. In case of conflict between the needs of an identity network and the needs of a user, user’s rights have the priority, because the individual has the control over the data. Self-Sovereign Identity preserves identity owners’ rights, as well as GDPR protects data subjects (art. 1 of the GDPR).
In this perspective of similarities and synergies, it is evident that Self-Sovereign Identity can represent an innovative and effective tool which is able to promote the spirit and the purposes of General Data Protection Regulation.
Please download here the pdf version of the infographic: DOWNLOAD
SSI: capabilities and future scenarios of a growing market
According to several important consulting firms, Self-Sovereign Identity is a tool capable of recomposing the existing tensions between blockchain technology and GDPR, by demonstrating how a thoughtful use of this technology may even results in an increase of compliance.
However, it is essential to follow several best-practices of the sector, first of all the adoption of systems able to forbid or prevent the storage of personal data on-chain, besides the conduction of a prior impact analysis case-by-case.
A recent report carried out by Juniper Research estimates that the market of Self-Sovereign Identity can count from 2024 a global turnover of 1,1 billion dollars. Therefore, a significant acceleration is estimated in a relatively short time: the figure estimated for the end of 2020 for the same market is 100 million dollars, envisaging a growth of +1000% in just four years.
At the basis of this exponential growth is outlined the increasing importance of safeguarding protection and security of digital identities.
All of this proves that security and privacy are no more linked by a trade-off, which involves a necessary decrease on one concept in return for gains on the other.
Through Self-Sovereign Identity it is possible to gain a simultaneous increase on both aspects, protecting the user from the beginning, who is and remains the owner of his or her identity and the attributes connected to it.