7 minute read


The General Data Protection Regulation (GDPR) is a privacy regulation enacted May 2018, effecting anyone processing the data of EU residents.

  • Can Self-Sovereign Identity (SSI) fit within the GDPR?: a Conceptual Data Protection Analysis (Part I) 2022-06-03 Kuleuven Law

    As one can quickly notice, some of the SSI principles are very similar to some provisions and principles in the GDPR. Therefore, I would like first to outline the similarities.

  • Can Self-Sovereign Identity (SSI) fit within the GDPR? : a Conceptual Data Protection Analysis (Part II) 2022-06-03 Kuleuven Law

    The GDPR covers the handling of digital identity data; hence the SSI principles should be consistent with the GDPR rules. However, technical and legal terminology may have diverse meanings due to discipline-specific interpretations as a common issue. In other words, while SSI principles include concepts similar to GDPR articles and principles, a closer examination reveals that they may have different interpretations. The second part focuses on the conceptual differences observed when the principles are contextualized within their specific domain: digital identity management.

  • Why is Self-Sovereign Identity compliant with the [GDPR]? 2022-02-16 Archpelis

    With the transition to the web 3.0 ecosystem, the development of distributed registries (blockchain technology) and the regulatory environment that is forcing digital players to favour privacy by design, the ISS approach will become the new standard, whether for entering into customer relations, managing digital identities or ensuring compliance of administrative processes in companies and institutions.

  • Can a Verifiable Credential-based SSI Implementation meet GDPR Compliance? 2021-05-14 Affinidi

    A common theme among all these provisions is to empower the data subject and put him or her in complete control over personal data including the way it is shared and used.

    Now, it’s time to see if Self-sovereign identity (SSI) addresses each of these provisions.

  • Giving people the privacy protection they need in the coming decade 2020-01-08 Sovrin Paper

    Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de l’Informatique et des Libertés.

  • Blockchain and Identity 2019-05-15

      An identity framework will need to work within such GDPR principles as data minimisation, purpose limitation and storage limitation. It will also have to deal with many of the rights that data subjects have under the GDPR, among them the well-known right to erasure (right to be forgotten), right of access and rights related to the automated processing of data. The GDPR also lays down clear responsibilities for data controllers and processors that will certainly need to be taken into account as well.


      Perhaps the most important regulation dealing with identity in the EU is eIDAS, an EU regulation and a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so is worth a closer look.

  • The impact of the GDPR on Blockchain & SSI 2019-05-15 Silvan Jongerius

    After this introduction, we will explore the particularities of this regulation relating to decentralized technology, blockchain, immutable ledgers and in particular self-sovereign identity solutions. Naturally, there are many challenges, but there are also opportunities, perhaps even to over-comply on the GDPR and setting a new standard for meeting its principles.

  • Blockchain and the GDPR 2018-10-16 EU Blockchain Forum

    as this paper will explain, GDPR compliance is not about the technology, it is about how the technology is used. Just like there is no Gdpr-compliant Internet, or GDPR-compliant artificial intelligence algorithm, there is no such thing as a GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications.

  • Liability under GDPR and the Self Sovereign Identity Model 2018-05-22 Elizabeth M. Renieris SSI Meetup

    One of the myths about GDPR and the right to be forgotten is that blockchain is inherently at odds with the right to be forgotten because of its immutability. But it depends what you’re writing to the ledger, and there are a lot of solutions we’ve seen that make both inherently compatible, because they’re not exactly that, they’re not putting credentials on the ledger. It depends on the chain, it depends on whether you consider forking and other technical measures to actually introduce changes to the record so to speak.

  • GDPR - A reflection on the ‘self-sovereign identity’ and the Blockchain 2018-02-11 Nicolas Ameye

    The GDPR is taking for granted a centralized identity model, meaning a centralized model of digital data storage and transmission. Those centralized models of digital data storage are relying on the principles that the data custodians are trustworthy and are mandated to steward personal data. The GDPR, while being technology-neutral by nature, is articulated around the idea that personal data are being stewarded by centralized authorities.

  • When GDPR Becomes Real, and Blockchain is no longer fairydust by Marta Piekarska (Linux Foundation), Michael Lodder (Evernym), Zachary Larson (Economic Space Agency), Kaliya Young (Identity Woman)

    Following the implementation date of May 25, 2018, managing data will be both toxic and expensive. Many precious resources will be required for improving and maintaining the security, privacy, and governance of personal data. Methods for storing less personal data will ease the burden of GDPR compliance. This document describes the GDPR requirements and the different approaches to digital identity solutions and finally explains why distributed ledger technology may offer an opportunity for enterprises to simplify data management solutions that are GDPR compliant.

Privacy by Design

Privacy by Design means that privacy should be considered from the very beginning, when designing a product. Article 25 of the GDPR requires “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing.”

  • Privacy by Design The 7 Foundational Principles 2011-02-11
    1. Proactive not Reactive; Preventative not Remedial
    2. Privacy as the Default Setting
    3. Privacy Embedded into Design
    4. Full Functionality — Positive-Sum, not Zero-Sum
    5. End-to-End Security — Full Lifecycle Protection
    6. Visibility and Transparency — Keep it Open
    7. Respect for User Privacy — Keep it User-Centric
  • Self-Sovereign Privacy By Design 2019-10-04

    This repo captures early models of what has now evolved into DID Communication – conventions for secure, private interaction between parties based on DIDs. All content here is archival; for the freshest thinking, please check out the Hyperledger Aries RFCs

  • GDPR and Privacy by Design, What developers need to know 2018-01-24

    In short, Article 25 of the GDPR requires; “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing”. Building compliant systems means that new functionality needs to be added, to deliver data pseudonymisation, encryption and other privacy enhancing measures.

Privacy Impact Assesment

Article 35 describes “a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies” called a Privacy Impact Assessment (PIA),

  • ISO/IEC 29134:2017 - Guidelines for privacy impact assessment
  • Open Source PIA Software 2021-06-30 cnil.fr

    The PIA software aims to help data controllers build and demonstrate compliance to the GDPR. The tools is available in French and in English. It facilitates carrying out a data protection impact assessment, which will become mandatory for some processing operations as of 25 May 2018. This tool also intends to ease the use of the PIA guides published by the CNIL.

  • Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) 2017-10-13

    A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance.