4 minute read

The General Data Protection Regulation (GDPR) is a privacy regulation enacted May 2018, effecting anyone processing the data of EU residents.

EU Blockchain Observatory and Forum Report

Section 19: Decentralised identity and the European regulatory landscape


    An identity framework will need to work within such GDPR principles as data minimisation, purpose limitation and storage limitation. It will also have to deal with many of the rights that data subjects have under the GDPR, among them the well-known right to erasure (right to be forgotten), right of access and rights related to the automated processing of data. The GDPR also lays down clear responsibilities for data controllers and processors that will certainly need to be taken into account as well.


    Perhaps the most important regulation dealing with identity in the EU is eIDAS, an EU regulation and a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so is worth a closer look.

Privacy by Design

Privacy by Design means that privacy should be considered from the very beginning, when designing a product. Article 25 of the GDPR requires “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing.”

Privacy Impact Assesment

Article 35 describes “a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies” called a Privacy Impact Assessment (PIA),


  • GDPR Checklist for Websites & Mobile Applications
  • GDPR Checklist
  • GDPR Expert - information on each article, for different countries in the EU.
    • the corresponding provision in the (former) Directive;
    • the corresponding provision in the country you have selected;
    • an analysis of the “Existing position”;
    • an analysis of the “Future position”;
    • an analysis of “Potential issues”;
    • the first and second proposals of EU Regulation;
    • the relevant recital(s).


Sovrin Foundation

Digital Identity Management in the Context of GDPR & Sovrin

Sovrin Foundation announces 30-day public review for data protection regulation revisions to the Sovrin Governance Framework

The Sovrin Governance Framework Working Group (SGFWG) and Global Policy Working Group (GPWG) together with Sovrin Stewards and Sovrin Foundation counsel began the process of determining what further changes would be needed to enable compliance with data protection regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Province of British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA).

Giving people the privacy protection they need in the coming decade

Sovrin Foundation makes the case that self-sovereign identity is the most flexible system for handling data privacy as regulations are adopted in different jurisdictions and evolve to meet changing local needs over the next decade. The paper examines how GDPR applies to participants in a blockchain network and addresses recent guidance from EU regulators and the Commission Nationale de l’Informatique et des Libertés.