Is Integrity GDPR compliant?

Yes: Integrity offers privacy-by-design. Users’ data are stored on a local device (i.e. the smartphone) and each claim/attribute is shared only when needed, if consent is given.

Moreover, Integrity makes data portability a feature by default and businesses use this platform as a basis to build GDPR compliant services.

However, it should be noted that once an information leaves Integrity with users’ consent, the data could still potentially be mishandled by a non-GDPR-compliant third-party.

Let’s see into details how Integrity complies with GDPR’s six principles:

1. Lawfulness, fairness and transparency

  • Transparency: with Integrity, users are told how their data will be processed during the mandatory consent flow.

  • Fairness: by default, Integrity offers full transparency to its users: they can track who has access to what piece of data and verify that it is relevant.

  • Lawful: Integrity’s receipts ensure accountability and the possibility to prove that the data processing complies with GDPR (see articles 5 & 6)

2. Purpose limitations

On Integrity, users must give consent for any information to be shared. The interface forces the requestor to make the subjects aware of how their data will be used. Access to personal data without a “specified, explicit and legitimate purposes”[article 5, clause 1(b)] is therefore impossible.

3. Data minimisation

One of the key features of Integrity is its data granularity: users can share specific attributes under special conditions, e.g. for a certain timeframe or number of accesses. Again, this feature complies to the GDPR regulation which states that the data collected should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.[article 5, clause 1©].

A good illustration of that is how Integrity offers zero knowledge proofs schemes when the use case needs it. For example, users may prove their majority without revealing any age detail.

4. Accuracy

With its self-sovereign approach, Integrity ensures that the data is always “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Users actually manage their own data and they are able to edit it whenever necessary. This situation is to be compared with the cases where the data subjects are not even aware of what information is stored about them. Integrity also offers the possibility for the users to revoke any document that would have become compromised or inaccurate.

5. Storage limitations

Integrity complies with storage limitations in two ways:

a) Users may revoke access to a their data at anytime, when it is no longer necessary to share it. b) Data attributes can be shared for a limited timeframe.

These features ensure that personal data is “kept in a form which permits identification of data subjects for no longer than necessary”. [article 5, clause 1(e)]

6. Integrity and confidentiality

We are not called Integrity for nothing: our platform is a tool to manage data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”. [article 5, clause 1(f)]​

Concretely, users store their information locally on a device secured by a PIN code or biometric data. This distributed architecture protects the subjects from the threat of central data silos which are natural honeypots for hackers, who can break in and steal millions of records from one system, in a single attack. Meanwhile, hacking Integrity would require getting access to every users’ devices.

Was Integrity specifically designed for GDPR compliance?

No: Integrity is based on the Brickchain identity protocol which aims to solve recurrent privacy and security problematics by offering an efficient trust architecture. However, its originary purpose makes it GDPR friendly by default.

How decentralized is the Integrity platform?

Avoiding central data repositories is the most important feature for decentralization. Integrity achieves this by implementing a self-sovereign identity approach where all personal information is stored and controlled from the user’s smartphone, within the mobile app.

However, being self-sovereign does not mean that the subject is a permanent standalone entity, which would remain isolated in a separate environment. By definition, identity is a relational concept and it needs interactions between different entities to exist. Therefore, even if the system is decentralized, network participants may have different statuses and trust levels.

Integrity takes this basic truth into account by empowering trusted entities to share certified claims (i.e. Facts) through digitally signed documents.

Moreover, it should be noted that Integrity’s chains of trust removes the need for a single central authority: the Brickchain protocol liberalizes the root certificate market, by unlocking competition. Its technology lowers risks and entry costs, as the protocol participants have no central data silo to setup, manage and protect. Any organization can use its current position and know-how to rapidly start being an actor of the identity supply chain.