Analysis

The General Data Protection Regulation (GDPR), a broad and strict European Union (EU) legal framework regarding the confidentiality of personal data, came into force on 25 May. Ready or not, this framework will drastically transform the business of any digital enterprise. The International Association of Privacy Professionals (IAPP) predicts that at least 75,000 dedicated privacy jobs will be created and that Fortune Global 500 companies will spend nearly $8 billion to ensure they are GDPR compliant. But what does this mean for blockchains...

The objectives of the GDPR are to create a uniform data management framework within the Union and to strengthen the control that can be exercised over the storage and use of your personal data. It was adopted in 2016 and, after a two-year transition period, has finally entered into force.

Rights and obligations

The GDPR introduces new procedural and organizational obligations for "data processors", a category that includes both companies and public bodies, and gives greater rights to "data subjects", i.e. individual users.

Public and private organizations tend to accumulate data even before they know how they will use it, creating a sort of "gold rush" where the prize is users' personal data. The GDPR goes against this habit, specifying that data processors must not collect any data beyond what is strictly necessary for their immediate interaction with consumers. In fact, the collection of data should be "adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed" (art. 39 GDPR).

In addition to determining what is allowed or not, the GDPR also specifies the organizational guidelines that data processors will have to adopt from now on. For example, their technology architecture will have to erase consumer data after using it ("privacy by design").
In addition, any entity considered a "data nexus" will have to appoint a Data Protection Officer (DPO), a new role responsible for ensuring compliance with the GDPR. The DPO will have the legal obligation to alert the supervisory authority whenever there is a risk to the privacy of the interested parties (art. 33).

The interested parties, on the other hand, will know how their personal data are stored and processed (art. 15). For example, they will have the right to request a copy of the information held by the company. In addition, data controllers must communicate to data subjects all details about the process of acquiring, processing and/or sharing their data.

In addition to total transparency, the GDPR gives citizens more control over how their information is used. Article 17 lists the conditions under which citizens can request the deletion of their data from company databases, the so-called "right to be forgotten".

As Sarah Gordon and Aliya Ram pointed out in an article in the Financial Times, "ultimately, the impact of the GDPR will depend on whether or not citizens decide whether or not to exercise the powers conferred on them by the new rules." When was the last time you declined your consent to Facebook's privacy policy?

Phenomenon of global proportions

The GDPR imposes extremely high penalties on companies that do not comply with it. Moreover, its scope goes far beyond the EU.

For companies, a visit by the "data auditor" could become even more fearsome than that of the tax inspector. An intentional or repeated violation of the principles set by the GDPR will lead to a fine of up to 20 million euros, or up to 4 percent of worldwide annual turnover, whichever is greater. Instead of relying solely on DPOs, the authorities will carry out regular checks.

Although on paper the GDPR protects data only within the EU, its scope is, in fact, global.
First, data controllers located outside the EU who handle the personal information of EU residents will have to comply with the new regulation. Secondly, the EU has linked data flows to trade flows: any country wishing to sign a trade agreement with the EU will have to comply with the GDPR.

Over the past decade, the United States has become something of the "economic police of the world," imposing huge penalties on banking institutions for failing to comply with its anti-money laundering regulations. With the GDPR, will the EU become the world champion of data protection?