Provectus will bring an automated General Data Protection Regulation (GDPR) compliance solution to market this month. The solution focuses on data related aspects of the regulation, particularly interactions between individuals and organisations, and is based on distributed key management and blockchain based audit.
The solution is designed for start-ups and small to medium sized businesses that need to comply with GDPR, but don’t have resources for consultants and legal, or expertise in building robust compliance processes and policies. Customers do need to be relatively tech-savvy as the solution is provided as a suite of application programming interfaces (APIs) and requires some technical acumen to be integrated, although help can be provided by Squadex, Provectus’s parent and a technology consultancy and software engineering specialist.
Dima Kanevsky, product manager of Provectus, says: “Large companies are spending millions of dollars on GDPR compliance, but smaller companies can’t do that, so we have built an automated solution that is more efficient than manual processes, allows individuals to exert their rights under GDPR, logs data for audit purposes and doesn’t require expensive human input.”
The GDPR solution’s technology is tried and tested, and already in use in the US ensuring the privacy of sensitive financial data required for corporate tax purposes. GDPR compliance is limited to data interactions between individuals and organisations, which must fulfil their own Data Protection Impact Assessments (DPIA) and decide whether they need to appoint a Data Protection Officer in line with the regulation’s requirements.
Organisations and individuals interact through APIs, with individuals using devices such as mobile phones or a web application, and a key provided by the organisation to turn on or off consent to access their personal data. The key management solution encrypts data on a record-by-record basis and records of processing activities are kept on a cloud-based blockchain that keeps a log of users’ decisions on their data in an immutable way. Data from the blockchain can be extracted by users or authorities automatically, while the data encryption element of the key management system means any breaches of personal data lead only to anonymised data.
Yuri Vizitei, chief technology officer of Provectus, explains: “The core of the solution is distributed key management that allows individuals to control what personal data they provide to an organisation and access the information. The blockchain model is fit for purpose here as it provides an audit log rather than data storage that is subject to change.”
Provectus plans to price its GDPR solution on bands of numbers of active data users and says it has customers in the pipeline that will be up and running in time for GDPR compliance on May 25, 2018.