A Decentralized Personal Data Store Based On Ethereum: Towards Gdpr Compliance

Personal data sharing with service providers represents an unavoidable risk, due to issues like: improper data treatment, lack of users' awareness to whom they are sharing with, wrong or excessive data sharing from end users who ignore that they are exposing personal information. But sharing personal information, in the IoT era forces us to consider not only personal data, but also personal devices sharing. It becomes fundamental to consider users' awareness and centrality in the act of sharing, and resilience towards malicious third parties, which are problems that blockchain technologies are fit to solve. In order to make decentralized solutions usable for real, there is another challenge, the not simple compliance with the General Data Protection Regulation (GDPR), the European Authority has provided, in order to implement protection of sensitive data in each EU member. Such regulation protects sensible data throughout certification mechanisms (according to Art. 42 GDPR), which is a mandatory requirement for any service which may come in contact with sensitive data. The current paper offers a contribution, showing that the decentralized approach for personal data sharing, may be compliant not only with the requirement of users' centrality but also with GDPR, representing a novelty for IoT-ready personal data sharing management systems based on a distributed environment. This is possible by embedding the consent mechanism described by GDPR, within a real decentralized prototype developed to share personal data and devices. We present our approach and an architectural blueprint which evolves the prototype.