This is a guest post by Bob Keith, chronic crypto nut and freelance writer/editor

Hi there. Thanks for checking out this article written by our friends over at Make sure you drop by and see them after you’ve read what they have to say about how GDPR legislation might or might not affect ICOs.


The new GDPR legislation set to roll out in May 2018 is keeping business owners worldwide collectively puzzled. It is European legislation, but it concerns European businesses as well as worldwide digital companies that gather the personal data of European residents.


Blockchain industry is the epitome of digital business these days, and crypto outfits are notorious for their creative inventions when it comes to payments, data storage, and funding collection. There has been a lot of emotion around GDPR in the crypto community, and some have even called it the end of immutable data storage.


So far, a good part of the blockchain space is still not regulated at all, though. Let’s look into how that might change for the most controversial blockchain businesses – projects that collect their funding via ICOs.


Believe it or not, GDPR makes sense


No matter how deeply you might despise regulations, the idea behind GDPR is not completely out there. GDPR was developed as a reaction to the fact that personal data collected by digital businesses have become a goldmine. What we see here is the classic setup where law trails the reality – there has been a time gap without any regulation in this space. Consequently, for businesses that collect a lot of detailed data about people, it became an established path to profit to start commercially using information that the user would hope stays private.

The primary aim is the user’s control over privacy


The way GDPR reacts to this new way of doing digital business is fortunately rather liberal. The main goal of the regulation is not to repress digital business – it is to protect the individual rights of the customer. There are whole industries that depend on some degree of personalization, and for most of us, it is not necessarily a bad thing to see ads and recommendations tailored to our preferences. That is also how GDPR sees it – as far as the new law is concerned, there is only a problem if the customer (data subject) has no control over what data is collected by the company and how it is handled.


A case in point: As you probably know, it is a common practice not to erase customer data, ever. Typically, a click on the DELETE button in an app only flags that piece of data as removed and inaccessible from the outside, but the company still keeps the actual information in their databases. Thanks to GDPR, the company will now have to erase your data completely if you request it. In addition to that, companies are now required to keep good privacy standards, to unlink individual identity from the data whenever possible, and to stick to technology frameworks that can be easily audited.


GDPR and blockchain


When it comes to privacy, public blockchains do not conflict with the spirit of GDPR. A decentralized application that runs on a public blockchain is publicly auditable, and it is often not necessary to provide any data that would personally identify the user.


One often mentioned drawback is the immutability of blockchains. While blocks cannot be edited once they are mined, clever app architectures that keep their data pseudonymous and store only the bare minimum information on-chain should not have any issues with GDPR.


The solution via pseudonymity applies for payment collection through blockchain as well. Payments are, by nature, pseudonymous and not linked to a particular user. The link between an individual and a blockchain entry is made by the user – think signing up with an email to send an ETH payment into an ICO contract.


This bit of data is usually stored in a plain old database managed by the organization. While the transaction will stay on the blockchain forever, the link between the user and the transaction can easily be removed. Once the data cannot be traced back to a natural person, according to the law, it is not personal data.


Collection of funding via ICOs in Europe is not specifically targeted by GDPR. It is not a financial regulation, it is a data processing one, but it influences the operations of companies that get funded via ICOs just as it influences any other digital business.


At first, GDPR will probably bring a lot of work to lawyers and legal advisors, but for legitimate businesses, the situation is not dire at all. From May, stricter consent rules will be imposed on marketing in Europe, but according to that does not mean companies need to annoy users with consents for absolutely every marketing move. As long as a company can, on request, provide an assessment that justifies why it was vital for the business to collect that particular personal data, all is well.


This kind of leeway is quite typical to GDPR. The reason is that GDPR concerns the back-office of all companies across all industries worldwide that do business in Europe. The differences from one company to another are huge – it is simply not possible to have unified, clear guidelines as to what exactly business owners should do. The legislation requires an individual approach. There are some required practices based on the scale of the company’s operation, but most blockchain enterprises are so niched it will not apply to them anyway.


The main implication for smaller businesses based in Europe or collecting information about people from Europe is to have a solid organizational structure for data acquisition, storage, and processing. Companies that have good security practices, that mind the privacy of their users, and that keep good records about how they handle user data are already ahead, whether they work with the blockchain or not. One can document data handling in a smart contract just as in any traditional software.


No matter how you look at it, the result should be the elimination of businesses that are lackluster in their security and operations. That, from the point of view of a customer, is not a bad result at all.