GDPR Article 25: How We Designed Privacy In, Not Bolted On
GDPR Article 25 — Privacy by Design and by Default — is widely acknowledged and rarely implemented seriously. Most compliance teams interpret it as a checklist: add a privacy policy, implement a consent banner, appoint a DPO. The underlying architecture remains unchanged.
Solidus was designed differently. Every architectural decision maps to a specific GDPR obligation. Here is the mapping.
Article 5 (Data minimisation): We do not store PII on-chain. The on-chain record of a verification is a BLAKE3 hash of the document and an Ed25519 signature over the extracted claims. Raw document data is purged from our servers after 30 days. BBS+ selective disclosure is live on testnet (audit pending) — once a credential is issued in BBS+ form, a verifier checking it will learn only what they requested, not what the credential contains.
Article 6 (Lawful basis): User consent is captured at credential issuance and encoded in the credential metadata. The consent record is itself signed — it cannot be altered after the fact without invalidating the signature.
Article 17 (Right to erasure): A user can deactivate their DID, which removes the chain anchor and invalidates all issued credentials. Verifiers receive a webhook notification when a credential is revoked. We cannot un-hash historical on-chain data, but the system is designed so the on-chain record contains no PII to begin with — only opaque commitments. Deactivating the DID makes the off-chain data the system holds about the user no longer linkable to a usable identity, which addresses the spirit of Article 17 within the constraints of an append-only ledger.
Article 20 (Data portability): Credentials are user-owned JWTs. The user can export their wallet and move to any compatible system. No export request to Solidus is required.
Article 25 (Privacy by design): The architecture is designed so that selective-disclosure proofs are the default presentation mechanism. Today, credentials are presented in full with Ed25519 verification. BBS+ selective disclosure is live on testnet (audit pending) — verifiers can already request specific claims and receive cryptographic proofs that reveal only those claims. Predicate proofs (e.g., age ≥ 18 without DOB) require an additional ZK-SNARK layer and remain on the roadmap.
Article 32 (Security of processing): Ed25519 for signatures, AES-256-GCM for encrypted storage, PBKDF2 for key derivation. Standard, audited, uncontroversial.
The point is not that Solidus is GDPR-compliant. Compliance is table stakes. The point is that the architecture makes non-compliance structurally difficult. A developer using the SDK cannot accidentally log PII to the chain — there is no API that accepts it.