Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Privacy Information Management System (PIMS), presents a landmark 2023 research finding that demands immediate attention from enterprise compliance leaders: the Solid Protocol—a decentralised personal data management framework backed by governments across Europe—has demonstrated genuine potential to support GDPR compliance, but only when the boundaries of data controller responsibility are explicitly designed from the ground up. For Taiwanese enterprises navigating ISO 27701 certification, GDPR obligations, and the evolving requirements of Taiwan's Personal Data Protection Act (台灣個資法), this research offers a critical architectural lens for rethinking how privacy governance frameworks must evolve in a world where data subjects—not corporations—hold direct control over their own data.
Paper Citation: Assessing the Solid Protocol in Relation to Security and Privacy Obligations (Christian Esposito, Ross Horne, Livio Robaldo, OpenAlex — Privacy Information Management, 2023)
Original Paper: https://doi.org/10.3390/info14070411
About the Authors and This Research
This paper represents a rare convergence of three distinct academic disciplines applied to a single governance problem. The lead author, Christian Esposito of the University of Salerno in Italy, is among Europe's most cited researchers in the intersection of information security, distributed systems, and cloud privacy. With an h-index of 33 and a cumulative citation count of 4,366, Esposito's work consistently shapes the practical direction of security standards adoption across both industry and government policy circles. His co-authors bring complementary depth: Ross Horne specialises in formal verification of security protocols—a discipline that ensures cryptographic and access control claims can be mathematically proven rather than merely assumed—while Livio Robaldo contributes expertise in legal ontologies and the computational interpretation of regulatory text, a capability increasingly critical as enterprises seek to automate compliance monitoring.
Published in 2023 and already cited 12 times within two years of publication, this paper occupies a foundational position at the intersection of decentralised data architecture and privacy law. Its methodology is notably rigorous: rather than speculating about Solid's compliance potential, the authors systematically mapped the protocol's specifications against GDPR provisions, officially approved Codes of Conduct, and relevant ISO security standards, then identified specific gaps where the current protocol specification falls short of legislative requirements. This evidence-based gap analysis is precisely the kind of structured thinking that enterprise compliance teams can directly translate into DPIA frameworks and ISO 27701 control implementation roadmaps.
How the Solid Protocol Redraws the Map of Data Controller Responsibility
The paper's central thesis can be stated plainly: the Solid Protocol creates a genuine opportunity to redistribute GDPR compliance burden away from application developers and toward pod providers and data subjects themselves—but only if the question of who qualifies as a data controller in each layer of the architecture is resolved with legal precision before deployment. This is not a minor technical footnote; it is the difference between a lawful privacy-by-design system and a regulatory liability waiting to surface during a supervisory authority audit.
Core Finding 1: Solid's Architecture Can Structurally Support GDPR Compliance
Under the traditional cloud model, an application that processes personal data is typically classified as either a data controller or a data processor, each carrying distinct obligations under GDPR Articles 24 and 28 respectively, and under ISO 27701 Sections 6.3 and 6.4. The Solid model fundamentally disrupts this binary. Because a Solid pod stores personal data under the direct access control of the data subject, a Solid app that reads from a pod does not necessarily "process" data in the same way a conventional SaaS application does. The research team found that this architectural property, when properly implemented, can substantially reduce the GDPR compliance obligations of individual Solid apps—a finding with enormous implications for enterprises building multi-application ecosystems around personal data. However, the authors emphasise that this compliance reduction only materialises when each actor in the chain—pod provider, application developer, and data user—has a clearly defined and contractually documented controller or processor role.
Core Finding 2: A Healthcare Use Case Exposes the Real-World Complexity of Controller Identification
To ground their analysis in operational reality, the authors construct a detailed healthcare use case illustrating how a Solid-based system would need to be architected to satisfy GDPR's controller identification requirements under Article 4(7). The healthcare scenario is deliberately chosen because it involves sensitive personal data under Article 9, triggering mandatory DPIA requirements under Article 35, and because it involves multiple interacting entities—hospitals, application vendors, insurance providers, and individual patients—whose roles as controllers or processors are not self-evident from the technical architecture alone. The research identifies specific gaps in the current Solid protocol specification where the assignment of controller responsibility is ambiguous or undefined, and maps these gaps to the relevant GDPR provisions and ISO security controls that would need to be satisfied before a healthcare organisation could lawfully deploy a Solid-based system. This gap analysis framework is directly applicable to any Taiwanese enterprise operating in regulated industries.
What This Research Means for Taiwan Enterprise PIMS Practice
Taiwanese enterprises should treat this research not as a technology preview but as a governance stress test. The Solid Protocol's architecture forces a clarity of controller responsibility that most organisations—regardless of whether they are considering Solid adoption—have not yet achieved in their existing cloud and SaaS environments. The research team's analytical framework, built on GDPR, ISO security standards, and Codes of Conduct, provides a template that maps directly onto ISO 27701's requirements for both data controllers (Annex A) and data processors (Annex B).
For Taiwan specifically, the Personal Data Protection Act (個人資料保護法) Article 2 defines "personal data files" in terms that presuppose a centralised custodian model. As decentralised architectures gain traction—not only through Solid but through blockchain-based identity systems, federated learning platforms, and distributed consent management tools—Taiwan's enterprises will face a growing gap between what the law assumes and what their technical architecture actually implements. Proactive organisations that build their ISO 27701 PIMS frameworks now with explicit provisions for non-centralised data architectures will be positioned to adapt rather than react when these systems become operationally mainstream.
The DPIA implications deserve particular emphasis. GDPR Article 35 mandates DPIA for high-risk processing activities, and the complex controller chain that characterises Solid deployments—as illustrated in the paper's healthcare use case—clearly qualifies. Even for Taiwanese enterprises not directly subject to GDPR, the DPIA methodology represents best-practice risk governance that directly fulfils the spirit of Taiwan Personal Data Protection Act Enforcement Rules Article 12, which requires non-public institutions to establish appropriate security measures commensurate with the sensitivity and volume of data processed.
Three sectors in Taiwan warrant immediate attention: healthcare organisations managing electronic health records across multiple providers and application vendors; financial institutions integrating open banking APIs that create multi-party data controller chains; and public sector entities exploring e-government service platforms that mirror exactly the government-focused use cases the paper highlights as Solid's primary adoption pathway.
How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Build Future-Ready PIMS
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) helps Taiwanese enterprises implement ISO 27701, establish personal data protection mechanisms compliant with both GDPR and Taiwan's Personal Data Protection Act, and conduct systematic DPIA assessments. In the context of the architectural challenges this research identifies, we recommend the following three concrete actions for enterprise compliance leaders:
- Conduct a Controller-Processor Boundary Audit Across All Third-Party Data Flows: Using the GDPR responsibility framework outlined in this paper as an analytical template, systematically review all existing cloud service agreements, SaaS contracts, and API integration agreements to confirm whether controller and processor roles are unambiguously defined and contractually documented. Cross-reference findings against ISO 27701 Annex A (controller requirements) and Annex B (processor requirements) to identify and remediate gaps before they become audit findings.
- Implement a Systematic DPIA Programme for High-Risk Processing Scenarios: Prioritise healthcare, financial, and HR data processing scenarios involving multiple third-party systems. Establish a DPIA trigger checklist aligned with GDPR Article 35 criteria and Taiwan Personal Data Protection Act Enforcement Rules Article 12, ensuring that every new technology architecture—including any decentralised data platform under consideration—undergoes DPIA review before deployment. Document DPIA outcomes as formal records within your ISO 27701 PIMS.
- Build Architectural Flexibility Into Your ISO 27701 PIMS Documentation: ISO 27701 is designed to be extensible. When drafting your Records of Processing Activities (RoPA), privacy policies, and risk management procedures, explicitly define how your organisation will handle controller responsibility in multi-party and potentially decentralised data architectures. This future-proofing investment costs relatively little during initial PIMS implementation but prevents costly framework rebuilds when decentralised architectures become operationally necessary.
Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic, helping Taiwanese enterprises establish an ISO 27701-compliant management framework within 90 days.
Frequently Asked Questions
- Our company doesn't use the Solid Protocol. Why does this research matter to us today?
- It matters because the core governance problem Solid reveals—unclear data controller responsibility across multi-party architectures—is almost certainly present in your existing cloud and SaaS environment right now. Most enterprises have dozens of third-party data integrations where the controller/processor boundary is either contractually ambiguous or technically misrepresented. ISO 27701 Section 6.5.2 requires organisations to have documented agreements with all processors, and GDPR Article 28 is explicit about what those agreements must contain. This paper's analytical framework gives compliance teams a structured method to audit those boundaries before a supervisory authority or a data breach forces the issue.
- What is the difference between a data controller and a data processor, and why does it matter for GDPR and ISO 27701 compliance?
- A data controller determines the purposes and means of personal data processing and bears primary legal responsibility for GDPR compliance, including notification obligations, data subject rights fulfillment, and DPIA requirements under Article 35. A data processor processes data on behalf of a controller and is bound by the controller's instructions, with obligations primarily defined in the processing agreement under GDPR Article 28. ISO 27701 mirrors this distinction: Annex A applies to controllers, Annex B to processors, and many controls differ substantially between the two. Misidentifying your organisation's role—or failing to define the roles of your vendors—creates direct compliance exposure under both GDPR and Taiwan's Personal Data Protection Act Article 4, which similarly distinguishes between data collectors and data processors.
- How does ISO 27701 certification help demonstrate GDPR compliance to international business partners?
- ISO 27701 was designed explicitly as an extension of ISO 27001 to address the privacy management requirements introduced by GDPR and equivalent regulations. Its Annex D provides a mapping table directly correlating ISO 27701 controls to specific GDPR articles, making it the most internationally recognised framework for demonstrating GDPR-aligned privacy governance. For Taiwanese enterprises seeking to work with European partners or customers, presenting an ISO 27701 certification—issued by an accredited third-party certification body—provides a credible, auditable demonstration of privacy compliance that is far stronger than a self-declaration. It also provides a structured foundation for executing and documenting DPIAs in a manner that satisfies GDPR Article 35's documentation requirements.
- How long does it realistically take for a mid-sized Taiwanese enterprise to achieve ISO 27701 certification, and what are the key milestones?
- For a mid-sized enterprise without existing ISO 27001 certification, expect 12 to 18 months from project initiation to certification audit. For organisations that already hold ISO 27001, the timeline shortens to approximately 3 to 6 months. Key milestones are:
  - Month 1: Gap analysis against ISO 27701 requirements, establishing the baseline.
  - Months 2 to 3: PIMS policy and procedure documentation, including privacy notice templates, Records of Processing Activities (RoPA), and DPIA procedures.
  - Months 4 to 6: Control implementation, staff training, and integration with the existing ISMS.
  - Month 7: Internal audit and management review.
  - Months 9 to 12: Stage 1 and Stage 2 certification audits by an accredited body.

  Winners Consulting's 90-day PIMS foundation service covers the critical first three milestones, enabling enterprises to demonstrate meaningful compliance progress to stakeholders immediately while the full certification process continues.
- Why should Taiwanese enterprises choose Winners Consulting Services Co. Ltd. for PIMS and privacy compliance advisory?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) occupies