Fines are determined by the nature and severity of the infringement.

Maximum fine of 20M euros (~$22M) or 4% of global annual turnover from the prior year, whichever is greater: failure to adhere to the core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organizations that do not ensure an adequate level of data protection (Article 44).

Maximum fine of 10M euros (~$11M) or 2% of global annual turnover from the prior year, whichever is greater: failure to comply with technical and organizational requirements such as impact assessments, breach communications, and certifications (Articles 25, 32, 33, 35).

Punishments for not upholding GDPR rules

The European Council came up with a tiered approach to fines for anyone found in violation of the GDPR.

There are two levels of punishment, depending on the type and scope of the infringement.

The first penalty tier is set at up to 10 million euros or up to 2% of the company’s global annual turnover of the preceding financial year, whichever amount is higher.

The upper tier doubles those amounts: companies are fined up to 20 million euros or up to 4% of their global annual turnover, whichever is higher.

According to official reports, fines at the lower end apply for breaches like:

Obtaining consent for processing from an underage individual.

Failing to maintain records that show how data is used.

Failing to categorize the assembled data in any way.

Infringing on the rules regarding privacy by design and privacy by default.

Failing to notify the owner about a breach in a timely fashion.

Fines in the higher tier apply for breaches like:

Not legitimately, lawfully, and securely processing the data.

Failing to acquire consent before handling PII.

Violating the client’s right to privacy.

Failing to ensure the subject’s data is transferable.

Limiting access to an individual’s own data.

Not complying with or in any way restricting a supervisory authority’s access to the company’s data processing system.

Transferring the subject’s information without explicit permission.

Who determines GDPR noncompliance?

Since noncompliance can easily lead to severe fines, companies under the GDPR reasonably ask: who has the final word on whether or not the regulation has been violated?

Deciding whether the data controller or processor failed to abide by the provisions is a task for the national data-protection authorities.

According to the GDPR, each EU state must have an independent entity that will perform supervisory functions. These organizations are in charge of investigating cases and imposing administrative fines whenever the complaint is deemed a valid one.

Supervisory authorities start investigating companies either on their own initiative or upon a complaint lodged by a data subject.

If a company wishes to get in touch with a supervising organization, the GDPR guidebook clearly states that the supervisory authority must be located in the same country where the company in question has its main establishment in the EU. This is obviously intended to counter the risk of organizations choosing a supervisory authority they perceive as less strict.

If a company is unable to find a GDPR supervisory authority in the country it’s operating in, then the organization is expected to contact a GDPR-enforcement entity in the closest adjacent EU country that has supervisory officials.

The first steps to preparing for the GDPR

Unfortunately, there is no “one size fits all” approach to becoming compliant with the GDPR. Each business needs to examine what it needs to adjust in order to comply.

First and foremost, you need to review what’s required of you before you even start pondering how your firm can adjust to the recent changes. Understanding the current state of your security and data-processing departments is crucial; it will allow you to identify potential problems and work out how best to prevent them.

That being said, there are some relatively basic measures you should consider taking before setting foot in the GDPR era:

- Get a firm grasp on the personal information in your possession and understand with whom it is shared, as well as what terms and conditions govern its use.
- Simplify your terms of service and do everything in your power to make giving and withdrawing consent as uncomplicated as possible for your customers.
- Organize Privacy Impact Assessments in order to identify privacy risks to your customers’ information.
- Invest in state-of-the-art security technologies that will help your business emphasize the protection of your customers’ private information.
- Make sure that creating authorized electronic copies of personal data requires just a few clicks.
- Have the right measures in place to promptly delete customers’ data if they request such a procedure.

Do I need a Data Protection Officer (DPO)?

Depending on your data-processing methods and the overall size of your business, it might make sense for you to hire a Data Protection Officer.

A DPO will take care of duties like informing and advising the employees about their obligations to comply with the GDPR, monitoring compliance with the rules, managing internal data-protection activities, and training staff on GDPR compliance.

A DPO is also the first point of contact for supervisory authorities.

Keep in mind that having a DPO is obligatory for public authorities (government agencies, state schools, and publicly-funded museums, for example), organizations that engage in large-scale systematic monitoring of customers (such as online shopping or banking websites), and companies in charge of processing sensitive data either for themselves or for other organizations (like businesses that collect data about prison inmates).

If your company does not fall under any of these categories, you aren’t required to appoint a full-time DPO; the decision of whether or not you hire one is entirely up to you.

Naturally, EU institutions and bodies have already appointed their own DPOs.

Updating existing security systems

Normally, installing a brand new security system is a lot easier than updating an existing one to meet the GDPR standards. Unfortunately, chances are most organizations that still aren’t prepared for the recent law changes will find themselves in the latter category. After all, the GDPR is much stricter than any other law of its kind, so your current security measures likely do not meet at least some of its demands.

To make sure you comply fully, rather than partially or not at all, check your current policies and compare them against the GDPR provisions.

Organize a working group that will identify gaps in your security policies and analyze whether the current solutions are up to par with GDPR standards of compliance.

You should also get your IT security team to map out your complete customer-information storage system and security processes. This method will identify potential shortcomings before they become a problem, as well as account for any obsolete hardware/software that may prove problematic down the line.

Consulting your local GDPR supervisory authority (or an expert) is also a sensible option. This can greatly help you evaluate the state of your security systems and where they stand in terms of GDPR compliance.

How much will GDPR implementation cost?

Although this is a fair question, answering it is far from straightforward — you need to take many factors into account to get even an approximate cost estimate for your GDPR transition.

Based on an in-depth analysis of publicly available data of FTSE 100 companies in the UK, it turns out that an average FTSE 100 firm faces a bill of around £15 million.

Keep in mind, though, that not all firms within the FTSE 100 index will have to make exactly the same investment. Factors like overall size, the complexity of IT sectors, the kind of business, and service lines are just some of the determinants that will ultimately affect how much you have to invest.

Across the pond, a PwC survey revealed that 68% of US-based companies planned to spend around $1 million to $10 million to meet GDPR requirements before the legislation came into effect. Just 9% expected to pay more than $10 million.

Some observations about the cost of becoming GDPR compliant

While identifying an exact price range for achieving GDPR compliance is challenging, some observations can give us a clearer picture of what to expect.

First of all, the cost of implementation is always directly proportional to the size of the firm.

Furthermore, it’s estimated that most companies face an average implementation cost of £300–450 per employee across all sectors, although this varies depending on the industry.

From the moment the GDPR was announced, banks were expected to be the ones who face the highest implementation cost, which is not surprising considering they offer a wide range of services to large numbers of customers and have complex IT systems.

Banks and large insurance firms aside, organizations that deal with energy, commodities, utilities, retail goods, telecommunications, and technology should all expect to have to pay around £15–19 million.

Large businesses in other sectors are probably looking at a bill of around £5–11 million.

Comparing potential fines with implementation costs

If we stick to the estimate that an average FTSE 100 firm needs to fork out around £300–450 per employee to comply with the GDPR, it’s worth comparing these implementation costs with the potential fines we spoke about earlier.

For FTSE 100 companies, the 4% of annual turnover fine — which is the maximum a firm can be charged for a GDPR oversight — equates to £800k for the smallest organizations and can go all the way to £7.1 billion for the largest ones.

This means that, on average, a fine of 4% of revenue is actually 30 to 80 times higher than the cost of implementing changes in the first place. This illustrates that, besides being a smart move for the future, complying with the GDPR data-processing standards can actually save companies huge amounts of money in the long run.

For banks, however, a fine of 4% of revenue is actually only 13 times bigger than what the initial implementation cost is.

Blockchain and the GDPR

The centralized data-storage models we are used to rely on the implicit premise that the custodians of our information are trustworthy. Blockchain systems instead let math, executed and validated by a network of computers, substitute for the middlemen.

Since many organizations are keen to adopt this emerging technology, it’s fair to assume some businesses would consider how blockchain software might help them transition to the GDPR era.

At least at first glance, using blockchain to solve the GDPR problem really does make sense.

However, once you pass the point of initial excitement, it becomes apparent that some of blockchain’s most important principles could actually conflict with the GDPR.

So, despite both challenging the status quo of how personal data is managed, the GDPR and blockchain don’t quite see eye-to-eye about how such a goal should be fulfilled.

Why blockchain and the GDPR make sense together

Of course, just because two entities don’t work together now doesn’t mean they couldn’t become perfectly suited to each other, albeit with a few tweaks.

Blockchain and the GDPR could do just that.

A blockchain is a distributed database that maintains a continuously growing list of records, in which each block contains a timestamp and a link to the previous block. It’s easy to see how well this aligns with the GDPR transparency requirement.

Here are some other reasons why blockchains may be perfect for securing personal data:

- Blockchain technology makes use of cryptography and digital signatures to store and manage information, offering a safe way for users to authenticate their identity online.
- Blockchain’s decentralized nature eliminates the risk of a single point of failure, so the system’s safety is rarely questioned.
- Since blockchain creates encrypted blocks of ordered records, a potential GDPR adaptation of the system would provide completely traceable data.

Obstacles standing between blockchain and the GDPR

At its very core, blockchain is a governance-friendly technology that ensures the integrity of data at all times. Although that’s a very useful trait in its own right, this feature conflicts in many ways with the GDPR provisions.

In other words, great difficulties could arise in creating a GDPR-friendly blockchain:

- It is almost impossible to change or delete the information contained within the blocks, so the essential requirement of data subjects being able to alter and delete their PII might prove challenging to develop on a blockchain.
- It’s unclear who controls data within a blockchain system, as every block is accessible to everyone on the network.
- The idea of personal data belonging to one individual on a blockchain could be problematic, as there’s no way of knowing who has access to that data.
- For a blockchain to be successful, every computer within its network needs to have a copy of the stored data, meaning that every party’s private information would be publicly available.
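To make the erasure conflict concrete, here is an added Python example (mine, not code from the original guide and not a description of Blinking’s design): a minimal hash chain in which each block carries a timestamp and the hash of the previous block, as the text describes. Erasing personal data written directly into a block breaks every later link, whereas storing only a salted hash commitment on-chain and keeping the data in a deletable off-chain store, a widely used pattern that goes beyond what the text itself covers, lets an erasure request succeed without invalidating the chain. The names Block, append_block, chain_is_valid, commitment and demo, and the sample record, are all constructed for this example.

```python
import hashlib
import json
import os
import time
from dataclasses import dataclass, asdict
from typing import Dict, List

GENESIS_LINK = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: float
    prev_hash: str   # link to the previous block
    payload: str     # whatever the block records

    def digest(self) -> str:
        # The hash covers every field, so altering any of them changes the link.
        data = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(data).hexdigest()


def append_block(chain: List[Block], payload: str) -> Block:
    prev = chain[-1].digest() if chain else GENESIS_LINK
    block = Block(len(chain), time.time(), prev, payload)
    chain.append(block)
    return block


def chain_is_valid(chain: List[Block]) -> bool:
    """Each block must point at the digest of the block before it."""
    if not chain or chain[0].prev_hash != GENESIS_LINK:
        return False
    return all(chain[i].prev_hash == chain[i - 1].digest()
               for i in range(1, len(chain)))


def commitment(pii: str, salt: bytes) -> str:
    """Salted hash recorded on-chain in place of the personal data itself."""
    return hashlib.sha256(salt + pii.encode()).hexdigest()


def demo() -> Dict[str, bool]:
    pii = "name=Ana Example;email=ana@example.test"   # constructed sample record
    # Design A: the PII is written straight into a block.
    direct: List[Block] = []
    append_block(direct, "genesis")
    append_block(direct, pii)
    append_block(direct, "audit: consent recorded")
    valid_before = chain_is_valid(direct)
    direct[1].payload = "[erased]"              # honour an erasure request in place
    valid_after = chain_is_valid(direct)        # the link from block 2 no longer matches
    # Design B: only a salted commitment goes on-chain; PII lives off-chain.
    off_chain: Dict[str, str] = {}
    c = commitment(pii, os.urandom(16))
    off_chain[c] = pii
    committed: List[Block] = []
    append_block(committed, "genesis")
    append_block(committed, c)
    del off_chain[c]                            # erasure: drop the PII (and its salt)
    return {"direct_valid_before": valid_before,
            "direct_valid_after_erase": valid_after,
            "commitment_valid_after_erase": chain_is_valid(committed),
            "pii_recoverable_after_erase": c in off_chain}
```

Without the salt, the on-chain commitment alone cannot be brute-forced back to low-entropy fields such as an email address, which is what makes the off-chain deletion meaningful.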

Enter Blinking, a multi-factor identity-management system that solves most of your GDPR problems

Blinking is a digital identity-management system that emphasizes security and shares the same end goal as the GDPR: giving individuals ultimate control over their personal information.

Blinking users are the sole owners of their identity information. They don’t have to rely on third parties to keep their data safe.

Despite all the challenges of making a GDPR-friendly blockchain system, Blinking is clear proof that such a feat is possible. Based on some clever modifications, the programmers of Blinking have not only made it possible for users to change their data on a blockchain; they’ve created a technology that allows users to delete their information entirely.

By doing so, the coders behind Blinking have created a secure, user-friendly platform that harnesses all the good aspects of a decentralized system and uses them to comply with the GDPR rules. As such, Blinking is valuable for businesses that wish to better manage the sensitive data in their possession.

Blinking complies with the GDPR by giving its users all the freedoms mandated by the recent law, all with top-level security. It provides solutions to issues with breach notifications, controlling access, deleting and moving data, and altering information. As such, Blinking provides the model for how individuals will treat their data in the future.

Use the GDPR as an opportunity to get better

When it comes to the GDPR, it’s easy to lose yourself in the implementation costs and warnings of potentially devastating fines.

But it’s important to keep some perspective. Try to see the GDPR as an opportunity to better protect your business against cyber attacks and demonstrate your dedication to both current and future clients.

After all, if everything goes as planned, the GDPR will turn out to be the most comprehensive set of statutes and corresponding legal obligations in the history of data management.

Although the process of adapting to the GDPR might seem daunting, your business has the chance to be at the forefront of one of the biggest legal changes of the decade.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Guide summary

The General Data Protection Regulation (GDPR) is a new EU statute designed to give European citizens control over how their personal data is stored and used. Often referred to as the “Digital Declaration of Rights,” the GDPR officially became enforceable on 25 May 2018.

Although the GDPR focuses on people living in the EU, this legislation actually states that any business dealing with the personal information of EU residents is affected by it regardless of size or location.

The GDPR introduced many changes to the way companies dealing with EU citizens conduct business:

Broader territorial jurisdiction

More straightforward processes of giving and withdrawing consent

Controlled access rights

Processing as the last resort

The right to be forgotten

Distinct security measures for children

Privacy by design

Privacy by default

Data Protection Officers

Data portability

Swift reactions in cases of data breaches

Penalties for regulation violations

As far as the GDPR is concerned, everything on the following list is considered to be personal information:

Photos

Email addresses

Bank details

Social media posts

Medical information

IP addresses

Sexual orientation

Any information related to religion

Biometric data

From the moment the GDPR came into effect, the law started distinguishing between data controllers and data processors. The data controller determines how and why personal data is processed; the data processor does the actual processing.

The European Council decided to enforce a tiered approach to fines for any firm found in violation of GDPR rules. Companies can be penalized up to 10 or 20 million euros (depending on the severity of their breach) or 2–4% of their annual global turnover — whichever amount is higher.

Determining noncompliance is the duty of local supervisory authorities; each EU state has an independent entity that performs these supervisory functions.

Since there’s no “one-size-fits-all” approach to preparing for the GDPR, getting adjusted to the new rules is far from simple. First and foremost, firms need to:

Get a firm grasp of the personal information in their possession.

Significantly simplify their terms of service.

Improve their processes of giving and withdrawing consent.

Organize privacy impact assessments.

Invest in state-of-the-art security technologies.

Implement simple processes for deleting information and making authorized electronic copies of data.

Data Protection Officers (DPOs) are in charge of monitoring compliance with the new GDPR rules. Depending on the kind of business you are in, hiring a DPO is either mandatory or optional. Having a DPO is obligatory for public authorities, firms engaged in large-scale systematic monitoring of customers, and companies in charge of processing sensitive data.

Many factors must be considered to even roughly estimate the cost of becoming compliant with the GDPR. An average FTSE 100 firm will face a bill of around £15 million, but this varies hugely depending on factors like the overall size of the business, the complexity of its IT systems, and what the business actually does. One thing is certain for everyone: Potential fines are much higher than the cost of implementing changes in the first place.

Although blockchain technology and the GDPR are fundamentally different on many fronts, the two share a lot of mutual ground.

Blinking is a multi-factor, blockchain-backed digital identity-management system that features two important solutions for businesses: the Blinking KYC module and the Blinking GDPR module. The KYC module is a Know-Your-Customer tool based on blockchain and Blinking’s basic architecture, which lowers operational costs for businesses involved in a trusted consortium. The GDPR module provides businesses with an out-of-the-box solution for handling their users’ or customers’ private and personal data in line with the new EU regulation.

Businesses can use Blinking to meet the GDPR’s essential requirements and ensure their customers’ data is secure, easily manageable, and used ethically.