

The Ultimate Guide to GDPR


The General Data Protection Regulation (or GDPR) is a set of rules that, simply put, changed the way that the personal information of individuals within the European Union (EU) is collected and processed.

The rules set out the principles for data management and define the rights of individuals. Needless to say, failing to apply these rules will result in enormous fines. The GDPR is obligatory for all companies that deal with European Union citizens.

The law came into force on May 25, 2018, but what exactly does it mean?

Let’s have a deeper look.

A Small Background of GDPR

In 2012, the European Commission laid the groundwork for new data protection reforms in the EU. The plans had the sole purpose of “making Europe fit for the Digital Age”. Before this, the Data Protection Directive of 1995 set only minimum standards for processing data in the EU, which put users and their sensitive information at risk.

Approximately four years later, in 2016, an agreement was reached among members of the European Union that also discussed how this law would be enforced worldwide. One of these reforms was the GDPR, which applies to companies, organizations, and individuals worldwide.

According to a statement from the vice president of the Digital Single Market, Andrus Ansip, Europe’s digital future can only be built on trust. He said that people should be in control of their personal information.

Nevertheless, this new law brought many changes, which, if not followed, would result in hefty fines. For individuals, this means more control over their sensitive data, and for businesses, it simplifies the regulatory environment.

With this being said, GDPR benefits businesses and individuals using their services. However, it’s not as simple as this, and the legislation goes way beyond this.

What is GDPR Compliance & To Whom Does It Apply?

Giving personal information is always risky, as data breaches can sometimes happen.

Personal Information

Your information can get stolen and reach the hands of people with bad intentions. But, before going further, it’s crucial to explain that under “Personal Information”, the European Commission considers “any information that relates to an identified or identifiable living individual”.

Moreover, this also covers separate pieces of information which, taken together, can lead to the identification of a particular person (name, surname, address, email address, identification number, location data, etc.).

Who Needs To Comply With GDPR?

GDPR compliance means that the organizations that collect your personal information must do so legally, following stricter rules than before.

The new legislation is rather complex. Thus, there is no “one size fits all” approach; mostly, it depends on the business or organization.

Each organization should examine what needs to be changed and upgraded in its Privacy Policy and who will be in charge (a controller) of what happens with the users’ personal information.

Those who manage this information will be obliged to protect it and respect the rights of the data owners. If they disobey, they will face substantial penalties.

But who are they?

GDPR applies to all organizations operating within the EU and to every organization outside the European Union that works with customers living within these territories. So, if you have a business in the US but it offers services globally, including in the EU, you are also bound by these rules. All these companies had a deadline and had to prepare their GDPR strategy before the law came into effect.

Two types of Data Handlers

The legislation applies to two “data handlers” types: controllers and processors. According to the EU definition, a “controller” is a natural or legal person, alone or jointly with others, who determines the purposes and means of processing personal data.

A “processor”, on the other hand, is a natural or legal person who processes personal data on the controller’s behalf. For example, if you are buying a product from an online website, the controller is the company that sells you the product. If the company uses an email automation system to email customers on its behalf, this email automation system is the processor.

Who Collects & Uses Data

When you think about it, almost every aspect of our lives somehow revolves around specific data. For example, your government, your bank, the online companies you buy services and products from, and even social media companies collect personal data. This data is not just collected, but also processed and used by them.

Besides, think about how many times you have entered your credit card number or personal address somewhere. This information could quickly get you in trouble if it weren’t for this law.

How Will GDPR Affect You?

This can be seen from two perspectives, depending on whether you are a consumer or a business owner who must comply with these new rules.

As a consumer

GDPR will give you the right to know if and when your data has been hacked. You will be notified immediately to take the needed measures to prevent additional harm. Besides, you will be informed of how your information is used and, in some cases, asked for consent. The bottom line, you, as a customer, will have more rights than before.

For companies

This means applying a set of rules or improving their existing ones when doing business with EU citizens. According to the European Commission, this new law will save €2.3 billion per year across Europe because it unifies Europe’s rules on data protection and creates new business opportunities.

Data Protection Officer

On another note, organizations must appoint a Data Protection Officer (DPO) to monitor data usage. And while it’s not mandatory for every organization, all companies that carry out large-scale processing of information will have to have someone with the skills (or more staff members) needed to be GDPR compliant.

This DPO can be one person appointed across various organizations, and there are no criteria or qualifications for choosing one.

However, according to the Information Commissioner’s Office, this person should be a professional with the right amount of experience in data protection law. In addition, not having a DPO could also result in certain fines for the organization.

What Does This Mean For VPNs?

Virtual Private Network (VPN) service providers, as companies that collect personal information from their customers, fall under this category.

VPNs collect information from the users that varies from provider to provider. Some keep less, others much more.

Nevertheless, your provider could be keeping valuable information about you, and you have every right over this information. This is why it’s so crucial for VPN providers to apply the GDPR legislation.

However, many of them do not comply with the GDPR rules.

In fact, research (on VPNs) showed that out of 83 checked providers, 46 weren’t compliant with GDPR.

The study included even some of the best VPNs in the industry. It was carried out by analyzing a few aspects of the VPN’s privacy policies. More precisely: the right to be informed (as previously mentioned), access your information, restrict processing, object, etc.

Some companies simply blocked EU citizens from their client list, as that was much easier than complying with the GDPR standards. This was also the case with some of the VPN providers. It only showed how little some providers care about their users’ personal information and rights.

VPNs to upgrade their data policies

However, this is not optional. Therefore, all VPN companies that offer services to EU citizens (and this is pretty much all of the providers) have to upgrade their data policies. They can no longer collect and use their users’ personal data as they wish; if they do, the penalties will be enormous.

What Will Be the Penalties?

If an organization fails to comply with the new GDPR rules, it can get a fine ranging from 10 million euros to 4 percent of its total annual turnover. This figure could go up to billions of euros, depending on the severity of the breach.

Mishandling personal data can result in “lower” fines, from 10 million euros to two percent of the company’s whole annual turnover. This includes failing to report a data breach, failing to ensure the users’ data protection, etc.

The maximum penalty of 20 million dollars, or, as mentioned before, 4 percent of the company’s total annual turnover (whichever is bigger), will be charged to companies that transfer this personal data without the user’s authorization or that ignore the users’ requests for accessing their data.

With such penalties, complying with the GDPR is in the interest of both companies and consumers.

A Quick Sum Up

Bottom line, before May 2018, when GDPR came into force, companies emailed their customers to inform them about changes made due to the new legislation. Each and every one of us has received this mail at least once. It’s the boring “We changed our Privacy Policy” mail that kept spamming our inbox for a few weeks before the EU law came into force.

But, the thing is that while often disregarded by users, these emails are crucial for us and for the way our personal information is treated by companies. Unfortunately, many people were unaware of the danger they faced before this new law.

So, if you are an EU citizen, we encourage you to pay attention to your emails.

When it comes to VPN users or potential customers, ensure that the service provider you will use from now on has a GDPR-compatible Privacy Policy. Otherwise, you will never be entirely sure how your personal information might be misused, thus putting you in danger.