The Ultimate Guide to GDPR

GDPR for business

The General Data Protection Regulation (or GDPR) is a set of rules that, simply put, changed the way the personal information of individuals within the European Union (EU) is collected and processed.

It sets out the principles for data management by defining the rights of individuals. Needless to say, not applying these rules will result in enormous fines. The GDPR is obligatory for all companies that in any way deal with European Union citizens.

The law came into force on May 25, 2018, but what exactly does it mean?

Let’s have a deeper look.

A Small Background of GDPR

Back in 2012, the European Commission set up the grounds for establishing the new reforms for data protection in the EU. The plans that were made had the sole purpose of “making Europe fit for the Digital Age”. Before this, the Data Protection Directive of 1995 set only minimum standards for processing data in the EU. This put users and their sensitive information at risk.

Approximately four years later, in 2016, an agreement was reached among members of the European Union that also covered how this law would be enforced around the globe. One of these reforms was the GDPR, which applies to companies, organizations, and individuals across the world.

According to a statement from the vice-president of the Digital Single Market, Andrus Ansip, Europe’s digital future can only be built on trust. He went on by saying that people should be in control of their personal information.

Nevertheless, this new law introduced many changes which, if not followed, would result in large fines. For individuals, this means more control over their sensitive data; for businesses, it simplified the regulatory environment.

With this being said, GDPR is beneficial both for businesses and for the individuals using their services. However, it’s not as simple as this, and the legislation goes well beyond this.

What is GDPR Compliance & To Whom Does It Apply?

Giving personal information is always a risky move, as data breaches can sometimes happen.

Personal Information

Your information can get stolen and reach the hands of people with bad intentions. But, before going further, it’s crucial to explain that under “Personal Information” the European Commission considers “any information that relates to an identified or identifiable living individual”.

Moreover, this also covers different pieces of information which, collected together, can lead to the identification of a particular person (name, surname, address, email address, identification number, location data, etc.).

Who Needs To Comply With GDPR?

GDPR compliance means that organizations which accumulate your personal information must collect it legally, following stricter rules than before.

The new legislation is rather complex, thus there is no “one size fits all” approach. Mostly, it depends on the business/organization.

Each organization should examine what needs to be changed and upgraded in its Privacy Policy and who will be in charge (a controller) of what happens with the users’ personal information.

Those who manage this information will be obliged to protect it and respect the rights of the data owners. If they disobey, they will face strong penalties.

But who are they?

GDPR applies to all organizations operating within the EU, and to every other organization outside the European Union that works with customers living within these territories. So, if you have a business in the US, but it offers services on a global level, including in the EU, then you are also bound by these rules. All these companies had a deadline and had to prepare their GDPR strategy before the law came into effect.

Two types of Data Handlers

The legislation applies to two types of “data handlers”: controllers and processors. According to the EU definition, a “controller” is the natural or legal person that, alone or jointly with others, determines the purposes and means of processing the personal data.

A “processor”, on the other hand, is a natural or legal person that processes personal data on the controller’s behalf. For example, if you are buying a product from an online website, the company that’s selling you the product is the controller. If the company uses an email automation system to email customers on its behalf, then this email automation system is the processor.

Who Collects & Uses Data

When you think about it, almost every aspect of our lives somehow revolves around certain data. For example, your government, your bank, the online companies you buy services and products from, or even social media companies, all collect personal data. And not just collect: this data is also processed and used by them.

Besides, think about how many times you have entered your credit card number or personal address somewhere. If it weren’t for this law, this information could easily put you in trouble.

How Will GDPR Affect You?

This can be seen from two perspectives: that of a consumer, or that of a business owner who must comply with these new rules.

As a consumer

GDPR will provide you with the right to know if and when your data has been hacked. You will be notified immediately in order to take the needed measures to prevent additional harm. Besides, you will be informed of how your information is being used, and in some cases asked for consent. Bottom line, you, as a customer, will have more rights than before.

For companies

This means applying a set of new rules, or improving their existing ones, when doing business with EU citizens. According to the European Commission, this new law will save €2.3 billion per year across Europe, because it unifies Europe’s rules on data protection and creates new business opportunities.

Data Protection Officer

On another note, organizations will also have to appoint a Data Protection Officer (DPO), who will monitor the data usage. And while it’s not mandatory for every company, all companies that carry out large-scale processing of information will need someone with the skills (or more staff members) required for the company to be GDPR compliant.

This DPO can be one person appointed across various organizations, and there are no criteria or qualifications for choosing one.

However, according to the Information Commissioner’s Office, this person should be a professional and have the right amount of experience in data protection law. Not having a DPO could also result in certain fines for the organizations.

What Does This Mean For VPNs?

Virtual Private Network (VPN) service providers, as companies that collect personal information from their customers, fall under this category.

VPNs collect information from the users that varies from provider to provider. Some keep less, others much more.

Nevertheless, your provider could be holding valuable information about you, and you have every right over this information. This is why it’s so crucial for VPN providers to apply the GDPR legislation.

However, a large number of them do not comply with the GDPR rules.

In fact, a study of VPN providers showed that out of 83 checked providers, 46 were not compliant with GDPR.

The research included even some of the best VPNs in the industry. It was carried out by analyzing a few aspects of the VPNs’ privacy policies. More precisely: the right to be informed (as previously mentioned), the right to access your information, the right to restrict processing, the right to object, etc.

Some companies simply blocked EU citizens from their client list, as this was much easier for them than complying with the GDPR standards. This was also the case with some of the VPN providers. It only showed just how little some providers care about their users’ personal information and rights.

VPNs to upgrade their data policies

However, this is not optional; sooner or later, all VPN companies that offer services to EU citizens (and this is pretty much all of the providers) have to upgrade their data policies. They can no longer collect and use their users’ personal data as they wish, and if they do, the penalties will be enormous.

What Will Be the Penalties?

If an organization fails to comply with the new GDPR rules, it can get a fine ranging from 10 million euros up to 4 percent of the company’s total annual turnover. This figure could go up to billions of euros, depending on the severity of the breach.

Mishandling personal data can result in “lower” fines, from 10 million euros to two percent of the company’s whole annual turnover. This includes failure to report a data breach, failure to ensure the users’ data protection, etc.

The maximum penalty of 20 million dollars, or, as mentioned before, 4 percent of the company’s total annual turnover (whichever is bigger), will be charged to companies that transfer personal data without the user’s authorization, or that ignore users’ requests to access their data.

Overall, with such penalties, complying with the GDPR is good both for companies and consumers.

A Quick Sum Up

Bottom line, prior to May 2018, when GDPR came into force, companies were sending out emails to their customers to inform them about changes made due to the new legislation. Each and every one of us has received this email at least once. It’s the boring “We changed our Privacy Policy” email that kept spamming our inboxes for a few weeks before the EU law came into force.

But the thing is that, while often disregarded by users, these emails are crucial for us and for the way our personal information is treated by companies. Many people are unaware of the danger they are in, or were in, prior to this new law.

So, if you are a citizen of the EU, we encourage you to pay attention to your emails.

When it comes to VPN users or potential customers, make sure that the service provider that you are going to use from now on has a GDPR compatible Privacy Policy. Otherwise, you will never be entirely sure how your personal information might be misused, thus putting you in danger.
