May 25 2018 was a seminal moment in the fight for digital privacy as GDPR became enforceable across the European bloc. The new EU regulation replaces the existing Data Protection Directive, which was established before internet adoption was widespread and was doing little to protect the vast ocean of online data of European citizens.
Being a directive, the previous framework was flexible and open to regional interpretation. In stark contrast, GDPR is a regulation and sets out a series of precise requirements in order to ensure the protection of personal data. Companies found to be non-compliant are at risk of hefty fines. The maximum fine that can be imposed for the most serious infringements is 4% of annual global turnover or €20 million (whichever is greater). For less serious infringements, a fine of up to 2% of global annual turnover can apply. Either way, the threat of such significant fines has sent shockwaves through organisations of every shape and size.
At BestVPN.com, we believe that digital privacy is a fundamental human right. With state-funded mass-surveillance initiatives and multinationals collecting and analysing yottabytes of personal data, our right to privacy is under direct threat. Any legislation which protects the right to privacy must be seen as a positive step. As a result, we fully support GDPR and believe that everyone in our industry should do the same.
BestVPN.com has produced this GDPR report in an effort to increase transparency and promote positive industry-wide change.
To gain a comprehensive understanding of how VPN providers have handled the change in legislation, BestVPN.com adopted a two-phase approach to its research. First, we approached leading providers directly and asked if they’d be willing to fully document their policies and processes using a series of questions created by our third-party compliance advisers.
We then scrutinised the privacy policies and notices for each of the major providers, comparing them to the requirements stipulated in the regulation.
BestVPN.com contacted nine of the leading providers and asked them to conduct a voluntary audit of their GDPR processes and policies.
- Have you installed a data protection management system in order to ensure, and be able to prove, that your processing is in compliance with the GDPR?
- Were you able to get rid of all unnecessary user information (address, postal code, ZIP code, etc.)?
- Were you able to get rid of all unnecessary user information in any 3rd party app you use?
- What personal data is processed (e.g. name, address, telephone number, etc.)?
- Why is this personal data processed? For what purpose is it used?
- Were you able to get rid of all user data in every 3rd party software you’re not using anymore?
- Were you able to get rid of all tracker software on your website? If not, which ones are you using at the moment and why?
- Users need to be able to download all their data. Are you able to do that?
- The right to rectification: if the information is wrong or incomplete, the customer can ask for it to be changed. Do you have that option?
- Users need to be able to request removal of their entire account and their user data. Can your users do that?
- Users need to have the right to be informed about any changes in your business that can affect them and their data. Do you have a protocol for that?
- The company’s GDPR statement needs to be presented in the following documents. Can you confirm this is the case?
  - End-User License Agreement
  - Terms of Service
- How does your company categorize personal data?
- Can you confirm you have the following?
  - Data Flow Chart
  - Data Protection Policy
  - Information Security Policy
  - Acceptable Use Policy
  - Confidential Data Policy
  - Password Policy
  - Physical Security Policy
    - Who has access to server information within the organisation/outside the organisation?
    - Who authorizes such access?
  - Network Security Policy
  - Wireless Network and Guest Access Policy
  - Remote Work Policy
  - Email Policy
  - Incident Response Policy
  - A signed contract that states the policies mentioned above have been read and understood.
- Do you currently have a Data Protection Officer?
  - To whom does the Data Protection Officer report?
  - What responsibilities does the Data Protection Officer have?
- Are written agreements in place between your organisation and the data controller that outline how personal data should be processed?
- How do you check that there has been no internal unauthorized access to personal data? What data audit facilities/mechanisms are in place?
- How is personal information terminated?
  - Who authorizes termination? Who carries out termination?
- External contractors and involvement of third parties:
  - Do you engage third parties for the execution of your activities (processors)?
  - Are there clear instructions in the contract detailing what happens to the data at the end of the contract period?
  - Under the contract with the data controller, are you responsible for the destruction of the data?
  - What agreements are in place with contractors who provide shredding facilities/services?
  - Do the sub-processors used by your organisation use any other organisation to perform that service on their behalf? If so, list the organisation and any written arrangements in place with regard to the service these sub-contractors offer.
- How often do you have security audits?
- Do you have GDPR educational materials?
  - Do you have educational materials for the team?
  - Do you have separate educational materials for the customer support team that contain relevant information for customers?
GDPR isn’t just about being compliant, it’s about demonstrating that compliance to both regulators and data subjects. As a result, terms of service and privacy policies are more important now than ever before. They are the first and last line of defense. Without communicating policies to customers, organisations are failing to meet the requirements of the legislation, regardless of whether or not their data handling practices are compliant. Article 13 of GDPR states that data controllers should provide the following information:
- the data controller’s identity and contact details
- details of your data protection officer (if they are required to have one)
- the purpose and legal basis for data processing
- where the legal basis for processing is legitimate interest, what that interest is
- where the legal basis is consent, the right to withdraw consent at any time
- the existence of individual’s rights (known as data subject rights)
- with whom you will share personal data (named parties or categories of recipients)
- whether you plan to transfer data to third countries and what safeguards will exist
- how long you will keep the personal data for (or details of your retention criteria)
- the right to lodge a complaint
- if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data
Furthermore, Article 12 states that this information should be communicated in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Using Articles 12 and 13 as a template, BestVPN.com scrutinised the privacy policies of the top 14 providers in the industry, looking for the following metrics:
- Is GDPR explicitly mentioned in the policy?
- Does the policy state:
  - Who is collecting the data?
  - What data is being collected?
  - What is the legal basis for processing the data?
  - How will the information be used?
  - How long will the data be stored for?
  - What rights does the data subject have?
  - How can the data subject raise a complaint?
- Is the policy easy to find?
- Is the policy easy to understand?
- Are there terms that are in contradiction to GDPR?
Conclusion: BestVPN Analysis
Despite having more than two years to prepare for GDPR, our research suggests that the VPN industry still has some way to go before it can claim to be compliant with the new regulation. There are a number of standout providers that have implemented the policies and processes necessary to ensure compliance.
Private Internet Access, Buffered, TunnelBear and CyberGhost should be commended for their proactive approach to GDPR. Their willingness to fully document their processes and policies is a clear indication that they understand the importance of the new legislation and have chosen to openly communicate exactly what these changes mean for their customer base.
Unfortunately, our research suggests that a great many companies have failed to take the necessary measures to ensure compliance out of the gate.
It should be noted that our analysis of privacy policies and notices is just that: an analysis of privacy policies that have been made publicly available. Just because a provider has not explicitly stated a policy does not mean that it does not have one in place.
That said, GDPR guidance clearly states that these policies must be clearly communicated to the data subject. So whether or not any given policy is in place, by not communicating it within the terms of the site, many providers are failing to meet their obligations to their users.
This is a fluid situation and many companies are still working hard to ensure compliance. We will work with providers and update this page on a regular basis so that BestVPN.com readers have the most up to date information available.
Update: Comments from the industry
Private Internet Access
“Not only is GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry. We’re proud to provide the highest level of privacy for our customers.”
TunnelBear
“The GDPR is an important privacy win for the VPN space. It's going to help customers be more confident in the logging claims of their provider. At TunnelBear, our customers can use a Data Subject Access Request to download, update and delete any of their Personal Data. We've also made this feature available to all of our customers, regardless of where they're located.”
Appendix: Understanding your rights under GDPR
Right to be informed
The first important part of GDPR is the right to be informed. This part of the regulation makes it a legal requirement for firms and organizations to tell you in advance what personal data is being processed about you and why. GDPR means that there are no nasty surprises later on: all personal data must be taken with your complete foreknowledge.
As an individual, GDPR gives you the opportunity to demand to know what personal data is held on file about you by any business, non-governmental organization (NGO), or government institution (these are referred to as processors and controllers in the GDPR legislation). This is called the right of access.
So, what constitutes personal data? GDPR classifies personal data as any information about you that allows you to “be directly or indirectly identified.” Examples of personal data include your name, address, identification numbers, and location data or online identifiers such as an IP address.
The new rules mean that companies and organizations can only hold these personal details about you “for specified, explicit and legitimate purposes”. What’s more, they can only hold your data while it is directly needed for the purposes that they acquired it. They cannot process it for any secondary reasons whatsoever.
The rules are strict: if, for example, you give your CV to a company to apply for a job, the firm cannot keep that CV on file just in case another job comes up in the future. This is because that would mean storing the data for a secondary reason, which is illegal.
Pseudonymized personal data
GDPR differs from previous privacy laws such as the UK’s Data Protection Act 1998 because it includes pseudonymized data within the definition of personal data. If pseudonymized data could be used to identify an individual under any circumstances, then it qualifies as personal data.
Special category data
This is the name given by GDPR to sensitive personal information. It is a high-risk subcategory of personal data. It includes genetic data and biometrics, information about religious and political views, sexual orientation, health, race, and other sensitive details. This kind of data is subject to even more rigorous controls.
Right of access
From 25 May, firms should no longer store any of your personal data on file unless it is “necessary” for an ongoing process that you have agreed to. This is where your right of access comes in useful.
As soon as GDPR comes into effect, you can ask any organization to tell you exactly what personal data they have about you. The firm has 30 days to comply with your request.
Right to rectification
Having invoked your right of access, you will be presented with a detailed account of what personal data is held about you on file. The right to rectification allows you to make that firm update any personal data about you that is incorrect. If it is incomplete, you can ask for it to be updated. You can make a rectification request verbally or in writing, and it must be processed within 30 days.
Right to erasure
GDPR gives you the right to ask firms or organizations to delete your personal data. This part of GDPR also enshrines the “right to be forgotten,” confirming the legal basis by which individuals can ask search engines like Google to delist search results that are of detriment to the individual.
It is worth noting that the right to erasure is not absolute, so there will be cases when firms or organizations are able to keep your data even if you ask for it to be erased.
With the right to be forgotten, for example, search results may remain available to the general public if it is in the public’s best interest to be able to continue to access them. This is the case when past convictions could reasonably affect citizens’ decision-making process now or in the future.
However, as per the right to be informed, whoever is holding personal data about you will need to explain exactly why it has a compelling legal right to continue processing that data.
Right to restrict processing
In addition to asking for data to be erased, citizens can limit the processing of their data. Sometimes, people may want certain records to be kept on file because of an ongoing legal dispute, for example. In those cases, the individual can ask a firm to hold onto the data for future use, but forbid them from processing it in the meantime.
Right to portability
This allows you to easily move your personal data from one location to another, or from one firm to another. It gives individuals full control over their own data and easy access to it, without the need to keep providing and duplicating it.
Right to object
This is closely related to the rights to erasure and rectification. However, it is useful in its own right because it gives individuals the specific right “to stop their data being used for direct marketing.”
Like the right to erasure, this right is not absolute and controllers or processors of data may be able to prove they have a legitimate right to continue processing your personal data under some circumstances.
Rights relating to automated processing and profiling
Finally, GDPR gives people the right to question the use of automated systems that process their personal data. Consumers must give consent for automated processing to happen unless it is “necessary for the entry into or performance of a contract” or has been “authorised by Union or Member state law applicable to the controller.”
GDPR allows anybody to request human intervention or challenge a decision that is made by an automated system. This ensures that arbitrary biases or prejudices can always be challenged.
GDPR rights of individuals – Should you invoke them?
GDPR is outstanding privacy legislation that massively increases the rights of individuals. The rights above allow anybody to take direct control over the data that firms hold about them. If you have any reason to question a controller or processor of your data, or have concerns about how your data is being processed, you are well within your rights to ask for information.
In the event that you cannot get the data you want from a firm, a complaint should be lodged with the Information Commissioner’s Office in the UK and the European Commission within the EU. These are the bodies responsible for enforcing the new legislation.