Beginners Guide to GDPR Compliance in 2020

Written by Jack Foster. Last updated October 1, 2020.

What is GDPR?

By now you’ve probably all heard the term GDPR. Up until 25th May 2018 the guidelines surrounding personal information, in relation to privacy, were a bit wishy-washy. The Data Protection Directive (1995) did provide some basic guidelines but it simply wasn’t good enough.

We’ve always taken a keen interest in GDPR, as many of the VPNs we’ve reviewed have had to make serious changes to the way they operate, including some of the major players like Avast and NordVPN.

The monitoring and sharing of information is now covered under the General Data Protection Regulation (GDPR). This aims to ensure that information is handled responsibly, by any company that deals with personal information and privacy.

According to the ICO, there are 7 key principles that GDPR sets out. These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles outlined aren’t rules as such, but more an outline of fundamentals that should be followed when creating good data protection practice. If individuals or companies fail to comply with the principles, they could be fined up to €20 million, or 4% of their total worldwide annual turnover (whichever is higher).

What was before GDPR?

GDPR is applied throughout Europe, with each country having its own amount of control regarding certain aspects of the regulation. The U.K. has implemented the Data Protection Act (2018), which replaces the 1998 Data Protection Act.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be branded as a ‘controller’ or ‘processor’ of personal data. The Information Commissioner’s Office (ICO) outlines exactly what the difference is between controllers and processors.

Businesses that monitor or obtain personal information on a large scale should employ a Data Protection Officer (DPO). The officer’s role is to ensure that the company in question complies with GDPR. Any questions or queries regarding data protection should be directed to them.

GDPR applies to businesses that process personal data of EU citizens. This is the case even with businesses that employ fewer than 250 employees. As previously mentioned, any breach which could impact the rights of data subjects should be reported to the Information Commissioner’s Office (ICO).

If possible, a breach should be logged and reported within a 24-hour period, or 72 hours at the most. Details of the breach and how it is going to be contained and resolved must be outlined to the ICO.

GDPR will give individuals control over how businesses use their data. This also applies to businesses that already have your data. For example, individuals will have the ‘right to be forgotten’. So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to retract your data.

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should consider past and present employees, suppliers, and customers. It should also consider anyone’s data that you’re processing, collecting, storing, recording, or using by any means.

1| Understand your data

You will need to understand, and demonstrate your understanding of, the types of personal data you and/or your business holds. For example, names, addresses, IP addresses, bank details, etc. This also includes sensitive data like religious views and health details. You’ll need to demonstrate that you understand where the data comes from and how you will be using it.

2| Think about consent

Does your business require consent to process personal data? Some marketing techniques require consent, which makes things much more difficult under GDPR. Consent must be extremely clear and specific, so unless you 100% know what you’re doing, it may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

The security measures and policies that you have in place must be updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should get them pretty quickly! Although there are more specific demands regarding security, as a broad precaution, you could use encryption.

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe if necessary. Individuals may wish to obtain their personal data in order to rectify any issues, simply to have it, or they may wish to erase it altogether. All requests carry a timeframe of one month.

5| Train employees

Employees within your business should be trained in personal data. They will need to understand what constitutes personal data, as well as the processes for identifying any data breaches. Employees should be aware of who your Data Protection Officer (DPO) is, and of any team or individuals related to or responsible for data protection compliance.

6| Supply chain

All suppliers and contractors within your business need to be GDPR compliant. This is to ensure that they are not going to cause any breaches and pass any penalties or fines onto you. You will need to make sure that your contracts with your suppliers are updated too, so make sure you obtain a copy of this.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to employ a DPO or not. Small businesses are likely to be exempt, but larger businesses may not. It’s worth checking out to make sure you’re not in breach of any GDPR rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters etc. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data. Now, gone are the days of being bombarded by unwanted marketing emails and random phone calls.

Consent has been redefined under the new GDPR rules. Gone are the days of small print and hidden messages where individuals ‘accidentally’ or involuntarily sign up to marketing emails, texts, etc. Policies must be made abundantly clear now and be presented in such a manner.

Rules around pre-existing personal data are a little different. You may not require consent for this, but there must be a legal basis that’s compliant with the Data Protection Act (DPA). The main thing to remember here is that this legislation applies to businesses and consumers!

Right of Access

Right of access (or subject access) allows an individual the right to obtain their own personal data. Right of access gives individuals the ability to understand how their data is being used and why their data is being used in such a way. This ensures that their data is being used in a lawful manner.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual, as we know, is entitled to their own personal data. However, they are not entitled to information about other people. On the other hand, if the information they are trying to obtain is about them as well as someone else, this is acceptable.

As an individual, it’s recommended that you ascertain whether the information you’re requesting is defined as personal data or not. You can check to see what’s classed as personal data (to be sure) here.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? Data processors carry out operations on data, such as when data is stored, collected, recorded, shared, etc. Data controllers are also data processors, the difference being that they decide what the purpose or reason for the data processing activities actually is.

Data Processors

As a data processor, there are legal obligations that GDPR requires you to meet:

  • Keep and maintain up-to-date personal data records. This includes outlining the details of processing activities and data subject categories. Categories refer to customers, employees, suppliers, and the types of processing – transferring, receiving, disclosing etc.
  • Keep and maintain details of transfer to countries that are outside of the European Economic Area (EEA)
  • Implement and maintain security measures that are appropriate, e.g. encryption

If a data processor is responsible for a data breach, they will have a lot more legal liability than under the DPA. Individuals can make a direct claim against the data processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller, you are by nature a data processor too. The same GDPR requirements therefore apply. However, the GDPR obligations are placed on you and your business to ensure that contracts with processors are compliant and standards are met.
