What Is GDPR and What it Means For VPN Providers (and Users)

There are about 4.57 billion internet users today. This massive internet use seems to come with increased online security issues. This has then created the need to have online privacy and security. Enter GDPR. Here, learn all about this new entrant and its implication on VPN providers.

What Is GDPR?

The General Data Protection Regulation (GDPR) came into effect in May 2018. This was after the European Union recognized that there were gaps in the existing online protection laws. 

The EU then decided to revise and update these laws to regulate and protect civilians’ and governments’ interests. 

After coming into effect, the GDPR affects all organizations that share, log, or store personal information of users in Europe. 

Any company that fails to comply can then be penalized with stiff fines of up to 20 million euros. 

What Is Contained in The new Regulations?

Understanding the GDPR can be an uphill task. Here is a breakdown of its main stipulations. 

Fair, lawful and transparent processing of information

Companies processing personal data must do so in a fair, transparent, and lawful manner.

This means;

  • lawful means all data processes must be for legitimate purposes
  • Fairness requires that companies not use collected data for any other purposes outside the stipulated legitimate purposes
  • transparency means that a company must be forthcoming to users about its processing activities on provided data

Data subject rights

Subjects whose data is collected have the right to inquire about the information a company has on them, as well as what it intends to do with that information. 

This aside, data subjects can also ask for information to be corrected, lodge complaints, prohibit their data from being processed, and even request their data to be deleted. 

Limitations of purpose, data, and storage

Aside from limiting processing, companies are also expected to collect necessary data and discard personal data once it completes processing. 

For this to happen, the regulations:

  • Prohibit prohibited data outside legitimate purposes
  • Restrict the collection of data outside only what is necessary
  • Mandate that collected data be deleted once its legitimate purpose has been fulfilled


Suppose a company ever intends to use collected data for reasons outside the legitimate purpose. In that case, consent must be obtained from data subjects. 

This authorization must be clear and explicit. Once granted, the consent should be documented. Conversely, data subjects will have the right to withdraw consent at any point. 

For children under the age of 16, consent can only come from guardians or parents. 

Personal data breaches

If a data breach does occur, several steps must be taken.

Among the first steps will be informing the data protection officer. After this, data subjects should, depending on severity, be reported within 72 hours. 

Measures should then be taken to limit the risk of further unauthorized access. 

Data protection impact assessment

Upon initiating a new project or product, organizations must evaluate the impact of such changes by initiating a Data Protection Impact Assessment. 

The Data Protection Impact Assessment must be carried out every time some changes affect how an organization processes personal data. 

Data transfers

Companies that collect personal information have the responsibility to ensure all data is protected. They are also mandated to ensure GDPR guidelines are adhered to. 

This has to be the case even if a third party is doing a company’s data processing.

Data controllers must virtually ensure the protection and privacy of subject data even if it is transferred to a third party or a different entity within the same organization.  

Data protection officer

Whenever a company has a significant amount of personal data to process, it must have a data protection officer.

Once in office, the data protection officer assumes the responsibility of helping their employer navigate EU GDPR compliance.

Awareness and training

Awareness and training geared towards bringing all employees on board regarding data protection and privacy. For this to happen, originations are required to create awareness among its employees. 

This is through regular training. These should not only discuss the GDPR but also make employees aware of their responsibilities regarding the protection of data. 

Training should also help employees recognize personal data breaches in a good time. This is one way for organizations to mitigate exposure. 

The Link between GDPR and VPN 

All companies that hold data from European subjects must comply with GDPR. This includes Virtual Private Network (VPN) providers.

Its thought that VPN providers keep data. Cyber laws in China, Dubai, and even the U.S make it mandatory for VPN providers to keep user logs. 

Indeed, every VPN needs logs. Without them, these providers would not have user records. They need this information to be able to provide their clients with relevant services.

There are two types of logs:

  • Connection logs 

These are more superficial details provided by users once they sign up for VPN services. 

These details include the name and an email address to receive communication and aid them when resetting passwords. 

This information is provided consensually. However, users cannot access premium information without first providing this information. 

  • Activity logs

With activity logs, every action you take online is logged by the VPN provider. The debate around VPN’s lie therein. 

Users get VPN’s for privacy, but activity logs do just the opposite. 

How GDRP Will Affect VPN Providers

For the longest time, VPN’s had had a bad reputation for keeping logs, even when their marketing teams claimed they did not. 

At times, VPN’s do not necessarily want to keep logs; the governments and authorities they operate in mandate them to do so. 

GDPR will change this for good. 

GDPR will change this for good, for both VPN providers and users. With these new guidelines, VPN providers must safeguard a user’s security. 

Similarly, when VPN providers claim not to have any logs, users will trust this information as accurate across all VPN providers, not just a select few. 

If they go against their claims, they can be held liable and huge fines imposed on them under GDPR. 

Besides this, a VPN provider must seek user consent before sharing any user data to a third party. Users are also at liberty to request to view any information held about them, edit the same, and even request that their data be deleted. 

Final Word

GDRP has mostly been seen as a positive step towards ensuring online privacy and safety for users. 

Not just that, but it also controls how data is collected, how much of it can be managed, and how it can be used and shared. 

It will be critical for netizens to understand these guidelines and align themselves with companies that have adopted the GDRP guidelines. 

Read Our Blog

Simplify remote backup & ransomware protection


Protect your business from malware that encrypts, or locks, valuable digital files and demands a ransom to release them.


Learn about Data protection and availability across leading cloud platforms.

Software-Defined Storage

We offer greater flexibility and choice, better economics and enterprise-class service levels.

Software-Defined Storage

We offer greater flexibility and choice, better economics and enterprise-class service levels.