In 2016, with the objective of protecting the privacy of European users’ data, the General Data Protection Regulation (GDPR) was published – and it comes into force on May 25th, 2018. This decision made by the European Union will impact the entire world, and companies need to be prepared.
What is GDPR?
GDPR is a set of rules that must be adopted by all companies which operate using data from European citizens.
Why was GDPR created?
When it comes to users’ personal data, there is a lot of concern about how it should be protected. To address this, the EU-GDPR was established to watch over the freedoms and rights of users.
Are these standards restricted to Europe?
Every business that collects or processes data in Europe is required to conform to these standards. This includes market giants such as Amazon, Google, Facebook and Adobe: since they operate in Europe, they will be required to comply, which in turn will push other companies to adopt GDPR standards as well. In other words, the standards that were born in Europe will become a reference for good practices around the globe.
What is the role of anyone involved with GDPR?
| Users | Controller | Data Processor |
| --- | --- | --- |
| Users will have the right to access, edit and/or delete their data. | If you work with data usage, this directly impacts your business. If you operate in Europe, you are obliged to follow such regulations and make them explicit in your privacy policy. If not, it is prudent to use such regulations as a guide to good practices. | As Data Processor, Navegg’s role is to follow the GDPR guidelines that apply. In addition, Navegg is a partner of its customers in this adaptation, offering information and technology. |
In a tweet: what do the GDPR standards say?
The GDPR standards detail the rights of users, ensuring access to and the right to edit their data.
What do the GDPR standards say?
The entire regulation contains 11 chapters, which are available on the GDPR website. The main points of GDPR are listed below.
- Provide the identity and contact details of the controller*;
- Provide the contact details of the data protection company**, if any;
- Detail the motives for data processing and the legal basis for this;
- List the recipients of the data (or categories of recipients), if any;
- Cite the period for which the personal data will be stored or – if this is not possible – the criteria used to determine this period;
- Explain the possible consequences for the lack of data provision;
- Detail the source of the data, if it came from a public source and wasn’t collected directly from the user;
- Grant the user the right to rectify their data;
- Grant the user the right to withdraw consent to processing of their data at any time;
- Collecting sensitive data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sexual orientation) is permitted only when processing is necessary for preventive or occupational medicine purposes, for the assessment of the working capacity of the employee, medical diagnosis, health or social care delivery, or treatment or the management of health and social care systems and services, on the basis of Union or Member State law or by contract with a health professional.
- The processing of a child’s data is legal when the child is at least 16 years old. In cases where the child is less than 16 years of age, processing shall be lawful only if and to the extent that consent is given or authorized by a parent or legal guardian of the child, provided that the child is not under the age of 13.
*The controller is the company that determines the purposes and means of data processing.
**The data protection company is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
Navegg and GDPR
Navegg has always been concerned with following good market practices and will incorporate GDPR as a reference. In fact, many of the points addressed by GDPR have already been adopted by Navegg. Check below to see which points have already been adopted and how Navegg is adapting to those which had not.
1. Provide the identity and contact details of the controller*;
2. Provide the contact details of the data protection company**, if any;
3. Detail the motives for data processing and the legal basis for this;
4. List the recipients of the data (or categories of recipients), if any;
5. Cite the period for which the data will be stored or – if this is not possible – the criteria used to determine this period;
6. Explain the possible consequences for the lack of data provision;
7. Detail the source of the data, if it came from a public source and wasn’t collected directly from the user;
From the very beginning, Navegg’s privacy policy has included the information of points 1, 3, 4, 5, 6 and 7. Point 2 is the responsibility of our clients: they must cite us in their privacy policies.
8. Grant the user the right to rectify their data;
From the outset, Navegg has made the Your Profile page available on Navegg’s Network so that users can see how they are being classified by Navegg and, for 9 years, the Edit Your Profile page so that the information contained therein can be edited.
9. Grant the user the right to withdraw consent to processing of their personal data at any time;
Just as Navegg provides a plug-in to include the opt-in on your site, the Opt-out page has been available from the outset to users who wish to opt out of Navegg as well.
10. Collecting sensitive data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sexual orientation) is permitted only when processing is necessary for preventive or occupational medicine purposes, for the assessment of the working capacity of the employee, medical diagnosis, health or social care delivery, or treatment or the management of health and social care systems and services, on the basis of Union or Member State law or by contract with a health professional.
From the beginning of our operations, and as explained in our privacy policy, Navegg does not store or collect sensitive data.
11. The processing of a child’s personal data is legal when the child is at least 16 years old. In cases where the child is less than 16 years of age, processing shall be lawful only if and to the extent that consent is given or authorized by a parent or legal guardian of the child, provided that the child is not under the age of 13.
Navegg doesn’t collect personal data. Besides, there was a good practice in the market that allowed the collection of data from adolescents between 13 and 16 years old. However, since the GDPR decision, this category has been withdrawn and only those over 18 have their data collected by Navegg. See the example from Navegg’s dashboard demographic tab after this update.
How to create a standards-compliant data strategy?
Companies operating in Europe that do not comply with the regulations will be fined. The minimum penalty is as high as 10 million euros or 2% of overall turnover. On the other hand, companies that do not operate in Europe will not be fined. However, they put their reputation at risk. In fact, regardless of where a company operates, a stain on its reputation must be a concern for all, and this may carry a much higher price than the fine itself.
Navegg completes 10 years of operation and of concern with market best practices. That’s why it is the ideal partner to create a standards-compliant data strategy and to help you understand and adapt to market developments.
If you have any doubt about GDPR, please count on us and write to [email protected]