Naylor’s Guidance on GDPR Compliance
Naylor takes privacy concerns surrounding our use of personal data seriously.
Discover answers to frequently asked questions about the steps we take to safeguard individuals’ data and stay in compliance with the European Union’s General Data Protection Regulations (GDPR).
What is GDPR?
GDPR is a new comprehensive data protection law that replaces existing EU laws to strengthen the protection of “personal data.” It replaces the current patchwork of national data protection laws in Europe with a single set of rules directly enforceable in each EU member state. GDPR takes effect on May 25, 2018. Although EU member states have some flexibility to implement laws and regulations in certain areas permitted by GDPR, GDPR will generally streamline current data protection laws, enhancing the protections guaranteed to individuals and providing clarity to companies required to comply. GDPR applies to organizations both inside and outside of the EU that are processing the personal data of individuals in the EU. Companies, associations, and other organizations that fail to comply could face fines of up to the greater of €20,000,000 or 4% of worldwide annual revenues.
What is personal data?
GDPR broadly defines “personal data” to mean any information that could be used to identify an individual, including names, business email addresses, and account numbers. GDPR also clarifies that location data and online identifiers, such as IP addresses, are personal data.
What does GDPR require?
GDPR imposes new rules around how European personal data may be handled, including in relation to concepts of consent, transparency, profiling, recordkeeping, data breach notification, and individuals’ rights when it comes to how their data is used. Individuals’ rights include the right of an individual to request access to data about himself or herself held by an organization; to restrict the way such individual’s data is used; and, in certain circumstances, to require the deletion of such data. GDPR also requires organizations to carry out “data protection impact assessments” identifying the impact of proposed processing operations if the processing is likely to pose a “high risk” to individuals. It is important to note that GDPR includes certain principles about the technical and organizational measures that companies must have in place, but it does not include specific or prescriptive requirements implementing such principles.
Does GDPR require the personal data of individuals in the EU to stay in the EU?
No. Companies may transfer the personal data of individuals in the EU outside of the EU if they have a valid mechanism in place to adequately protect the data transfer. Those mechanisms include, for example, Standard Contractual Clauses approved by the European Commission and, for transfers to the U.S., registration under the EU‐US Privacy Shield Framework Principles.
How does GDPR apply to Naylor?
As a company providing services to professional and trade associations that have members around the world, Naylor processes the personal data of persons in the EU when it provides its services to associations with employees and members in the EU. GDPR has different requirements depending upon whether a company is a “controller” or a “processor” of the applicable personal data. Naylor will be a controller of the personal data that it collects on its own behalf, including of its customers located in the EU. Naylor generally will be a processor of personal data that it handles on behalf of its association customers, which are the controllers of that personal data.
How does GDPR affect the services Naylor provides my association?
Many of our products and services already have measures in place that address the GDPR’s requirements, and we are working to implement additional measures so we and our members can meet the GDPR’s requirements. If you are looking for information on specific measures we have incorporated into our products in preparation for GDPR, read our approach to GDPR and answers to our frequently asked questions about the regulations.
What if we think GDPR applies to the services we receive from Naylor?
Naylor has developed a standard contract addendum that describes how its services will address the requirements for data processors set forth in the GDPR. If you believe that the services Naylor provides you involve the processing of personal data from the EU, please contact us to request a copy of our GDPR data processing agreement.