What is the General Data Protection Regulation (GDPR) and do I need to be concerned about it?

The GDPR is the European Union’s privacy law, which became operative in 2016. It protects the personal data of people in the EU and can apply to companies in and out of the EU. The GDPR applies to controllers and processors. Under the GDPR, a controller determines the purposes and means of personal data processing whereas a processor processes personal data on behalf of the controller. For example, an entity that collects EU personal data to subscribe individuals to a newsletter is a controller. If the controller discloses the personal data to a service provider such as Novi, Novi likely is its processor.

How do I know if I have obligations under the GDPR?

The GDPR applies to entities that process personal data of people in the EU and:

  • are located in the EU;
  • offer goods and services to people in the EU; or
  • monitor the behavior (i.e., profile) of people in the EU.

Is Novi ready to help its customers comply with the GDPR?

Yes. Novi is not subject to the GDPR, but we are ready to help our customers who are. If you are a Novi customer and subject to the GDPR, please provide Novi with your Data Processing Agreement (“DPA”) here.

How has Novi prepared to help its customers comply with the GDPR?

We have adopted the following privacy and security measures:

  • Only processing personal data according to the controller's instructions

    Novi only processes data on behalf of its customers. For example, we do not sell any customer data or de-identify customer data for our own internal uses.

  • Vetting subprocessors

    When Novi uses sub-processors such as a cloud services provider, we only choose providers that understand and are capable of complying with GDPR obligations, such as Microsoft Azure.

  • Technical and organizational measures to secure personal data

    Novi has implemented a multi-level security plan to secure our systems & protect your personal data. Personal data is always encrypted in transit and is never shared outside of individuals authorized by association staff. Novi's platform is PCI compliant for all financial transactions and personal information such as credit card numbers never touch Novi servers. Novi voluntarily submits to a yearly penetration testing and security review of our systems organized by Intuit. In addition, Novi regularly monitors its systems for any suspicious activities and is able to react proactively to any identified threats. Learn more about Novi's security measures.

  • Data breach notification

    Novi has formal incident detection and response procedures. We will notify customers quickly if we confirm that there has been unauthorized access to their data.

  • DPIAs & Responses

    For each customer for whom Novi has signed a DPA, Novi will help customers with their obligation to perform a Data Protection Impact Assessment (DPIA) and respond to EU authorities.