Ensuring the safety and security of the data that passes through our email, calendar, and contacts API has always been a foundational principle at Nylas. Mailbox data by nature contains highly sensitive, personally identifiable information (PII), and the handling, processing, and management of this data needs to be regulated closely. To date, the Data Protection Act has played a big role in protecting personal data throughout the EU, but there’s about to be a new sheriff in town: the General Data Protection Regulation (GDPR).
In this article, we’ll review GDPR and how Nylas works to uphold all of our data to the highest security standards, including GDPR compliance.
An Overview of the EU General Data Protection Rule
On May 25, 2018, the EU’s sweeping new GDPR goes into effect and it impacts more than just companies based in the EU. GDPR applies to non-EU based companies like Nylas that provide services to EU customers or where personal data is obtained in the EU and transferred outside of the EU.
What qualifies as Personal Data?
The GDPR definition of personal data is one that is ever-expanding and is deliberately very inclusive. Personal Data includes a person’s name, location data, and more.
The GDPR carves out higher protections for "Sensitive Personal Data" which includes information regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health.
What are Nylas’s Obligations Under GDPR?
There are two main parties that are responsible for GDPR compliance:
- Data Processors (Nylas): A data processor is a person, company, agency or other body which processes personal data on behalf of the controller. For example, the Nylas API enables two-way email sync for our customers and their end-users - this process qualifies as “data processing.”
- Data Controllers: (Nylas’s customers -- customer relationship management software, applicant tracking systems, productivity software, etc): Controllers are a person, company, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. All compliance requests from data subjects are first vetted by data controllers.
As a data processor, Nylas is responsible for the following:
As a data processor, Nylas complies with GDPRs “right to be forgotten”, which means that users have the right to delete all of their stored data (e.g. email, calendar, and contact data) with Nylas. The data deletion happens as soon as possible, no later than 30 days after the request is sent.
Users can download a copy of the data (email, calendar, contacts info) that has been processed through Nylas in a machine readable format.
In the unlikely event of a breach, Nylas will notify our customers as quickly as possible - no later than 72 hours after a breach takes place.
How Does Nylas Ensure It Maintains GDPR Compliance?
As our product evolves, we always take data privacy into account. Where possible, we use pseudonyms to protect personal data and we take other measures to minimize the amount of data we process while we aim to achieve compliance with data processing rules.
What About US Privacy Laws?
In the US, there is no single comprehensive federal law that rivals the GDPR and protects personal data. Instead there are a number of federal laws that cover particular pieces of information, such as:
- The Federal Trade Commission Act (“FTC Act”) is a federal consumer protection law that prohibits unfair and deceptive practices. More recently, the FTC Act has been applied by the Federal Trade Commission in enforcement cases against companies for failing to comply with their data privacy policies and unauthorized disclosure of personal data;
- The Children’s Online Privacy Protection Act, also enforced by the FTC, applies to the online collection of information from children;
- Banks and other financial institutions are subject to Regulation P, Regulation S-P and Regulation S-ID which limit how consumer information is shared among affiliates and service providers, require disclosure of how information is shared, allow consumers to opt out of sharing and set standards for destruction of consumer information;
- The Health Insurance Portability and Accountability Act regulates the privacy of medical information. Specifically, the Act includes requirements for sharing, collecting, transmitting and protecting medical information; and,
- The Electronic Communications Privacy Act, which regulates the interception of electronic communications and computer tampering.
In addition to the federal laws, all 50 states have enacted laws which require notification of security breaches involving personal data and others have enacted more stringent cybersecurity regulations. Nylas closely monitors this changing regulatory landscape and ensures that it complies with all applicable laws.
Succeeding with GDPR
At the end of the day, GDPR is all about putting people’s privacy first. At Nylas, we’re all about helping the world communicate with context and insight -- and we’re excited to continue to provide the best, most secure API for our customers and their end-users while giving privacy the prominence it deserves.