The information offered on this page is not legal advice. NationBuilder is providing general information about GDPR and about the steps we have taken in preparation for GDPR. Even if some of this information is about regulatory requirements, it is not the same as legal advice, where an attorney applies the law to your specific facts and circumstances. Please be sure to consult with an attorney about specific compliance requirements for you and your organisation.
What is GDPR?
In April 2016, the European Commission (EC) approved and adopted the General Data Protection Regulation (GDPR), which replaces the 1995 EU Data Protection Directive and standardizes data protection law across the EU countries. The GDPR went into effect on May 25, 2018.
Who does GDPR apply to?
GDPR applies to all organizations processing the “personal data” of EU residents, regardless of whether the organization is operating in the EU. GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This definition includes a wide range of personal identifiers, such as name, identification number, location information, and online identifiers. “Personal data” as defined by GDPR is notably much broader than the terms used in other data protection regulations, such as “sensitive information” or “personally identifiable information.”
When did GDPR become applicable?
May 25, 2018.
What if my business is not in the EU but I do business with EU companies?
You may still have to comply with the GDPR. The Regulation applies to non-EU organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.
Can personal data continue to be processed outside of the EU?
Yes. The GDPR places restrictions on the transfer of personal data to countries outside of the European Economic Area, but such transfers are still possible if they follow the requirements of the GDPR. NationBuilder complies with those requirements by maintaining its certification under the US-EU Privacy Shield.
My organisation is based in the UK. With Brexit happening, does GDPR still apply to my organisation?
The UK’s decision to leave the EU did not affect the implementation of the GDPR. After the UK exits the EU, UK organisations processing the personal data of residents of other EU countries will have to continue to comply with GDPR. If a UK organisation’s activities are limited to processing the personal data of UK residents, its compliance requirements will be determined by the regulatory scheme put in place by the UK government after the UK exits the EU. It is expected that such legislation will largely follow the GDPR.
Where can I find more guidance about the GDPR and its requirements?
What did NationBuilder do in preparation for GDPR?
One of NationBuilder’s core tenets has always been that our customers own and manage their own data. With that comes a responsibility to provide tools that help our customers ensure that their data is protected and secure, which includes complying with applicable regulations. To that end, we have always prioritized robust compliance, data protection, and security practices.
In anticipation of the GDPR, we analyzed our product and practices to determine any updates that were needed. We then made the following changes:
- Data Processing Addendum (DPA): We updated the Data Processing Addendum to our Master Terms of Service. The DPA sets out the respective roles of NationBuilder and our customers regarding the processing of personal data and our mutual commitments relating to compliance with the GDPR .
- Product: We expanded and updated our suite of product features to address our customers’ needs for tools that help collect and manage data in compliance with GDPR. Including tools to:
○ Gather and manage affirmative and specific consent on all website pages and run customized re-permissioning campaigns.
○ Enable a website banner to gather consent for certain analytics cookies.
○ Provide a full download of a person’s data in response to requests under the GDPR rights of access and data portability.
○ Permanently remove a person’s record from a customer’s database in response to a request under the GDPR right of erasure.
○ Enable or disable NationBuilder Match on a database-wide or individual record basis.
- Data Protection Officer: We appointed a Data Protection Officer, who can be reached at email@example.com
- International Data Transfers: We are maintaining our certification under the US-EU Privacy Shield to handle transfers of data to countries outside of the EU in accordance with the GDPR’s requirements.
- Vendor Agreements: We updated the contracts with our subprocessors to reflect the same data protection standards to which we hold ourselves.
- Data Protection by Design and by Default: We committed to continuing to proactively apply data protection by design and by default principles in building and enhancing our products.
What are NationBuilder’s Advanced Privacy tools?
The Advanced Privacy suite of tools was designed with GDPR compliance in mind and provides NationBuilder customers additional data privacy tools. Using the Advanced Privacy tools, customers can:
- Gather and manage consent for data processing.
- Gather consent for certain analytics cookies.
- Respond to individuals seeking to exercise their rights to data erasure, data access, and data portability.
- Switch NationBuilder match on and off and manage match data.
What can you tell me about consent?
The GDPR provides that a lawful basis must exist for the processing of personal data. Consent from the individual whose data is being processed is one possible lawful basis. You can learn more about the principles of consent (and other lawful bases) by reviewing the guidance from the UK’s Information Commissioner’s Office. You can also check out our webinar regarding consent under the GDPR, where we provide an overview of the concepts of consent and information about NationBuilder’s consent tools.
If I have additional questions regarding the GDPR who can I contact?
Please email Toni Cowan-Brown, our VP of Strategic Partnerships [firstname.lastname@example.org] with the subject line ‘GDPR questions’ and Toni will get back to you as soon as possible.