General GDPR questions
What is GDPR?
Over a year ago, the European Commission (EC) approved and adopted the new General Data Protection Regulation (GDPR). The GDPR is both a legal framework for the protection and security of personal data in the European Union (EU) and a set of regulations that will apply across Europe as of May 25, 2018.
Who does GDPR apply to?
The GDPR applies to all organizations operating in the European Union (EU) and processing “personal data” of EU residents. Personal data is defined as “any information relating to an identified or identifiable natural person.” This definition is notably much broader than “sensitive information” or “personally identifiable information,” which are the more narrow definitions of the data to which a regulation might apply (sometimes seen in other privacy and data security regulations).
When does GDPR become applicable?
On May 25, 2018.
What if my business is not in the EU but I do business with EU companies?
You will still have to comply with the Regulation. Non-EU organisations that do business in the EU with EU data subjects' personal data should prepare to comply with the Regulation.
Does my data now have to be stored within the EU?
No. There is no obligation under the GDPR for data to be stored in the EU. The rules regarding transfer of personal data outside the EU currently remain the same.
When transferring data to the USA, the controller (i.e. “the person who, alone or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed”) must rely on approved contractual provisions such as Data Processing Agreements (see our answer below regarding DPAs), or on one of the other alternative measures provided for in law, such as the Privacy Shield certification, which we also hold.
I am a UK organisation, with Brexit happening, does GDPR still apply to my organisation?
Yes. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. If you are a UK organisation and you are handling personal data, you will still need to comply with the GDPR, regardless of the outcome of Brexit. The GDPR will be legally effective before the UK leaves the EU and, as such, the government and the Information Commissioner have confirmed that the GDPR will apply.
What is NationBuilder doing in preparation for GDPR compliance?
NationBuilder is working to ensure our software and services are fully compliant with the GDPR when it becomes enforceable on May 25, 2018. Here are some of the actions we have taken thus far:
Analysis by a European legal firm: Earlier this year, we hired a European legal firm that specializes in data protection in the technology space. They are doing a full assessment of our product and procedures to determine if there are any gaps that need to be addressed. Our product and engineering teams are committed to delivering any necessary changes or enhancements to ensure that NationBuilder is GDPR compliant.
Updates to our policies: We are in the process of auditing and updating our current Compliance Management System and our compliance and security policies and procedures.
Data Processing Agreements (DPAs): To help our customers in their efforts to comply with protection and security of personal data regulations and better protect citizens’ data, NationBuilder has, for many years, asked our customers to enter into a Data Processing Agreement (DPA) with us. NationBuilder uses these DPAs to lay out our mutual commitments with our customers to proper data handling and to help ensure compliance with international data transfer regulations and best practices. Our DPA will be revised in light of the requirements of the GDPR. We will ask all new and current customers in the EU to sign the revised DPA. We are working to get these available to you as soon as possible. For additional information about the new DPA or to obtain a copy, please contact our support team at firstname.lastname@example.org.
Do the DPAs cover special category data about individuals’ political beliefs? Will special category data be able to be stored on NationBuilder servers?
Yes, it does. The DPA specifically calls out ‘special category data’. The DPA mentions the following:
“Except where Union or Member State law provide that a data subject may not consent to any of the items in the following list, Customer may submit special categories of data to the Service to the extent that, under Customer’s sole discretion and control, and which is, for the sake of clarity, Personal Data with information revealing one or more of the following categories of Personal Data:
- Political party affiliation, participation, voting, contribution, and opinion data
- Religious belief and organization donation data
- Philosophical belief data
- Trade union membership data
- Ethnic data”
What should I do as a NationBuilder customer and how can I prepare for GDPR?
Although the GDPR will not be enforceable until May 25, 2018, we encourage our customers and ecosystem partners to start preparing now. We urge every organization that processes or shares personal data to start your GDPR compliance journey (if you haven’t yet). Review your security, compliance and data protection practices and products to ensure that you are ready by May 2018.
What are key areas of the GDPR I need to know about?
- The definition of personal data is broader, bringing more data into the regulated perimeter. The definition of “personal data” according to the GDPR is the following: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- The bar for valid consent has been raised much higher under GDPR. The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
- The appointment of a data protection officer (DPO) will be mandatory for certain companies. Article 35 of the GDPR states that Data Protection Officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
- Mandatory data protection impact assessments have been introduced. A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
- There are new requirements for data breach notifications. Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.
- Data subjects have the right to be forgotten. In a handful of circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
Cookie compliance with NationBuilder
How do I add a cookie warning for compliance with EU legislation?
All websites used in the EU must now comply with the "Cookie Law" by gaining users' consent to store cookies (including anything of a similar function). Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
To add your notice to your nation, please read our ‘How to’ guide here.
Consent with NationBuilder
What counts as valid consent?
Valid consent needs to be explicit. This will require you to obtain consent in a way that leaves no room for misinterpretation. This means it must be provided in a clear statement – whether written or spoken.
According to the ICO, “consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation”. Here is a good summary of what is required to obtain consent under the GDPR.
There will be two parts to this exercise: 1) you will need to gather consent (before 25th May) from the people who are already in your database in order to continue to engage with them, unless you feel explicit consent was already gathered from them when you first collected their data, and 2) you will need to ensure you are collecting explicit consent from people you want to engage with after 25th May.
Creating an explicit opt-in for people already in your database before 25th May:
- You will need to create a clean and upfront opt-in campaign to repermission consent and invite people to continue to receive communications from you.
- We highly recommend doing this sooner rather than later as most organisations are going to have to do such repermissioning campaigns and you don’t want yours to be lost in the mix.
- Only repermission those who have given you consent. Sending such an opt-in email to an individual who has previously opted out is already a breach of existing rules. Do not use this as an opportunity to try and convince those who have opted out previously.
- You will need to be clear about all the ways you might want to use their data. This might require you to lay out the different ways in which data might be used and allow for an opt-in for each use case.
Collecting data after 25th May:
- You will need to be clear and upfront about why you are collecting a data owner’s data and all the ways you might want to use it, in advance.
- Here is a good summary of consent forms and data owner consent withdrawal procedures. We cannot give you legal advice or create the consent forms for you, but the tools and features we are developing are designed to help you comply with the GDPR.
Note that consent is not a silver bullet. Consent is indeed one way to comply with the GDPR, but it’s not the only way. Indeed, the GDPR provides five other ways of processing data - some of which might be more appropriate than consent.
What is “bundled consent” and is it allowed under the GDPR?
The ICO’s guidance explains that consent requests must be unbundled, meaning that the consent requests are separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
When does consent need to be renewed?
You should review and refresh consent as appropriate, and whenever anything changes from the disclosures you made in order to obtain the consent: how you are using the data, what kind of data you are using, or the purpose for which you are using the data. Also, ensure you keep evidence of consent: who consented, how, when, and what you told users about how their data would be used, what kind of data you are using and the purpose for which you are using the data. NationBuilder is in the process of building out tools and features to make it easier for our customers to obtain and track consent.
How long is active consent valid for? Does it need to be renewed to prevent it from expiring?
According to the ICO, there is no set time limit for consent. How long it lasts will depend on the context. It is best practice to review and refresh consent as appropriate. NationBuilder is in the process of building out tools and features to make it easier for our customers to obtain and track consent.
Social Media with NationBuilder
Will it still be possible after GDPR to import followers of other social media accounts automatically? (NB functionality: recurring Twitter imports)
GDPR does not specifically address this situation, so it is not yet clear. It may also depend on the nature of the consent the various social media platforms are going to obtain from data owners in order for those data owners to use the social media platform.
It is our understanding that ‘recurring Twitter imports’ will no longer be permitted. It is our understanding that we would need to treat these people in the same manner that we would treat any list of un-contacted persons. You can reach out to these users once over a certain period of time, but cannot do any processing of their data.
Will it still be possible after GDPR to automatically import data on the social media account of new social followers & link them to an email address via NB? (NB functionality: NB Match)
First it is important to distinguish the three ways in which social data can enter your database:
1. Syncing your Facebook and Twitter accounts, which by default imports everyone who interacts with the Twitter account. You can uncheck the box next to one or more of these options, and these profiles will not be imported.
- Followers: Everyone who follows your Twitter account is imported into your nation as a supporter.
- Retweeters & mentioners: Everyone who retweets one of your tweets in the last week or mentions you in a tweet of their own is added to your nation as a prospect.
- Accounts you retweet or mention: If you retweet or mention someone — even if they've never interacted with you — NationBuilder will add them to your nation as a prospect.
For each Twitter profile added to your nation, NationBuilder will import:
- Profile photo
2. NationBuilder match. When a supporter is added to your nation and provides an email address, NationBuilder Match will append social media information to that person’s profile.
3. Recurring Twitter imports which pulls people who follow a Twitter account into your nation.
With regard to NB Match, in most jurisdictions, yes, it will be possible. You will need to have permission from your followers (the data owners) to do so. This will require you to be clear and upfront about why you are collecting a data owner’s data and all the ways you might want to use it, in advance. You will need to flag that you will be appending publicly available social data if you wish to keep NB Match active in your nation. We are in the process of making it easier for our customers to disable NB Match.
Here is a good summary of what is required to obtain consent under GDPR and here is a good summary of consent forms and data owner consent withdrawal procedures. We cannot give you legal advice or create the consent forms for you, but the tools and features we are developing are designed to help you comply with GDPR. In some countries in the political space (such as France), the regulation will likely be stricter for political parties and may not allow automatic imports of social media data at all. In those jurisdictions, NationBuilder Match should be turned off.
With regards to syncing up your Facebook and Twitter account, in most jurisdictions, yes, it will be possible, but it will depend largely on whether you have the permission from your followers (i.e. the data owners) to do so. Obtaining this consent can likely all be part of one consent form. See response to Q1, above.
Can I switch off NB Match today? (NB functionality: NB match)
Yes. We will be giving our customers more freedom to switch NB Match on and off in their nation. Deletion of Match data is currently possible manually with the use of filters. We will be offering a how-to document that supports the simplest workflow to achieve this.
If I have additional questions regarding the GDPR who can I contact?
If you do not find an answer to your question please contact Toni Cowan-Brown, our VP of European Business Development [email@example.com] with the subject line ‘GDPR questions’ and we'll do our best to get back to you as soon as possible.
Last updated on 3rd April 2018