Skip to main content

Frequently Asked Questions about the General Data Protection Regulation (GDPR)


What is the GDPR?

In April 2016, the European Commission (EC) approved and adopted the General Data Protection Regulation (GDPR), which replaced the 1995 EU Data Protection Directive and standardizes data protection law across the EU countries. The GDPR went into effect on May 25, 2018.


Who does GDPR apply to?

GDPR applies to all organizations processing the “personal data” of EU residents, regardless of whether the organization is operating in the EU. GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This definition includes a wide range of personal identifiers, such as name, identification number, location information, and online identifiers. “Personal data” as defined by GDPR is notably much broader than the terms used in other data protection regulations, such as “sensitive information” or “personally identifiable information.”


When did GDPR become applicable?

May 25, 2018.


What if my business is not in the EU but I do business with EU companies?

You may still have to comply with the GDPR. The Regulation applies to non-EU organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.


Can personal data continue to be processed outside of the EU?

Yes. The GDPR places restrictions on the transfer of personal data to countries outside of the European Economic Area, but such transfers are still possible if they follow the requirements of the GDPR. NationBuilder complied with the GDPR requirements by its certification under the US-EU Privacy Shield. On July 16, 2020, the Court of Justice of the European Union issued the Schrems II decision which invalidated the Privacy Shield as a mechanism for transfer of data.  However, the CJEU upheld the Standard Contractual Clauses as a valid mechanism for transfer, along with supplemental measures.  On November 13, 2020, the European Data Privacy Board issued recommendations on measures that businesses can adopt to supplement transfer tools.  These measures were subject to a comment period ending on November 30, 2020, and final recommendations will be issued thereafter.  Since GDPR went into effect, NationBuilder has included the SCCs as part of its Data Processing Agreement, which in turn forms part of the Master Terms of Service, and does not require a separate signature or click to accept.  We recognize that customers may need to implement supplemental measures to ensure compliance with the level of data protection required under EU law, and NationBuilder stands ready to work with our customers on such measures.


My organisation is based in the UK. With Brexit happening, does GDPR still apply to my organisation?

The UK’s decision to leave the EU did not affect the implementation of the GDPR. Now that the UK has left the EU, UK organisations processing the personal data of residents of other EU countries will have to continue to comply with GDPR. If a UK organisation’s activities are limited to processing the personal data of UK residents, its compliance requirements will be determined by the regulatory scheme put in place by the UK government as of January 1, 2021.


Where can I find more guidance about the GDPR and its requirements? 

Thorough guidance that can help guide you navigate the Regulation’s requirements is available from the UK’s Information Commissioner’s Office and the French Data Authority, la CNIL.


What did NationBuilder do in preparation for GDPR?

One of NationBuilder’s core tenets has always been that our customers own and manage their own data. With that comes a responsibility to provide tools that help our customers ensure that their data is protected and secure, which includes complying with applicable regulations. To that end, we have always prioritized robust compliance, data protection, and security practices. 

Read about the changes we made in anticipation of the GDPR here.


What are NationBuilder’s Advanced Privacy tools?

The Advanced Privacy suite of tools was designed with GDPR compliance in mind and provides NationBuilder customers additional data privacy tools. Using the Advanced Privacy tools, customers can:

  • Gather and manage consent for data processing
  • Gather consent for certain analytics cookies 
  • Respond to individuals seeking to exercise their rights to data erasure, data access, and data portability


What can you tell me about consent?

The GDPR provides that a lawful basis must exist for the processing of personal data. Consent from the individual whose data is being processed is one possible lawful basis. You can learn more about the principles of consent (and other lawful bases) by reviewing the guidance from the UK’s Information Commissioner’s Office. You can also check out our webinar regarding consent under the GDPR, where we provide an overview of the concepts of consent and information about NationBuilder’s consent tools.


If I have additional questions regarding the GDPR who can I contact?

Please email our team at [email protected] and we will get back to you as soon as possible.


Last updated December 2020