Ahead of GDPR (the General Data Protection Regulation) coming into effect on 25th May, I've put together a handy guide to show how you might want to run your strategic re-permissioning campaign with the new advanced privacy tools in NationBuilder.

1. Assess the data

Take a look at your database to establish which groups of people in your nation fall into the following categories:

a. Those who have given you explicit consent to communicate with them about everything (in a manner compliant with GDPR)
b. Those who have given you some explicit consent to communicate with them, but not granular consent
c. Those who have not given you any explicit communication consent

For people in the second category, you might have explicit consent to contact them about your weekly newsletter but not your monthly donation campaign. In this case, you'd need to seek explicit consent if you want to contact them about donations, too.

Please note: These three categories should exclude people who have previously unsubscribed from your communications, since you can’t re-permission people who have already opted out.

2. Define consent needs

Make sure you identify which consent types you need to continue carrying out your current work streams.

Obtaining explicit consent requires you to define and communicate the following three things:

a. How often will people receive communications?
b. What type of content is contained in these communications?
c. In which medium will you be communicating? E.g. text, email, postal etc.

For example, you might outline your intention to send a weekly email newsletter, or a monthly email donor appeal.

Here's a handy summary of what is required to obtain consent under the GDPR, and you can watch our past webinars for additional guidance here.

3. Enable advanced privacy tools in your NationBuilder nation

Once you have identified the explicit consent permissions you need, you should enable advanced privacy tools in your nation.

4. Create consent types

Before you create your consent form in NationBuilder, you'll want to set up your consent types. If the consent you are seeking relates to email, SMS, social media matching, or cookies, specify that respective feature as the “type.” If the consent you are seeking relates to a different type of processing unrelated to NationBuilder features - e.g., phone calls or postal - you can still create a consent type accordingly and leave the processing type blank.

5. Write consent forms

Next, you will need to create the actual consent form that people will see as part of your re-permissioning campaign. This page might contain several different consent requests. This is an opportunity to share with your audience why you are asking for their explicit consent to contact them going forward, then list the consent(s) you’d like from them.

You may want to ask:

  • Can we email you our weekly newsletter?
  • Can we contact you about events near you?
  • Can we email you our monthly fundraising newsletter/appeal?

Again, please make sure you seek your own legal advice on how and who to get explicit consent from for your organisation.

Advanced: There might be cases where you prefer more than one consent form. For example, if someone has already given you explicit GDPR-compliant consent to contact them about future petitions and events, then you may want to create another form to ask them only about things for which you don't yet have their explicit consent.

6. Outline a communication strategy

Once you have identified and set up the types of consent you need, it's time to segment your list. Here are three different approaches you can take (it's totally up to your own organisation’s preference and legal advice), and some steps to follow for how best to implement them in NationBuilder.

Approach A:
Contact everyone (all three categories from Step 1) and ask them to give you explicit consent to all of your communication options. This is the easiest but least customised way of gaining explicit consent from everyone, and can be a good idea if you haven’t done any data clean-up within the last six months.

Approach B:
Contact everyone who has either not given you any or only given you some explicit consent, and ask them to update all their consents in one go (even if you've received some explicit consent from them previously).

Approach C:
Segment your communications into two (or more) groups and ask them only about what is relevant to them:

a. Send a request for all your consent options to the people who haven't given you any explicit consent
b. Send a request for specific consents to the people who have already given you consent for some forms of communication

To batch update any explicit consent you already have, please follow the steps outlined here.

7. Create target audiences

Having decided which approach is right for you, you can build your target audience. First you need to create a filter for each segment you want to target, using the approach you selected above (as well as your data) to guide how many different filters you need to run.

For a GDPR re-permissioning campaign, I’d suggest you add each filter to a static list, as it will make it easier to identify who you have contacted and distinguish them from any new people joining your list between now and 25th May.

If you go that route, then later on you can filter for everyone who has not been re-permissioned by selecting ‘list’ and ‘is on none of the following lists,’ then select the lists of your audiences that you have contacted with your re-permission communications.

8. Start a path to manage your re-permissioning campaign

The next two steps may make your life easier in the long run.

Create a path to manage the process of your re-permissioning campaign. You may want to send multiple emails to your audience as part of this process, just in case people in your audience miss your first re-permissioning message. If so, your path may look similar to this:

Ensure that you also set up a reason for path completion to record those who have responded to your re-permissioning campaign - either by giving or declining to give consent.

If you do more advanced targeting of specific groups, you can create a path for each of those groups to manage your workflow.

9. Email the consent form

Now you’re ready to email your audiences to get their consent. The number of emails will again depend on your own approach. Our email function allows you to send each person a unique token, so you have a log of exactly who, when, how, where, and to what people consented (which is a key part of GDPR).

Access our step-by-step guide here.

10. Check to see who has responded

If you are sending out more than just one re-permissioning email, you'll want to ensure that you exclude people who have already given or denied consent from your list for subsequent blasts. By creating a similar filter to the one below for each of your ‘did consent’ and ‘did not consent’ options, you can see who has responded to your re-permissioning campaign.

Once done, create a filter tag which will be automatically added to someone’s profile if they match the filter criteria - making it easier for you to tell what someone has consented to.

With those tags in place, you should remove all who did or did not consent from your list to ensure you don’t email them again as part of your re-permissioning campaign.

11. Monitor progress

If you like metrics, or you’re required to report on how many people have responded to your campaign, then you can set up a goal tied to the path created in step 8. I’d suggest creating a list based on the filter in step 10, and then batch updating the path to ‘complete’. This way, you can see exactly who has responded so far:


Line Kristensen, Enterprise Account Manager


The information offered here and other NationBuilder GDPR and data privacy-related pages is not legal advice for you or your company to use to comply with the GDPR or other (European) data privacy laws. NationBuilder cannot offer legal counsel.

Instead, we are providing information about the steps we have taken to become GDPR compliant ourselves and the product features and services we offer (and will offer in the future) to help our customers use our products in a GDPR compliant manner. We can also help aggregate some GDPR resources (i.e. best practices, links to other resources we have found valuable, etc.) for you to consider in your own research and on your own GDPR compliance journey. Even if some of this information is legal information, it is not the same as legal advice, where an attorney applies the law to your specific facts and circumstances. Please be sure to consult and work with an attorney to ensure you are fully compliant with all of the data privacy laws that apply to you or your company (including, if applicable, GDPR).

