General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)


As part of the National Democratic Institute (NDI) ongoing mission to work for democracy and make democracy work around the world, we are updating some of our policies to ensure the privacy of those who interact with the Institute.

Please feel free to review NDI's updated privacy policy, data retention policy, and terms and conditions. These changes, as well as changes to our online platforms, are intended to bring them into alignment with General Data Protection Regulation (GDPR). A phased approach to compliance is described below.

What Is GDPR?

GDPR, also known as EU Regulation 2016/679, is designed to strengthen and unify data protection for the personal information of all individuals (“data subjects’) affected by the regulation. GDPR provides the context, guiding principles, and governance framework for collecting and processing personal data. Organizations with more than 250 employees (or all organizations wherein processing of personal data is not occasional or includes particular types of sensitive personal data) and that store personal data of those individuals within EU states, must comply with the GDPR, even if the organization is located or operates outside the EU. On May 25, 2018, it went into enforcement, replacing the Data Protection Directive (Directive 95/46/EC) of 1995.

A key focus of the regulation is on the data controllers and processors that manage personal data. The GDPR highlights expectations of the data controllers and processors to implement appropriate technical and organizational measures to maintain the confidentiality, integrity, and availability of personal data.

Our Roadmap to Compliance

What We’re Doing and When

Below, find a detailed list of outcomes NDI is working to ensure our compliance and assist with the compliance of our partner organizations. A quick note on timelines: we’ve already started with many of these new initiatives and will continue to update this page as they’re implemented over the over the coming months.

But first, a quick primer on the legalese associated with the GDPR.

GDPR Primer

Let’s say that Jane Doe is a contact in one of our Google Forms (e.g. an event registration form) and an EU resident. According to the GDPR, she's called the "data subject." In this example, that means NDI is the "controller" of that data and Google acts as the "processor" of Jane’s data on behalf of NDI. With the introduction of the GDPR, data subjects like Jane are given an enhanced set of rights, and controllers and processors like NDI and Google, respectively, an enhanced set of regulations.

woman on computer

Key Requirements

The actions for the defined key requirements are applicable to all EU residents that consent to providing their data to the National Democratic Institute.

Frequently Asked Questions

When will NDI be updating its legal docs?

NDI updated its Privacy Policy on May 25, 2018. You can review the policy here.

What else is NDI doing to protect your data under the GDPR?

NDI is working toward implementing “security by design” and “privacy by design” standards to continuously monitor and protect your private information.This means NDI commits to promote privacy and data protection compliance from the start of every project and by default.

Does the GDPR require personal data to be stored in the EU? What does NDI do to ensure lawful data transfers from the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions.

I receive newsletters from NDI for which I did not give opt-in records. How do I request access to my records or request the deletion of my records?

You can contact NDI through its website. You may also unsubscribe yourself using the link at the bottom of the newsletter.

Will NDI be able to comply with the right to erasure (also known as the “right to be forgotten”)?


How will my personal information be used if I am participating in an NDI event?

NDI will collect personal information to arrange travel and to comply with audit and accounting processes. NDI may also use the personal information of program participants to report on activities to its donors.

How will my personal information be used if I am hired as a consultant with NDI?

NDI will collect personal information to arrange travel, to process consultant contracts, to issue payments, and to comply with audit and accounting processes. NDI may also use the personal information of consultants to report on activities to its donors.

Can I enter into a Data Processing Addendum (DPA) with NDI DemTools?

NDI makes available a Data Processing Addendum (DPA) for GDPR. The GDPR DPA is available to all of our programs and partner organizations. If you would like to incorporate the GDPR DPA into your existing agreement with NDI, please email us and we will promptly send you NDI's Data Processing Addendum for you to complete, sign and return to us.

Updated on July 17, 2018

Copyright 2024 © - National Democratic Institute - All rights reserved