Brendan Tobin / May 2018
The General Data Protection Regulation (GDPR) is about to become law across the EU, and the noises coming from political parties remain muted on how they are responding to the issue. GDPR is an amalgamation and strengthening of data protection to date and seeks to bring organisations to heel on how they hold and use citizens’ data. What it does, among other things, is give power back to citizens (and voters) to demand what data is held on them and why. Organisations, including private enterprises, charities, and political parties, will be forced to put order on the data they hold and get ready for the new regime. Non-compliant entities will be open to fines of up to €20 million or 4% of annual global turnover.
But why does it matter? After all, haven’t we been doing fine up until now without it? Well, because the clichés are correct: data is power, and those who have the most data can use that power to target and manipulate ordinary citizens. If we are to learn anything from the Cambridge Analytica scandal that broke recently, it is that data can be stripped from you very easily if you are not paying attention. This data can then be used to influence you to do things like buy the latest pair of sneakers, or in the case of Cambridge Analytica, vote for Donald Trump.
The fact is we have become very accustomed to this environment where we are complicit in giving up our personal data in exchange for ‘free’ services like Facebook. As the new adage goes, if you’re not paying for it, you are the product! We live in a world that has normalised the harvesting of data, and the packaging of that data for organisations that seek to use it to influence us. GDPR is the beginning of the fight back against this trend, a way of saying that this situation is not normal.
So where are political parties and the political industry with this? The majority of parties seem to be taking steps to address this issue within their existing ways of operating, rather than setting out a whole new method of operation. Parties clearly need to hold information about voters in order to represent them, but the legislation is far from a blank cheque to hold on to data indefinitely. Under Recital 56 of the legislation:
“Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.”
So it is permitted to collect personal information in the course of electoral activities with appropriate safeguards. However, because there seems to be some grey area, political parties are not preparing as thoroughly as commercial organisations who are more obviously in the crosshairs. The most obvious points of danger for parties are around data breaches (and how they respond), and subject access requests from voters that may swamp their internal administration systems.
So what is the likely impact on the way political parties will be forced to operate post-GDPR?
- Political parties will need to hold this data securely, i.e. on cloud-based servers in Europe with data encryption and access security
- Parties will need to inform the data subject why they are holding this data and what the legal basis is for that, such as Consent or Public Interest
- Parties will need to treat that data almost like money insofar as they have to tell a data subject what they have (if the voter requests it) and will have to delete or transfer the data to a third party as requested
- Parties will need to train all elements of their organisation regarding best practice around data privacy and collection
Non-compliance will bring real financial and reputational damage to political parties. Those organisations that have built large grassroots memberships that speak to voters directly and regularly may be the best placed to respond to the challenge of less information being held on the electorate at large. It is not all bad news for those who are ready to take advantage. As Peter Wilson of Specialist says, “Organisations should think of GDPR as a communications opportunity and not a burden. GDPR will bring an unheralded purge of unsolicited emails. At this very moment, voters across the continent are seeing their inbox swell with requests for consent. After 25 May, most inboxes will fall silent for the first time in decades.”
It will be interesting to see how the first few months of the legislation play out for parties and how they will respond to their new obligations.