The General Data Protection Regulation (GDPR), which comes into force across the European Union next May, will have far-reaching implications for how political parties operate. For those active in Europe - or intending to be next year - planning for the change must begin now to avoid being caught completely off guard. It has been described as a piece of legislation with a real set of teeth, and it is being taken very seriously across the public and private sectors. Political parties and political professionals, however, have yet to engage fully with the implications for their industry, and this blog post aims to address that gap.
The arrival of GDPR will herald the dawn of the era of ‘privacy by design’. Under this new schema, an individual's opt-in to any public database will be treated as a privilege lent to the administrator by the data subject, not as an entitlement the administrator automatically enjoys. In addition, organizations outside the EU that hold data on European citizens will need to hold that information on servers hosted in the EU and will have to work with a European partner to assist them with the process.
Among its provisions, GDPR will give data subjects wide-reaching control over the personal data held about them by third parties (including guaranteeing them the right to move data between providers), ensure that a request to erase held data must be honored, and enforce reporting requirements related to data breaches. The last requirement includes a stipulation that details of data breaches must be communicated within 72 hours from the time controllers learn of them.
What is GDPR?
- New data protection legislation coming in May 2018
- Affects anyone who holds identifiable personal data on an individual/voter
- Organizations, and the individuals within them, found to be in breach of the legislation are liable to fines of up to €20 million or 4% of annual global turnover
- From now on voters will be able to demand access to any data you hold on them and request it to be deleted or transferred to a third party
- If you wish to hold identifiable personal data or sensitive data about an individual you will need to gain clear consent from that individual to do so
Steps needed to become GDPR compliant
1. Do the research - What are your obligations? Do you understand the legislation? Have you spoken to head office (if relevant)? Have you engaged any outside counsel or help?
2. Assess your current databases - Are your existing voter databases fit for purpose? If voters are identifiable in your database, you may need to gain consent from those people to continue processing their data and communicating with them. Otherwise, you may need to anonymise the database so that individuals are no longer identifiable.
3. Communicate and train your chain - Create a map of everyone in your organization and understand who is accountable for what in relation to GDPR. Get training for everyone: your chain is only as strong as its weakest link, so any volunteers, interns or casual staff will need to be trained to the same standard as your permanent team.
4. Review your systems and locations of data storage - Where do you keep data on voters: on desktops, in the cloud, in Excel spreadsheets, on scraps of paper? Establish how you are going to capture all of this in a way that is compliant with GDPR, and ensure that if you must transfer personal data outside the EU, one of the legally compliant transfer mechanisms is used.
5. Draw up your data retention policy - Document your retention policy and communicate it internally. The personal data of voters should generally be deleted once the purpose for which it was collected has been fulfilled.
6. Know how to deal with a subject access request - Have a standard process for dealing with requests from voters. Which locations need to be checked for information, and how is it to be packaged and sent to the requesting voter?
7. Appoint a data protection officer - You may be obliged to appoint an official DPO, but every organization should appoint someone, however informally, to be the GDPR champion who ensures compliance.
8. Understand the ‘legal basis’ for processing data - All processing of personal data must have a legal basis. There are several ways personal data can be processed lawfully by an organization, and these are set out in the GDPR. If the consent of the data subject is your legal basis for processing, that consent must be explicit, informed and freely given by the data subject.
9. Partner with a data processor who gets it! - If you are providing personal data to third-party service providers, do your due diligence. Ensure your data processors understand the GDPR and have appropriate documentation and systems to back this up. Dig under the covers and satisfy yourself that all is in order. If your data processor is not compliant with GDPR, then you will be non-compliant too!
10. Build protocols around gaining consent - Figure out a credible, repeatable way of gaining clear consent from voters. This is likely to be a digital signature of some description. Understand what your options are here.
11. Establish your speed of response to data breach reporting - If you do suffer a data breach, you will be obliged to report it to your local supervisory authority within 72 hours of discovering it. How do you plan on doing this, and how can it be done if, for example, it is a weekend or your DPO is away from the office?
12. Have your go-to organizations and consultants to ensure compliance - Build a team of legal counsel or data protection specialists around you as necessary. You will need them when planning for May 2018 and in the event of an incident subsequently.
How a GDPR software system can help you achieve compliance
- Outsource the secure data processing of your voter data to a data processor
- Focus on your data controller obligations and staff training
- Import and clean your voter data to ensure compliance
- Have an easy system for handling access requests that takes less than 30 minutes per request
- Have an easy system for managing a full data audit
- Have a method of capturing consent from voters for ongoing communication
- Have a secure method of administrative access for staff
The very best of luck with your journey towards compliance with the legislation. If we can be of any assistance to you in this, please do not hesitate to get in touch with us.