GDPR and AI: Salvation or Damnation?
Recently, I spoke at the EuroPCom conference for communications professionals in Brussels. The theme of the conference was Campaigning for Europe and was fitting with the European elections coming up in May 2019. As EuroPCom said in its briefing:
With the 2019 European Parliament elections ahead and distrust in the EU still dominating national discourse and elections in the Member States, fostering democratic engagement and advocating the European project seem to be decisive in 2018 for ensuring the future of the EU. Under the headline Campaigning for Europe, the 9th edition of EuroPCom will thus provide communicators with a unique connecting platform in preparation for the election year ahead.
There were interesting submissions from European Commission professionals on communication strategies. Academics put forward research on a range of topics from social media management, to setting up troll-farms to democracy itself. And finally, practicioners like ourselves spoke about the work we are doing delivering communications tools to political parties that allow them to speak directly to local voters.
From my own perspective I was happy to talk on a panel about our work and how it relates to the broader political and technological landscape. The topic under discussion was GDPR and AI: Salvation or Damnation? My co-panellists included Paul Niemitz, the Principal Advisor to the Directorate-General for Justice and Consumers, Natalija Bitiukova, a data-protection consultant from the Human Rights Monitoring Institute, and Giuseppe Porcaro, the Head of Communications at the Bruegel Institute in Brussels.
You can find a link to my presentation slides here. In my presentation I addressed how we at Ecanvasser, as practicioners who work directly with political parties, view the understanding of the topic and how it is practically applied in political practice. There were a number of questions that occured to me when considering this topic.
- How do political parties use AI?
- How are parties responding to GDPR?
- What does a post-GDPR political practice look like?
- What type of intelligence is needed in 2019?
Political parties and AI
Firstly, in looking at how political parties are using AI, I think it is worth noting that parties do not use AI to any great extent more than, say, a small to medium sized business. By that I mean, they engage in digital advertising on the likes of Facebook, Google and Twitter, albeit spending large sums of money around election times. Equally, they use some data science applications for understanding large data sets, products like Azure by Microsoft. This practice is not widespread and is usually confined to the larger parties. And finally, they are beginning to engage with AI applications like chatbots on websites that are being used to screen voter queries and deliver a quasi-personalised experience for people who are on the politician’s website.
How are parties responding to GDPR?
The short answer to this question is that parties are not fully taking on their responsibilities under GDPR. It is one thing for a party to say that head office has done its due dilligence and produces systems and guidelines for data protection compliance. It is altogether another thing to say that the entire root and branch organisation is compliant and trained in GDPR. What we have seen at the recent Conservative Party conference in the UK is that parties can be cruelly exposed when they haven’t tested and retested their systems. In that case, a conference app with personal details of senior politicians and attending journalists was breached and informationed leaked into the public domain almost as quickly as the app had been released. The reputational damage from breaches like this is significant and raises the question, if they cannot safeguard the details of a small group of their senior polticians, then what hope do they have in managing voter data?
Some key points for parties to consider include:
How precarious a position are you in in relation to personally identifiable data that your organisation may hold? This includes down to grassroots level and into storage areas like paper records, desktops files, and email histories?
Has your party membership been sufficiently trained on the 6 core principles of GDPR that include transparency, minimization, retention, security, accuracy and usage limits?
Do you understand the limits of ‘public interest’ as a legal basis for processing personally identifiable data? When does public interest apply (in the run-up to an election, when serving constituents) and when do you need to use ‘consent’ as the legal basis for holding data?
Do you have a clear picture of how to campaign under GDPR restrictions? How do you communicate with voters and keep their data safe at the same time?
Post-GDPR political practice
When we talk to parties about how to do voter outreach campaigning now in Europe, they are often surprised by the restrictions on them in terms of how they handle data. The realisation comes slowly that handling voter data is similar in many ways to handling money. It needs to be stored carefully, only taken when necessary, and the person must have access to it at all times. It is theirs. You are just keeping it for them. With this in mind, here are a few things that we have instituted in order to help parties be compliant.
A privacy dashboard is like a Settings page for data protection. Here is where an organisation can set out the specific reasons it is capturing each individual data point. They can also outline the explicit wording required for their ‘consent capture’ tickboxes.
A chain is only as strong as its weakest link and if everyone isn’t working off the same system and received the correct training in data protection, the organisation runs a real risk of having someone (even a volunteer) compromise data protection guidelines.
When talking to someone face-to-face it is important to have a way to capture consent from them to continue to contact them. This is done with a series of checkboxes on a mobile device followed by an e-signature screen to ensure data compliance. In an online setting, consent can be given on a screen and followed up with a confirmation email that is required to complete the process, this is known as a ‘double opt-in’.
When an election ends and the legal basis of ‘public interest’ for holding voter’s data disappears then it is critical to have a way to anonymise the voter database without losing all of the insights and intelligence that have been gathered. Using a data anonymisation tool you can package and aggregate voter insights by area so that you retain the high level information while deleting voter’s details.
A hospital in Portugal was fine €400,000 recently because patient records were available to over 900 administrators when only about 200 of those people had any need to have access. Setting out permission levels for different people in the organisation from volunteer all the way up to data controller will ensure that information is seen on a need-to-know basis. Activity records should also be kept to see which administrators did what in the system including data exports, deletions and so on.
Finally, the ability to talk to voters and capture information from them in the form of survey responses or ratings is necessary to protect organisations who want to get voter feedback but don’t want to capture any personal information.
What intelligence is needed in 2019?
Artificial intelligence is growing but political parties should focus on the human intelligence that they can build into their processes for 2019. By human intelligence I mean that political organisations are large and complex, and by connecting all of those people and the understanding they have of their local area, an organisation can become intelligent. For 2019 the largest deficit that we can see in how parties operate is exactly this. Solving this problem with technology and connected systems will allow database quality to improve, insights to become clear, and decision making more structured and credible.
The New York Times recently released a survey of Congressional politicians and their legislative teams to see how well they understood voter sentiment in their constituencies on key issues. It found a staggering dislocation between the views of both parties. Equally, if the EU is to be successful it has to solve this problem and GDPR might be the impetus to drive this change and help parties to connect grassroots to head office.
Politicians have the unenviable task of having to understand voters in their totality and then develop legislation taking into account wider concerns like fairness, national interest, and so on. The more human intelligence involved in this stewardship the better.
If you have any questions or would like to discuss these topics with us, just reach out in the chat box below.
Image Copyright © European Union / Aude Vanlathem
Running A Campaign This Year?