GDPR and political parties
The General Data Protection Regulation (GDPR) has been talked about a lot in recent times, but the realisation of how it is affecting political parties and political campaigns is only now beginning to come into focus. The reality for the political industry is that holding voter databases is much more precarious than it was in the past. As with most legislation that brings in sweeping change, there is a mindset shift that needs to take place post-implementation. Political parties have been incurring large fines in the past 12 months, and this is beginning to change the way they operate and the systems they have in place. Of course, political party management software is the key to turning the tide on data protection failings by applying a more rigorous model for managing voter data.
Politicians are beginning the process of treating voter data not as their own, but as something on loan to them from the citizen that needs to be held securely and dealt with in much the same way as if that citizen had given them their money. Principles of transparency, data minimization and the obligation to keep records up to date have implications that are only now sinking in. Any attempt to use recording methods like pen-and-paper to manage voter issues or capture information should be viewed as too risky from a data protection perspective.
The central problem for politicians seems to be the legal basis for holding personally identifiable voter data. In the run-up to an election, politicians should be able to use the legal basis of “the public interest” to hold personally identifiable information about voters. Once they have that database, they can then use it to reach out to those voters and to make judgements on how to frame and run their campaigns. However, when it is not election time, what is the legal basis for holding voter data? If the politician has not gained consent from a voter to hold their data, then they will need to delete it or to anonymise it so that it is no longer personally identifiable. In other words, the new reality is that political parties cannot hold any information about the people they represent other than fully anonymised datasets. If they have gained explicit consent from an individual to hold their data, then the data can be held; an incumbent who is representing voters can also make the case for holding the data “in the public interest”. However, it is clear that a significant change has taken place.
Many political parties and politicians are struggling to visualise the new reality of post-GDPR political campaigning, so we decided to put together a list of some processes and tools that can be used to respond to that reality and to gain advantage over rival parties. Let’s take a look.
## Anonymous voter outreach
Holding voter data that is anonymous does not carry the same obligations as holding personally identifiable data. If political parties are looking to understand what voters are thinking in a particular area or demographic, they can use anonymous voter canvassing tools to survey those voters in the community, for example, on the street or at public events. In this way, valuable voter insights can be gained to feed into voter targeting efforts without having to manage that data under the obligations of the GDPR. Ecanvasser GO has been designed to help parties and candidates do this anonymous canvassing, thereby minimizing their compliance overhead while still being able to capture valuable data and consent-to-contact signatures.
## Grassroots network building
The central problem of what legal basis there is for holding voter data may lead parties to think that voter databases are simply too risky to maintain, and that in any case little value can be extracted from them in the short window of opportunity that an election campaign (and its legal basis of public interest) provides. For this reason, outside of election time, parties might find that a better use of their resources would be to develop the grassroots network and infrastructure that is used by the party. In a country of, say, 100 constituencies, with multiple wards and precincts contained therein, what would be a target number of grassroots operatives within each of these areas? If a target of, say, 50 people on the ground working with the party is set for each constituency, then the party can deploy its resources to making sure it has onboarded the 50 × 100 = 5,000 people that it will actually be relying on when the next election comes round. With this level of engaged and committed volunteers and staff members, there would then be a functioning grassroots infrastructure that would be of huge value both at election time and in the normal course of political operations.
If a person explicitly agrees to have their data held by a political party with a view to ongoing contact, being updated on party news, or for election campaign materials, then there is no issue with holding personally identifiable data with this as the legal basis. Parties should be working toward the goal of building their database of contacts on this basis from now on. With a large database of voters opting in to communication, a party would have a very valuable way to communicate with its core supporters. Election time is a great time to capture consent from voters, but it can be done in the normal course also. Having the correct tools and processes to capture consent is important, and it is critical to distinguish between the processes needed when doing this online and face-to-face. Online opt-in should make the type of communication that the voter will receive very clear, with a tick-box that is not auto-filled. Once the opt-in has been filled out, the voter should receive an email to confirm their opt-in; this is known as a double opt-in and would be best practice. Face-to-face consent capture should be done on a mobile device that connects to your party’s central database and would involve tick box opt-ins that state the type of communication that will be received along with an e-signature component to prove.
For campaigns that hold personally identifiable data on voters during the course of their election campaign, it is legitimate to hold that information under the legal basis of “public interest”, provided that data is securely maintained. However, once election day is over, that legal basis no longer applies and, in this case, if the insights from the data captured are to be retained, then the data would need to be anonymised. What this means is that the voter database is deleted and the information points collected are aggregated into area statistics. For example, if a constituency is canvassed and communicated with during an election campaign, all those voter records can be deleted, but you can retain statistics based on canvassing history, team activity, and survey responses by area and demographic. These rich insights will form the basis of an understanding of the electorate in that constituency as a snapshot in time and will be hugely valuable in the future for understanding which areas are strongholds and which are weak, where your grassroots team is highly effective and where it might need help. Data anonymisation is a cleaning of data so that it remains useful without compromising the voters that have given it to you.
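The aggregation step described above, as an added example that is not Ecanvasser's code: per-voter canvass rows are reduced to area statistics and then deleted. The field names, sample records and the minimum group size of 5 are assumptions; the example goes slightly beyond the text by withholding breakdowns for very small groups, since a count of one in a small area can still point to a single person.

```python
from collections import Counter, defaultdict

MIN_CELL = 5  # assumption: smallest group that may be reported on its own

def aggregate_by_area(records, min_cell=MIN_CELL):
    """Reduce per-voter canvass records to area statistics with no identifiers."""
    by_area = defaultdict(list)
    for r in records:
        by_area[r["area"]].append(r)
    stats = {}
    for area, rows in by_area.items():
        bands = defaultdict(Counter)
        for r in rows:
            bands[r["age_band"]][r["response"]] += 1
        # A breakdown is kept only if every band reaches min_cell; dropping just
        # the small band would let it be recovered by subtracting from the totals.
        all_large = all(sum(c.values()) >= min_cell for c in bands.values())
        stats[area] = {
            "contacts": len(rows),
            # Areas below min_cell keep a contact count but no response detail.
            "responses": dict(Counter(r["response"] for r in rows))
                         if len(rows) >= min_cell else None,
            "by_age_band": {b: dict(c) for b, c in bands.items()} if all_large else {},
        }
    return stats

def sample_records():
    """Constructed canvass records; names and addresses are made up."""
    def voter(n, area, band, response):
        return {"name": f"Voter {n}", "address": f"{n} Example Road",
                "area": area, "age_band": band, "response": response}
    rows = [voter(i, "Ward A", "18-34", "support" if i < 4 else "undecided")
            for i in range(6)]
    rows.append(voter(6, "Ward A", "65+", "oppose"))
    rows += [voter(10 + i, "Ward B", "35-64", "oppose" if i < 3 else "support")
             for i in range(5)]
    rows += [voter(20 + i, "Ward C", "18-34", "support") for i in range(2)]
    return rows

if __name__ == "__main__":
    records = sample_records()
    stats = aggregate_by_area(records)
    records.clear()  # per-voter rows are deleted once the statistics exist
    for area, s in sorted(stats.items()):
        print(area, s)
```

Ward A loses its age breakdown because its single 65+ contact could otherwise be read off by subtraction, while Ward B keeps its breakdown and Ward C keeps only a contact count.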
## Permission level access
Anyone who has worked with sensitive databases like election or voter databases will know the problem of access. Who has access to it? What can they see in the data? Is it sensitive data? What changes can they make to individual records? What activity record is there among database administrators in terms of changes made? Can data be exported? Clearly establishing administrator access permission levels is a critical part of the GDPR puzzle and, if organisations are not using software systems that include permission levels for all staff and team members, then they will need to explicitly define those parameters in an internal document. Campaign managers and political parties should be able to restrict access to databases, and the ability to work on those databases, to only those people for whom it is entirely necessary. It should also be possible to see an activity log of what changes, exports and so on have been made by administrators who do have database access. If your software provider doesn’t have this functionality then you should ask why not.
“Privacy by design” is a guiding principle for those people who are tasked with building systems that respond to GDPR. What it means is that the privacy of citizens is considered in every aspect of the system design. Software should have a privacy dashboard or settings page that clarifies which individual data points are being gathered and for what reason. The permission levels outlined above can be set up or amended here, and it can become the place where an organisation is accountable for the data protection decisions that it makes. Ensure you have some form of privacy dashboard or log of why data points are being gathered so that you can respond to a data audit if it happens.
We hope this list might provide you with some ideas on how to proceed with your GDPR planning and implementation. If you want to talk to us about any of the issues raised here, please don’t hesitate to get in touch.