The General Data Protection Regulation (GDPR) implementation date has arrived. With so much discussion focused on the initial reactions to the Regulation’s introduction by major online services such as digital newspapers, relatively few have considered the behind-the-scenes work that political parties around the world are undertaking to ensure compliance.
Have you met your GDPR obligations as a political party?
For those holding privacy protection functions at political parties and still in the trenches of preparation efforts, this quick run-through should provide a general outline of what organizers need to do to make sure that they are compliant with the legislation’s provisions.
1. Privacy compliance dashboard
Whatever software you are using to plan your grassroots political outreach, it is vital that it includes a privacy compliance dashboard where administrators can gain a bird’s-eye view of critical privacy information, such as the identity of your party’s Data Protection Officer.
Ideally, this dashboard should also allow you to map each personal data field to the legitimate, lawful purpose for processing that information. This will ensure compliance with Article 13 section 2 of the Regulation.
2. Subject access requests
Under GDPR, individuals have the right to see what information you hold about them. In response to a Subject Access Request (SAR), political parties will need to access all the information they hold on someone quickly. This means setting up a centralized database with search functionality. Systems in which voter information is stored in multiple locations and formats will be rendered untenable: SARs would simply take too long to respond to. Individuals also have the right to have their data updated or removed.
To stay compliant, make sure that your constituent management system includes all of these functionalities – and that your staff are properly trained on how to use its search functionality.
3. Data breaches
Data breaches will happen over time and it is important to be ready to deal with them. The majority of data breaches occur through human error, such as when passwords are broken or stolen through sloppy data governance.
The software you use to manage constituent information should enforce proper password hygiene, incorporating best practices such as forcing the use of strong passwords and requiring periodic password updates. Better still, insist on using a solution with two-factor authentication (2FA) – and ideally one in which the authentication token is delivered over an encrypted communications channel.
Logs of password changes and data export activity are also important features to look for. In the event of a data breach, you can request to see the login credentials that might be connected to the breach.
4. Establish a digital consent breadcrumb
When capturing a person’s consent while doing field work in the community, always obtain their electronic signature on a mobile device. This establishes clear consent and is equivalent to an online sign-up consent process, such as a sign-up form on the party website, or a membership sign-up form.
The consent statement also needs to be a clear and unambiguous message. Some examples of consent categories that could be outlined for a political party are:
- To be contacted regarding ongoing issue(s) which the individual has reported;
- To receive updates regarding this campaign for the duration of the campaign;
- To receive news updates regarding this candidate; and
- To receive information regarding volunteer events.
5. Field canvassing
Face-to-face canvassing can be done in the community to capture non-personally identifiable data on voters. Anonymized data from this canvassing work can then be used in both raw and aggregated formats to understand geographic and demographic groups better. This is an important point to be aware of for those seeking to use canvassing to establish demographic patterns not available from public sources in their electorate.
6. Data retention
The GDPR sets down strict criteria for how long personally identifiable data can be held, and data minimization is a core guiding principle. For political parties, this means that as soon as a constituent issue has been resolved, the data pertaining to it should be archived or deleted. Political parties must also ensure that they have drafted a formal data retention policy setting out the protocols to be followed in this respect. Training should be provided to ensure that system administrators are aware of its provisions.
7. Permission levels
All political databases should have granular permission and access control settings to ensure that only those who really require access to stored information are able to obtain it. Permission levels are a standard functionality in most software database systems or CRM systems.
8. Data minimization
With GDPR, you need to ensure the personal data that you capture is adequate, relevant and limited. You need to ensure that you are only storing the minimum amount of data required for your purpose. This concept is known as data minimization.
We recommend that you periodically review all fields being stored about voters in your voter management system and remove any fields that do not meet this requirement.
GDPR compliance is an ongoing process. Following the above guidelines should ensure that your political organization stays on the right side of the regulators.