The Information Commissioner has sent out letters to the main political parties, reminding them that they must comply with data protection laws ahead of the forthcoming election on December 12.
There’s no doubt that the ICO is very strict about the use of data in political campaigning.
The letter read: “A dedicated election hub for parties and campaigns has also been created on the ICO website, along with an updated ‘Be Data Aware’ campaign for the public telling them their rights when their personal information is used for political purposes.
“Following the announcement of a General Election on 12 December, I am writing to remind you of the continuing need to comply with data protection and electronic marketing laws.
“People’s awareness of their data protection rights has never been greater, and their expectations that those rights are respected never higher. Compliance with these laws is vital to the trust and confidence in the democratic system.”
It’s really not that surprising that the ICO went to the trouble of sending out reminders – considering the furore surrounding the Cambridge Analytica scandal.
This was the major political scandal in early 2018 when it was revealed that Cambridge Analytica had harvested the personal data of millions of peoples’ Facebook profiles without their consent and used it for political advertising purposes.
Aside from the practical problems in remaining GDPR compliant during an election, what about data protection after the election.
The UK population will be going to the polls next month because of disagreements in the House of Commons about Brexit.
Many people think it’s an election based solely on the issue of Brexit.
The Labour party has complained to Ofcom about Sky News branding its coverage of December’s poll as “the Brexit Election”.
The party told the broadcasting watchdog the description “gives undue and unfair weight to the Conservative party’s political agenda”, pointing out that the Tories are using the word in their “Get Brexit Done” campaign slogan.
Data can flow freely across the EU as long as companies conform to its tough GDPR there should be no real change after Brexit – as long as there is a deal.
It’s likely that there will be a transition period during which the GDPR will continue to apply. However, at the end of that transition period, the default position would nonetheless be the same as for a no-deal Brexit, although the transition period will allow for key issues to be dealt with and further guidance to be published.
But if there is no deal, GB will be treated as an external country, needing what is called an adequacy ruling showing our data protection standards are adequate – and the European Commission has indicated that this would not happen anytime soon.
If you do receive data, such as lists of names and addresses of customers from a company in the EU or the wider European Economic Area then you will need to take action.
Advice to organisations include reviewing contracts and, where absent, include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.
A no-deal Brexit could also hit internal transfers, such as those which may take place in a company that employs staff across Europe but runs human resources from a shared service centre in the UK.
The future post-election is by no means certain but companies need to make sure they know what is happening and not get caught out. The message is clear: Don’t get caught out post-election – be Brexit ready.