The ICO’s audit of major political parties in the UK has revealed significant failings and a lack of compliance with data protection rules. After concerns were raised in 2018, the audit was launched to shed light on how political parties in the UK handle voters’ information.
The political parties audited for the report include the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party (SNP), Plaid Cymru, the United Kingdom Independence Party (UKIP) and the Democratic Unionist Party (DUP).
The ability of political campaigns to send targeted messages to different audiences has proved instrumental over the years. In 2008, the Obama campaign changed the landscape of how social media and micro-targeting were used to influence elections. By 2016, during Trump’s election, the use of social media to target specific voting groups would prove crucial.
However, scandals such as Cambridge Analytica have shown a lack of transparency and accountability for intrusive data profiling. In early 2018, it was revealed that Cambridge Analytica harvested the personal data of 87 million Facebook users without their consent for political advertising. Following an investigation in the UK, Facebook agreed to pay a £500,000 fine to the ICO for not doing enough to protect people’s data.
A year later in 2019, the prospective prime minister’s ‘Back Boris’ campaign team was accused of breaching GDPR through its campaign activities. More recently, the Labour Party also faced an investigation over misuse of membership data during its leadership contest.
All of these examples point to a widespread issue, globally and within the UK, in how voter information is handled. In an environment that lacks transparency, it’s safe to say most voters are unaware of how their personal data is used.
According to the ICO,
Developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used.
The ICO’s report highlights the following significant failings from political parties:
- Use of privacy notices that don’t meet the required levels of transparency.
- Not all data is being processed on an appropriate lawful basis.
- There is a lack of transparency on how data is being combined from different sources to profile voters.
- Parties are not ensuring that third-party processors or data suppliers are complying with data regulation, e.g. legally obtaining people’s data.
The ICO hasn’t taken enforcement action yet but has issued recommendations for all political parties to put in place.
Based on the audit findings, the seven major political parties in the UK must:
- Provide the public with clear information from the outset about how their data will be used.
- Conduct a review to establish who personal data is shared with and for how long.
- Inform people when intrusive profiling is used. For example, combining information from different sources to create a profile on voting characteristics and interests.
- Be transparent on how personal data is used to target individuals on social media platforms.
- Demonstrate how they meet data protection obligations by reviewing policies, procedures and contracts.
- Carry out checks on third-party suppliers and processors of personal data. Third-party vendors must meet the transparency and accountability standards of the data protection regulation.
- Establish what personal data they hold and where it’s stored. Undertake an information audit/data mapping exercise.
- Document findings.
A further review will be carried out by the ICO later this year to monitor progress.
All political parties must use personal information in ways that are transparent, understood by people and lawful, if they are to retain the trust and confidence of the electorates. – Elizabeth Denham
You can read the full report here.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and have received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.