Changes to data protection rules as a result of GDPR
This page explains our understanding of how changes to the data protection requirements affect our interaction with the data provided to us, as well as suggest ways that you may wish to address your own obligations.
This is not intended to be an exhaustive list of the GDPR’s impact on our processes or the processes of those we regulate, and encompasses only personal data that is collected in connection with political finance. Comprehensive advice can be obtained from the Information Commissioner’s Office.
What is the GDPR?
The General Data Protection Regulation (GDPR) came into force in the United Kingdom on 25 May 2018, replacing the Data Protection Act 1998. There is also a Data Protection Bill currently being considered by Parliament which proposes further changes to the data protection regime.
The GDPR broadens data protection requirements and increases penalties for data breaches. Each organisation that collects and/or processes personal data is under an obligation to ensure that they are compliant with the GDPR.
The Electoral Commission has a statutory duty to process certain personal data that is provided to us by those we regulate, in order to ensure that the rules governing spending, donations and loans are complied with. ‘Personal data’ refers to any information relating to an identifiable living individual. ‘Those we regulate’ includes registered political parties, candidates, non-party campaigners and regulated donees. Under the GDPR, the Commission and those we regulate are considered data controllers.
You are required by statute to submit to the Commission complete and accurate statutory returns of financial information that are then required to be published. This information includes personal data you have collected. It will therefore be important for you to carefully consider your responsibilities as a data controller.
- Personal data is only permitted to be processed on one of six ‘lawful bases’. The most likely basis to apply to those we regulate is that processing is necessary to comply with a legal obligation.
- There is an accountability requirement which requires that you are able to demonstrate compliance with your obligations under the GDPR, such as ensuring that personal data is processed lawfully, fairly and in a transparent manner, and that you have in place appropriate technical and organisational measures to comply with the regulations.
- A controller may be required to perform a Data Protection Impact Assessment before processing personal data, which involves considering any risks inherent in processing.
- Data subjects have the right to obtain confirmation from a data controller as to whether their personal data is being processed and for what purpose. A controller must provide a copy of the personal data they hold when this is requested by a data subject.
- There is a mandatory requirement to report any high-risk data breaches to the Information Commissioner’s Office within 72 hours of the breach occurring.
- Financial penalties for breaches of the regulations have increased from a maximum of £500,000 to €20,000,000 or 4% of an organisation’s annual turnover.
- obtaining and publishing relevant data from those we regulate
- investigating cases where rules may have been breached
- responding to queries and Freedom of Information requests
Data provided to us is only used for the purposes for which it was provided and is accessible only to people with the correct authority to view it, in line with our regulatory functions.
In accordance with the GDPR’s move towards transparency in data processing, we have updated our processes to ensure that data subjects are able to access, address, and correct any data we hold about them when this is requested.
We are currently in the process of updating our guidance to take into account the change in law.
When you collect data you should ensure that the person who is the subject of the data is clearly informed as to matters including:
- how you intend to use their data
- how long it will be kept for
- what your lawful basis for collecting this data is
These matters should be expressed as part of a privacy notice that is made available at first point of contact.
You must ensure that you have a lawful basis to process the personal data that you gather.
All new activities will be legally required to incorporate privacy by design, by having data protection processes built into them. You should think about how to achieve this going forward, particularly in reference to projects such as election campaigns. You may need to undertake Data Protection Impact Assessments as part of this.
Some of the information that you collect will be deemed ‘special category’ under the GDPR. This is particularly relevant to information revealing political opinions and requires additional safeguards, details of which are available from the Information Commissioner’s Office.
You may not be required to appoint a designated Data Protection Officer, but it is a good idea to internally appoint someone who will be responsible for your compliance with the GDPR.
The Information Commissioner’s Office has published an extensive guide to the GDPR. They also operate telephone, email and online chat helplines.
You can contact us if you have further questions regarding the relationship between the GDPR, the Electoral Commission and those we regulate.