For most practical purposes regarding marketing, political parties are grouped and treated similarly to non-profit organisations. Most of the provisions apply to both.
A derogation has been made for processing of sensitive data. Since political affiliation is considered as a special category of personal data (along with trade union affiliation and religious beliefs, to name a few), political parties are allowed to process it as long as the data concerns their members only.
They are not, however, allowed to disclose this information to the general public unless the individual has made it public themselves, such as by posting on social media or appearing at a political rally. In that case, the information is considered to be ‘sufficiently’ public and is no longer afforded the usual set of protections.
No Promotion During Surveying
Recital 56 of the GDPR deals with political surveying. It is allowed as long as the personal data is sufficiently anonymised. The processing is in this case based on the grounds of public interest. Other rules are the same as those that apply to market research. Direct marketing rules do not apply to such surveys, but under no circumstances can your communications contain political promotional messages or be used to filter potential supporters and bombard them with promotional material afterwards. Data should be anonymised or pseudonymised whenever possible; if it is not, you must notify the individual of that.
Political parties are subject to the same requirements and guidelines for processing. Their reporting standards and accountability should be the same as with regular companies. Hiring a data protection officer will therefore prove to be almost mandatory for all larger political parties, since they process so much (sensitive) information.
Data Security Is Crucial
Special attention should be given to data security. Political parties are high-profile targets, and they are considered more at risk from data breaches, cyberattacks, hacks and sabotage from within. Proper access policies and other technical and organisational measures can help curb that risk.
For example, Islington City council was fined GBP 70,000 by the UK regulator ICO for failure to keep personal information safe. Their online parking ticket viewer system had a security flaw that could result in personal information being exposed to unauthorised individuals. Up to 90,000 people were at risk of having their data accessed.
Under the GDPR, political parties face the same risk if their member data is insufficiently secured. However, they will face fines of up to EUR 10 million instead of the smaller sums that are levied today.
The most painful issue that political parties will face under the GDPR is the regulation of political marketing. The regulations will continue to be very tight for non-commercial organisations and political parties. The laws governing these practices have not yet been harmonised, but the general rules are the same.
Regular companies can generally contact their own customers with e-mail offers about their products – even without explicit permission. This is called the ‘soft opt-in’ principle. As long as they do not overdo it, they are not breaking the law. It is reasonably expected that a company will try to sell more of its products; however, it must stop sending promotional e-mails immediately when requested.
Unfortunately, this provision does not apply to charities and political parties. In the UK, they are not allowed to campaign in this way. Sending e-mails to previous donors is considered forbidden, unless explicit permission has been obtained. Germany has an exception for non-profits, but neither country allows for unrestrained political marketing.
Consent Is King
In other words, your political party will have to obtain consent from all individuals to whom you wish to send electronic communication – political marketing. However, this does not apply to company and business e-mail addresses. They are ‘fair game’, but you are still not allowed to spam. The same applies to SMS messaging.
In the UK, phone calls and postal communication are allowed, unless the individual has explicitly asked the party not to contact them, or added their number to the ‘do-not-call’ registers. Posting of personalised letters without explicit opt-ins is not allowed.
In general, use of data analytics for political marketing purposes is not allowed, and several political parties in the UK are currently being investigated for this severe breach of regulations.
Callers are required to identify themselves immediately and cannot mislead the receiver. You must notify individuals of their right to object to further communication and provide a means of doing so free of charge.
Most EU countries observe some form of election silence, where any marketing or discussion of political events and figures on the day of or before the elections is strictly forbidden.
Overall, the rules for political parties are comparable to those afforded to non-profits. This includes a rather strict marketing policy that requires consent in most cases.
Parties should also invest in data security, not only for the sake of the GDPR, but for real, practical reasons. Besides, data breaches result in negative publicity that political parties desperately try to avoid. That is why we expect most of them to appoint or hire an external data protection officer to help them in this regard.