They’re the four letters that have plagued everyone’s email inboxes for weeks.
GDPR, the General Data Protection Regulation, came into force on Friday to give the public more rights over how their personal information is used and stored.
For millions, the past few weeks have been both a blessing and a curse.
A blessing because many people have discovered just how many email subscriber lists they will no longer be signed up to.
A curse in that it has taken a blizzard of messages – ‘Here at XYZ Corp, we really value your privacy...’ - to get to this point.
But for the UK’s political parties, the temporary headache of clogged inboxes is nothing compared to the months of organisational migraines that GDPR has generated.
Ranks of lawyers, expensive data consultants and huge internal staff teams have been marshalled amid fears that the fines for non-compliance with the law – 4% of ‘turnover’ or 20 million euros – could cripple their elections and campaigning plans.
With data wars as important to winning votes as the old billboard and party broadcast tactics, the stakes are high. Companies may be worried about losing customers to the changes, but some politicians are even more anxious about losing potential voters.
As the biggest political party in Europe, with more than half a million members, Labour has more to lose than most if their data is not properly protected.
But the party has some seven million people on its overall database too, including those who are not members but have expressed support or interest in its campaigns in the past.
It’s no wonder that days before the GDPR changes, Labour even invoked Jeremy Corbyn’s own birthday to ask people to give their ‘re-permission’ or explicit ‘consent’ to receive emails and campaign information.
On the eve of the big deadline, the tone was even more urgent from Labour as it declared ‘today’s the final day’ in a missive titled ‘The Last Email’.
The anxiety stems from the fact that, despite social media and other tools grabbing more attention, email remains a great way for parties to spread a message, raise funds and organise on the ground.
One Labour insider explains why it matters. “You don’t have to re-consent everybody that’s absolute nonsense. But you do have to be able to prove that you do have that consent and when they consented. The big problem is they may have got consent at some point but they haven’t kept a record,” they said.
Labour, like all the parties, has a statutory right to names and addresses on the electoral register. But its market team has a wider marketing list of email addresses which has been built up over years. The older data may not have explicit consent and needs it now.
“Our database is seven million, I think we will lose a couple of million off that,” one senior insider reveals. “But I think that’s actually a good thing. What’s the point having two million people who aren’t interested in what you want to send them?”
The party’s techniques to secure compliance with the law are not always as straightforward as all those begging emails, however.
One of Ed Miliband’s big successes in his otherwise underwhelming election campaign in 2015 was the ‘NHS Baby’ website.
In return for a personal email address and date of birth, the site offered the public a chance to find out which number baby they were out of 44 million babies born since 1948. It turned into the most clicked-on campaign in Labour history.
The party decided to re-run the campaign a couple of weeks ago, and again it was successful in being shared on Facebook. But there was a difference this time – the party had made it GDPR-compliant, including consents not included in 2015.
“The only reason we are running it again now is so that everyone who clicked on it is reconsenting because the wording is all properly there,” a party source confessed. “It’s just a massive reconsenting operation disguised as a successful campaign. It’s all legal, it’s just about getting those people to click.”
Yet one GDPR expert for the party stressed that email consents were in fact just “a small part” of the work that had been done. “That’s the headline-grabbing bit, but the bigger stuff is things like looking at all the companies we work with, like those who print our posters and our material.
“If we send a direct mailshot to a printer, we are giving them huge amounts of data and we have to make sure safeguards are in place.”
As a result, the party has been devoting lots of time and effort to things called Privacy Impact Assessments, conducted every time it transferred databases within the party or to a contractor.
“We identified well over a hundred different organisations that use our data for various different reasons, it’s about making sure contracts are in place with them. It’s a huge job and it’s taken well over a year.
“No organisation will be fully ready for GDPR on the 25. But the important thing is to prove you’ve not been negligent and have a plan. If, say, we haven’t provided locked cupboards in our Yorkshire office for documents to be stored, we have to show we have a plan to buy cupboards and to deliver them on a certain date.”
Labour has been using a firm of specialists called Evolve North, based in Newcastle, which includes a team of lawyers.
Yet although outside experts are not cheap, the real cost is in staff time and resources. Across the country, 16 party staff were working on GDPR, covering everything from computer server security to contractual language.
It also appointed a full-time data protection officer and Andrew Whyte, a former Electoral Commission official, was taken on as head of external governance.
GDPR was a ‘red’ item on Labour’s internal Risk Register because it was classified as “the most severe” risk facing the party. “Any organisation would be stupid not to treat it like that. That’s just good governance,” a source said.
A Labour spokesperson said: “The Labour Party takes the management of people’s personal data extremely seriously. The General Data Protection Regulation is an important new piece of European law which Labour MEPs helped design, and we have been preparing for this for some time.
“Obviously it’s a huge piece of new legislation, there’s lots of new requirements, and Labour has been working hard towards compliance across the organisation for a long time. Through the work we’ve undertaken and the training we’re delivering, we are demonstrating a clear commitment to the new data protection framework brought in by GDPR and the new Data Protection Act.”
Of course, Corbyn relies not just on Labour but on the grassroots group Momentum to campaign for him and his policies. Have they been as diligent as the party in preparing for GDPR?
Momentum chiefs say they have, and say that ‘re-consent’ emails have been sent to their 40,000 plus members. Some question whether the group has the expertise to cope with the technicalities of the law. “The bigger problem for them is the Labour party rulebook acts as a contract between it and its members,” one party source says. “Does Momentum have such a strong contractual relationship? It depends how their terms and conditions are set out.”
But a Momentum spokesperson insisted the appropriate groundwork had been done. “Over the past few months Momentum has made extensive efforts to ensure the organisation is GDPR compliant. We have consulted with experts in the field who have reviewed our policies and methods of data retention, and we are confident that Momentum is operating within the new regulations.
“Momentum’s extensive preparation means becoming GDPR compliant will have a negligible impact on our campaigning abilities, and we welcome the regulation as a positive advance for the data rights of European citizens.”
Smaller parties, with nowhere near as much cash as the big two, have their own priorities on GDPR. The Liberal Democrats, who have had GDPR Project Manager Sanjay Samani in post since last October, have followed Labour’s lead in sending out re-consenting emails.
The party hired data specialists Gemserv and lawyers Simons Muirhead and Burton to work on its preparations. “The main thing we’ve noticed is that companies have just ratcheted up the cost of services that they say now have to be ‘GDPR compliant’,” one Lib Dem source said. “That’s the biggest impact for us.”
With lots of money to be potentially made, and some ‘advisers’ seen as ‘snake oil salesmen’ by politicians, some experts in the field believe that many commercial firms have been panicked into sending out unnecessary ‘re-consenting’ emails.
That’s why some companies, and parties, prefer not to ask for fresh permission but simply to send an email pointing to a privacy policy that is GDPR-compliant.
Emails promoting political parties are classed as a direct marketing email by the Information Commissioner.
Jon Baines, Data Protection Advisor at Mishcon de Reya, points out that such emails are governed primarily not by GDPR, or the Data Protection Act, but by the rather more obscure Privacy and Electronic Communications (EC Directive) Regulations 2003 [PECR].
These mean that a political party cannot send a direct marketing email to an ‘individual subscriber’ - someone using a private email address, as opposed to a work one - unless the recipient has given consent.
This has been the law since 2003, and the Information Commissioner has previously take action (as far back as 2006, against the Scottish National Party) against parties for breaching the rules, Baines says.
“Although GDPR slightly alters what is meant by “consent”, in a lot of cases these emails are unnecessary – if a political party has got the recipient’s consent already, they shouldn’t need to ask for it again,” Baines adds.
But there’s a twist. “If they don’t have the recipient’s consent, the sending of an email asking for consent is in itself a direct marketing email. In the past, the Information Commissioner has fined organisations for sending emails seeking consent to marketing to people who hadn’t already consented.”
Japanese car firm Honda ran into trouble on this last year. An ICO investigation into Honda Motor Europe Ltd revealed the car company had sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing.
The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR.
Baines concludes: “In more general terms, GDPR does not change the fundamental principles of data protection law: that personal data should be handled fairly, transparently and securely, and that it should be accurate, adequate and not held for longer than is necessary.”
Craig Elder, the mastermind behind the Tory digital strategy that delivered David Cameron’s 2015 election victory, now runs the digital consultancy Edmonds Elder. He singles out email as the key area that parties ought to focus on.
“What would concern me most if I was still working at a political party now would be their email list.
“In the 2015 election we [The Conservatives] had around 1.5 million email addresses, which had been built up over many years from a variety of sources. From what I saw of their work from the other side, Labour will likely be much the same.
“So I’d say the main concern for the big political parties, with these hefty email lists, would be how are they going to be able to go on using them?”
But while Labour and the Lib Dems have been busy sending out emails asking for consent, the Conservatives have not.
One Tory, who did not want to go on record, said that the Conservatives decision not to send re-permissioning emails “makes me think they must think they are exempt”.
“They are conspicuous by their absence in terms of sending out GDPR re-permissioning emails.
“I’ve got GDPR emails from everybody else, from the makers of my car through to my energy supplier, Amazon, Facebook, everybody I’ve had some kind of online transaction with. The party isn’t doing that and there has to be a reason why.”
The Tories finally issued their own, single GDPR email alert on Thursday night just hours before the deadline. The tone was markedly different from Labour’s.
A Conservative spokesman said: “We are GDPR compliant, publishing an updated privacy notice and sending a message to all our current subscribers about that.”
A party source confirmed to HuffPost UK that unlike many organisations it felt it already had the correct permissions, and so would not be seeking fresh consent. Its emails always offer a way to unsubscribe too.
Elder says that a lot of organisations “are going to be just fine” because they know exactly where every email on their list came from, and can be confident the subscriber has given consent for ongoing communications.
“But there are also others who will be less sure. And when they’re asked by their compliance team ‘can you absolutely guarantee where you got this email from, when it was added to your list and that you’ve definitely got consent?’ they’ll be giving a vague answer, which will almost always lead to a lawyer saying you’ll need to re-permission huge chunks of, if not the whole list.”
There’s another area of debate on GDPR and political parties: just what impact the new rules will have on their use of external data sources like Facebook and marketing firm Experian, which can work out detailed shopping preferences of individuals.
“We will at times have got versions of the electoral register and have added to that all the analytics and profiles we have on you, with Mosaic consumer data too,” a Labour source says.
“If you’d asked me a few months ago if this was a problem, I’d have said no,” said one Tory expert, who preferred not to be named. “But now, it looks to me like Facebook didn’t fully consider the impact of the legislation because they quite hurriedly and unexpectedly turned off some of their options.”
On the whole, however, few in the political parties fear that GDPR will adversely affect their targeting and marketing data strategies.
What they are waiting for in June is the report due from the Information Commissioner’s investigation into data analytics for political purposes.
Opened in 2017, the complex and far-reaching investigation involves more than 30 organisations including political parties and campaigns, data companies – such as AggregateIQ - and social media platforms.
Although UKIP and some others have refused to take part in the investigation, the bigger parties have spent time with lawyers in providing information. Dubbed ‘Operation Cederberg’, the probe has seen staff from the main parties subjected to taped, three-hour interviews on their data compliance.
In a statement, the Information Commissioner’s Office (ICO) merely said that “the guidance on our website covers all organisations, including political parties”. But the watchdog has given updated advice on political campaigning in recent months.
Yet even after the deadline of Friday May 25 is finally passed, the political parties’ worries about data usage may only just be starting.
The issue that terrifies many of them is the way GDPR makes it much easier for individuals to submit ‘Subject Access Requests’ to parties.
Under the law, people can demand a company tells them every bit of data it holds on their name. At present a £10 fee is charged and the wait period is 40 days. But GDPR scraps the fee and cuts the wait time to 30 days.
One party data expert says the consequences are worrying. “My biggest fear frankly is post the 25, when the £10 fee for Subject Access Requests (SAR) is gone, is we may see a whole load of people basically weaponising GDPR in order to make malicious access requests.”
It can take weeks of work to compile such data, because of the need to laboriously remove and redact the private details of other people in receipt of the data.
Labour in particular is worried. It has unhappy memories of when Tory peer Lord Ashcroft submitted requests about his own data just before the 2010 general election. Whole teams of Labour staff had to compile a vast data release at the time.
And for all the sang-froid of their own refusal to panic over the email issue, some Tories too are much more worried about the threat of damaging access requests.
“I’m really worried political parties are going to face a weaponised use of that by campaigners and activists,” one party expert says. “If you want to screw a political party, get 100 people to send in an SAR on the same day.”
So while those emails may stop, GDPR won’t. And neither may the panic it engenders in our political parties.