They’re the four letters that have plagued everyone’s email inboxes for weeks.
GDPR, the General Data Protection Regulation, came into force on Friday to give the public more rights over how their personal information is used and stored.
For millions, the past few weeks have been both a blessing and a curse.
A blessing because many people have discovered just how many email subscriber lists they will no longer be signed up to.
A curse in that it has taken a blizzard of messages – “Here at XYZ Corp, we really value your privacy...” – to get to this point.
But for the UK’s political parties, the temporary headache of clogged inboxes is nothing compared to the months of organisational migraines that GDPR has generated.
Ranks of lawyers, expensive data consultants and huge internal staff teams have been marshalled amid fears that the fines for non-compliance with the law – 4% of “turnover” or 20 million euros – could cripple their elections and campaigning plans.
With data wars as important to winning votes as the old billboard and party broadcast tactics, the stakes are high. Companies may be worried about losing customers to the changes, but some politicians are even more anxious about losing potential voters.
As the biggest political party in Europe, with more than half a million members, Labour has more to lose than most if their data is not properly protected.
But the party has some seven million people on its overall database too, including those who are not members but have expressed support or interest in its campaigns in the past.
It’s no wonder that days before the GDPR changes, Labour even invoked Jeremy Corbyn’s own birthday to ask people to give their “re-permission” or explicit “consent” to receive emails and campaign information.
On the eve of the big deadline, the tone was even more urgent from Labour as it declared “today’s the final day” in a missive titled “The Last Email”.
The anxiety stems from the fact that, despite social media and other tools grabbing more attention, email remains a great way for parties to spread a message, raise funds and organise on the ground.
One Labour insider explains why it matters. “You don’t have to re-consent everybody that’s absolute nonsense. But you do have to be able to prove that you do have that consent and when they consented. The big problem is they may have got consent at some point but they haven’t kept a record,” they said.
Labour, like all the parties, has a statutory right to names and addresses on the electoral register. But its market team has a wider marketing list of email addresses which has been built up over years. The older data may not have explicit consent and needs it now.
“Our database is seven million, I think we will lose a couple of million off that,” one senior insider reveals. “But I think that’s actually a good thing. What’s the point having two million people who aren’t interested in what you want to send them?”
The party’s techniques to secure compliance with the law are not always as straightforward as all those begging emails, however.
One of Ed Miliband’s big successes in his otherwise underwhelming election campaign in 2015 was the “NHS Baby” website.
In return for a personal email address and date of birth, the site offered the public a chance to find out which number baby they were out of 44 million babies born since 1948. It turned into the most clicked-on campaign in Labour history.
The party decided to re-run the campaign a couple of weeks ago, and again it was successful in being shared on Facebook. But there was a difference this time – the party had made it GDPR-compliant, including consents not included in 2015.
“The only reason we are running it again now is so that everyone who clicked on it is reconsenting because the wording is all properly there,” a party source confessed. “It’s just a massive reconsenting operation disguised as a successful campaign. It’s all legal, it’s just about getting those people to click.”
Yet one GDPR expert for the party stressed that email consents were in fact just “a small part” of the work that had been done. “That’s the headline-grabbing bit, but the bigger stuff is things like looking at all the companies we work with, like those who print our posters and our material.
“If we send a direct mailshot to a printer, we are giving them huge amounts of data and we have to make sure safeguards are in place.”
As a result, the party has been devoting lots of time and effort to things called Privacy Impact Assessments, conducted every time it transferred databases within the party or to a contractor.
“We identified well over a hundred different organisations that use our data for various different reasons, it’s about making sure contracts are in place with them. It’s a huge job and it’s taken well over a year.
“No organisation will be fully ready for GDPR on the 25. But the important thing is to prove you’ve not been negligent and have a plan. If, say, we haven’t provided locked cupboards in our Yorkshire office for documents to be stored, we have to show we have a plan to buy cupboards and to deliver them on a certain date.”
Labour has been using a firm of specialists called Evolve North, based in Newcastle, which includes a team of lawyers.
Yet although outside experts are not cheap, the real cost is in staff time and resources. Across the country, 16 party staff were working on GDPR, covering everything from computer server security to contractual language.
It also appointed a full-time data protection officer and Andrew Whyte, a former Electoral Commission official, was taken on as head of external governance.
GDPR was a “red” item on Labour’s internal Risk Register because it was classified as “the most severe” risk facing the party. “Any organisation would be stupid not to treat it like that. That’s just good governance,” a source said.
A Labour spokesperson said: “The Labour Party takes the management of people’s personal data extremely seriously. The General Data Protection Regulation is an important new piece of European law which Labour MEPs helped design, and we have been preparing for this for some time.
“Obviously it’s a huge piece of new legislation, there’s lots of new requirements, and Labour has been working hard towards compliance across the organisation for a long time. Through the work we’ve undertaken and the training we’re delivering, we are demonstrating a clear commitment to the new data protection framework brought in by GDPR and the new Data Protection Act.”
Of course, Corbyn relies not just on Labour but on the grassroots group Momentum to campaign for him and his policies. Have they been as diligent as the party in preparing for GDPR?
Momentum chiefs say they have, and say that “re-consent” emails have been sent to their 40,000 plus members. Some question whether the group has the expertise to cope with the technicalities of the law. “The bigger problem for them is the Labour party rulebook acts as a contract between it and its members,” one party source says. “Does Momentum have such a strong contractual relationship? It depends how their terms and conditions are set out.”
But a Momentum spokesperson insisted the appropriate groundwork had been done. “Over the past few months Momentum has made extensive efforts to ensure the organisation is GDPR compliant. We have consulted with experts in the field who have reviewed our policies and methods of data retention, and we are confident that Momentum is operating within the new regulations.
“Momentum’s extensive preparation means becoming GDPR compliant will have a negligible impact on our campaigning abilities, and we welcome the regulation as a positive advance for the data rights of European citizens.”
Smaller parties, with nowhere near as much cash as the big two, have their own priorities on GDPR. The Liberal Democrats, who have had GDPR Project Manager Sanjay Samani in post since last October, have followed Labour’s lead in sending out re-consenting emails.
The party hired data specialists Gemserv and lawyers Simons Muirhead and Burton to work on its preparations. “The main thing we’ve noticed is that companies have just ratcheted up the cost of services that they say now have to be ‘GDPR compliant’,” one Lib Dem source said. “That’s the biggest impact for us.”
With lots of money to be potentially made, and some “advisers” seen as “snake oil salesmen” by politicians, some experts in the field believe that many commercial firms have been panicked into sending out unnecessary “re-consenting” emails.
That’s why some companies, and parties, prefer not to ask for fresh permission but simply to send an email pointing to a privacy policy that is GDPR-compliant.
Emails promoting political parties are classed as a direct marketing email by the Information Commissioner.
Jon Baines, Data Protection Advisor at Mishcon de Reya, points out that such emails are governed primarily not by GDPR, or the Data Protection Act, but by the rather more obscure Privacy and Electronic Communications (EC Directive) Regulations 2003 [PECR].
These mean that a political party cannot send a direct marketing email to an “individual subscriber” - someone using a private email address, as opposed to a work one - unless the recipient has given consent.
This has been the law since 2003, and the Information Commissioner has previously taken action (as far back as 2006, against the Scottish National Party) against parties for breaching the rules, Baines says.
“Although GDPR slightly alters what is meant by ‘consent’, in a lot of cases these emails are unnecessary – if a political party has got the recipient’s consent already, they shouldn’t need to ask for it again,” Baines adds.
But there’s a twist. “If they don’t have the recipient’s consent, the sending of an email asking for consent is in itself a direct marketing email. In the past, the Information Commissioner has fined organisations for sending emails seeking consent to marketing to people who hadn’t already consented.”
Japanese car firm Honda ran into trouble on this last year. An ICO investigation into Honda Motor Europe Ltd revealed the car company had sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing.
The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR.
Baines concludes: “In more general terms, GDPR does not change the fundamental principles of data protection law: that personal data should be handled fairly, transparently and securely, and that it should be accurate, adequate and not held for longer than is necessary.”
Craig Elder, the mastermind behind the Tory digital strategy that delivered David Cameron’s 2015 election victory, now runs the digital consultancy Edmonds Elder. He singles out email as the key area that parties ought to focus on.
“What would concern me most if I was still working at a political party now would be their email list.
“In the 2015 election we [The Conservatives] had around 1.5 million email addresses, which had been built up over many years from a variety of sources. From what I saw of their work from the other side, Labour will likely be much the same.
“So I’d say the main concern for the big political parties, with these hefty email lists, would be how are they going to be able to go on using them?”
But while Labour and the Lib Dems have been busy sending out emails asking for consent, the Conservatives have not.
One Tory, who did not want to go on record, said that the Conservatives’ decision not to send re-permissioning emails “makes me think they must think they are exempt”.
“They are conspicuous by their absence in terms of sending out GDPR re-permissioning emails.
“I’ve got GDPR emails from everybody else, from the makers of my car through to my energy supplier, Amazon, Facebook, everybody I’ve had some kind of online transaction with. The party isn’t doing that and there has to be a reason why.”
The Tories finally issued their own, single GDPR email alert on Thursday night just hours before the deadline. The tone was markedly different from Labour’s.
A Conservative spokesman said: “We are GDPR compliant, publishing an updated privacy notice and sending a message to all our current subscribers about that.”
A party source confirmed to HuffPost UK that unlike many organisations it felt it already had the correct permissions, and so would not be seeking fresh consent. Its emails always offer a way to unsubscribe too.
Elder says that a lot of organisations “are going to be just fine” because they know exactly where every email on their list came from, and can be confident the subscriber has given consent for ongoing communications.
“But there are also others who will be less sure. And when they’re asked by their compliance team ‘can you absolutely guarantee where you got this email from, when it was added to your list and that you’ve definitely got consent?’ they’ll be giving a vague answer, which will almost always lead to a lawyer saying you’ll need to re-permission huge chunks of, if not the whole list.”
There’s another area of debate on GDPR and political parties: just what impact the new rules will have on their use of external data sources like Facebook and marketing firm Experian, which can work out detailed shopping preferences of individuals.
“We will at times have got versions of the electoral register and have added to that all the analytics and profiles we have on you, with Mosaic consumer data too,” a Labour source says.
“If you’d asked me a few months ago if this was a problem, I’d have said no,” said one Tory expert, who preferred not to be named. “But now, it looks to me like Facebook didn’t fully consider the impact of the legislation because they quite hurriedly and unexpectedly turned off some of their options.”
On the whole, however, few in the political parties fear that GDPR will adversely affect their targeting and marketing data strategies.
What they are waiting for in June is the report due from the Information Commissioner’s investigation into data analytics for political purposes.
Opened in 2017, the complex and far-reaching investigation involves more than 30 organisations including political parties and campaigns, data companies – such as AggregateIQ – and social media platforms.
Although UKIP and some others have refused to take part in the investigation, the bigger parties have spent time with lawyers in providing information. Dubbed “Operation Cederberg”, the probe has seen staff from the main parties subjected to taped, three-hour interviews on their data compliance.
In a statement, the Information Commissioner’s Office (ICO) merely said that “the guidance on our website covers all organisations, including political parties”. But the watchdog has given updated advice on political campaigning in recent months.
Yet even after the deadline of Friday May 25 is finally passed, the political parties’ worries about data usage may only just be starting.
The issue that terrifies many of them is the way GDPR makes it much easier for individuals to submit “Subject Access Requests” to parties.
Under the law, people can demand a company tells them every bit of data it holds on their name. At present a £10 fee is charged and the wait period is 40 days. But GDPR scraps the fee and cuts the wait time to 30 days.
One party data expert says the consequences are worrying. “My biggest fear frankly is post the 25, when the £10 fee for Subject Access Requests (SAR) is gone, is we may see a whole load of people basically weaponising GDPR in order to make malicious access requests.”
It can take weeks of work to compile such data, because of the need to laboriously remove and redact the private details of other people in receipt of the data.
Labour in particular is worried. It has unhappy memories of when Tory peer Lord Ashcroft submitted requests about his own data just before the 2010 general election. Whole teams of Labour staff had to compile a vast data release at the time.
And for all the sang-froid of their own refusal to panic over the email issue, some Tories too are much more worried about the threat of damaging access requests.
“I’m really worried political parties are going to face a weaponised use of that by campaigners and activists,” one party expert says. “If you want to screw a political party, get 100 people to send in an SAR on the same day.”
So while those emails may stop, GDPR won’t. And neither may the panic it engenders in our political parties.