At a glance
- Accountability is one of the most important data protection principles. It is not a one-off exercise. It means taking responsibility for complying and demonstrating compliance with the UK GDPR.
- Being accountable can help you to build and retain trust with voters and may help you mitigate enforcement action from the ICO.
- There are a number of ways to demonstrate accountability, including embedding “data protection by design” principles from the outset of a product or service and undertaking Data Protection Impact Assessments (DPIAs).
In more detail
- What does accountability mean in practice?
- What is data protection by design and default?
- What are data protection impact assessments (DPIAs)?
- When must we carry out DPIAs?
One of the most significant principles of the UK GDPR is accountability.
There are two key elements to this. First, the accountability principle makes it clear that you are responsible for complying with the UK GDPR. Second, you must be able to demonstrate your compliance.
Taking responsibility for what you do with personal data, and demonstrating the steps you have taken to protect people’s rights, not only results in better legal compliance but is a real opportunity for you to show, and prove, how you respect people’s privacy. This can help you to develop and sustain people’s trust and confidence, in turn helping to underline the legitimacy of your political messages.
Furthermore, if something does go wrong, being able to show that you actively considered the risks and put in place measures and safeguards can help mitigate any potential enforcement action. If you can’t show good data protection practices, it may leave you open to fines and reputational damage.
Accountability is not a box-ticking or one-off exercise. Being responsible for compliance with the UK GDPR means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply. To be effective you must sustain this over time and embed and maintain a data protection management programme. It also requires leadership from the top of your organisation.
You need to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights. This means you must consider data protection and privacy issues upfront in everything that you do. You should also report regularly at Board level and assess the effectiveness of your accountability programme.
There are a number of measures that you can, and in some cases must, take to comply with the accountability principle, including:
- adopt and implement data protection policies;
- put written contracts in place with contractors and data processors;
- maintain documentation of your processing activities;
- employ a data protection officer;
- train your staff and volunteers; and
- implement appropriate security measures.
See our Guide to UK GDPR for further information on these.
Some measures of particular importance to processing for political campaigning purposes are discussed in more detail below.
Data protection by design and default is an integral element of being accountable. It is about embedding data protection into everything you do, throughout all your processing operations.
You must put in place appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights.
There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. However, there are some key times when it is particularly important to consider this obligation, including when you are:
- implementing a new campaigning contact or membership database;
- starting a new significant campaign;
- changing methods or systems (eg changing from canvassing by paper to mobile applications);
- considering collecting or procuring new data sources and types of data; or
- considering the use of new advertising platforms.
The key is that you consider data protection issues from the start of any processing activity, and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.
Consider the differing approaches below.
Mr Matthews and Ms Ali both decide to campaign in their local town. Ms Ali is concerned that there aren’t enough car parking spaces in the town centre whereas Mr Matthews wants to see the number of car parking spaces reduced to encourage workers in the area to use public transport.
Both decide to send petitions to their local council. They collect names and addresses of individuals for this purpose. They both know they need to comply with the UK GDPR.
Mr Matthews decides to focus on the effectiveness of his campaign messages first and to consider how he complies with the UK GDPR as he goes along.
Ms Ali decides to take a ‘data protection by design and by default’ approach and fully considers the data protection principles, thinking carefully about her purposes and what individuals would reasonably expect.
A few months later, boosted by the popularity of their respective campaigns, both Ms Ali and Mr Matthews decide to stand as independent candidates in their local election. They both want to send letters to the individuals who signed their petitions to encourage them to turn out and vote for them.
Mr Matthews finds that doing this would likely breach data protection law. The privacy information he provided on collection was inappropriate and his specified retention period has expired. He does not send the letters.
Ms Ali’s privacy by design and default approach means that she had considered the principles and data protection risks from the outset. She provided appropriate privacy information, specified that her purposes included direct marketing, and communicated an appropriate retention period based on what was necessary for her purposes. She decides to send the letters. This is likely to comply with data protection law and gives a boost to her campaign.
Carrying out Data Protection Impact Assessments (DPIAs) is another important way to comply with the accountability principle.
A DPIA helps you to systematically and comprehensively analyse your processing and identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material. This is an important factor to consider in political campaigning.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
DPIAs are a legal requirement for processing that is likely to be high risk. This means you need to assess your risk when deciding to carry out any new processing. If the risk from the processing is likely to be high then you need to carry out a full DPIA.
There are various circumstances where you must carry out a DPIA. Those of most relevance to processing for political campaigning purposes include:
- using systematic and extensive profiling with significant effects (see section on restricted profiling);
- processing special category data on a large scale (see special category data section);
- using innovative technology;
- profiling individuals on a large scale;
- matching data or combining datasets from different sources;
- collecting personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’); or
- tracking individuals’ location or behaviour.
Many political parties and campaign groups are required to carry out DPIAs for various aspects of their campaigning.
You should consider carrying out a DPIA even when you are not legally required to. An effective DPIA can bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and build trust and engagement with individuals.