If you are processing personal data as part of your political campaigning activities, you will need to comply with the UK General Data Protection Regulation (UK GDPR).
Personal data includes, but is not limited to, names and addresses from the electoral register, the marked register and of your members. It also includes any information an individual has provided to you or any information you infer about individuals.
If you contact individuals to promote a political view or to otherwise influence them, this is considered direct marketing, which is also regulated by UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Direct marketing includes contact by:
- text or similar message;
- voicemail; and
- phone or automated calls.
How can I understand more about data protection and electronic marketing law?
If you are new to data protection law, it is important to first read our Guide to Data Protection. This gives an introduction to the rights and obligations under the UK GDPR and Data Protection Act 2018.
We have also produced comprehensive guidance specifically for political campaigners on how to comply.
What are my main obligations?
Campaigners who process personal data have a number of obligations. In particular:
- You must tell individuals how you use their personal data. This includes data you received directly from the individual and from third parties. You must explain how you are using the data in a clear, accessible and transparent way.
- You must be able to demonstrate your compliance with the law. This includes being able to provide a full record of how personal data has been obtained and is being processed. You must also be able to demonstrate the compliance of any third party organisation that processes personal data on your behalf.
- Campaigners often obtain personal data, including inferred data, from third party data brokers for election or campaigning purposes eg to target messaging at a particular audience. However, before using the data in this way, you must carry out full due diligence to ensure the data has been obtained lawfully. Individuals must be aware of how their data will be used and which organisations it will be shared with.
- If you are relying on the lawful basis of consent to send political messaging through electronic communications, you must ensure you have the appropriate records of consent from the individual.
- If you process special category data, such as political opinions, health or ethnicity, you must identify both the lawful basis for processing and the condition for processing. These must both be documented.
- If you intend to provide personal data to third party organisations, such as social media platforms, for marketing purposes, you must make sure individuals are informed that their personal data will be processed in this way. You must also satisfy a lawful basis under Article 6 of the General Data Protection Regulation.
- The collection and use of data from online campaigning platforms and publicly available sources must comply with data protection law. Any use of these platforms should have been assessed in a Data Protection Impact Assessment.
Other useful resources
We have further guidance for elected representatives about their day to day data protection obligations.
Be data aware
We have a range of guidance for members of the public about how political campaigners may use their data to target them with online messages. This includes a downloadable animation that parties can use to help inform individuals.
Paying the data protection fee
On 1 April 2019, the rules around paying the data protection fee changed. Members of the House of Lords, elected representatives and prospective representatives (including police and crime commissioners) are exempt from paying a fee, unless they process personal data for purposes other than the exercise of their functions as a Member of the House of Lords, an elected representative or as a prospective representative. For more information, read our guidance on the data protection fee.