New Epolitics.com contributor! Brendan Finucane is CEO of Ecanvasser, a political campaign technology company based in Ireland. For more on data protection in Europe, see Yussi Pick’s earlier piece on the death of safe harbor.
Imagine a scenario in which you needed to have a confirmed, double opt-in from a voter to hold any information about that person. Imagine having to go to a voter face-to-face, get an e-signature from that person allowing you to hold information about him or her and then having to follow up that contact with an email confirmation from them that they agreed to this. Hold onto your hats, people: this is the situation coming to political parties and candidates in the EU in May 2018.
The General Data Protection Regulation (GDPR) takes effect next year and applies to any organization, anywhere in the world, that is holding data on EU citizens. The fines that can be incurred are up to 4% of global revenue or €20 million. The global reach of this legislation (similar to CAN-SPAM for email deliverability) is going to be huge. A recent survey of US companies found that 52% of them expected to be fined for non-compliance.
For US companies like political consultancies or public affairs firms that wish to work in Europe, this legislation is going to be a key challenge in the coming 12 months. Not only will these firms need to put systems in place to ensure compliance, but they will also need to hold that data on European servers and have a European partner working with them. In addition, they will need to employ some sort of cloud database system and opt-in protocols around voter contact. Bottom line: any US companies that have not yet started taking GDPR seriously will need to do so soon.
This legislation covers the obligations on all organizations that hold data on citizens, whether they are customers or voters. From a political industry perspective in Europe, though, this new legislation isn’t quite as shocking as it might be to a US candidate or party. Many countries, including Germany and Denmark, already have very strong data protection laws that govern what types of data might be held. There is also a good appreciation of the type of local party infrastructure that would be required to meet the challenges of GDPR. It is not ridiculous to suggest to a European party that it meet its existing database of voters face-to-face in advance of May next year to at least attempt to get a double opt-in. Of course, if the opt-in is not achieved, then the existing data that they hold could be anonymized to ensure that the individual cannot be identified by said data. In this way, much of the value of the data is maintained but at minimal cost to the data controller.
GDPR is considered to be one of the most important pieces of data privacy legislation in recent times, and it will have far-reaching impacts beyond the EU. Meeting the challenge of these added obligations on political parties will be one of the main talking points in European politics this year and next. As of yet, GDPR hasn’t penetrated the wider consciousness, but this is changing fast. The scale of the challenge is reflected in the fact that over 22,000 new Data Protection Officer roles are expected to be filled in the coming months.
The key takeaway for the political establishment is about understanding the main points of the legislation and one’s obligations in relation to it. This takeaway also needs to be understood by any US companies hoping to do work in Europe in the coming years. In a broader sense, GDPR is a harbinger of the future, a future where voter data will not be so easily bought and sold, and one where grassroots infrastructures will need to be properly resourced in order to support large political organizations.