7 Questions About GDPR with Ecanvasser
The General Data Protection Regulation (GDPR) is, in brief (hold on tight, this may take a while), legislation covering any organization that holds personally identifiable data about EU citizens. It forces these organizations to manage and control this data in a clear and transparent way. From a political or advocacy viewpoint, areas of particular concern would be gaining consent to hold voter data, dealing with mandatory requests for information from voters, and, of course, the reputational damage accruing from data breaches. GDPR is being taken so seriously because the fines for non-compliance run to €20 million or 4% of annual revenue for bigger organizations.
1. What changes to your offering did you have to make to be compliant with GDPR?
We built a privacy compliance dashboard that allows organizations to set the reason why each individual data point is collected. These settings then form the basis of other functionality.
We also had to create an e-signature system on our mobile apps to allow campaigns to gather consent in real-world situations. Email marketing was then connected to these privacy settings and consent capture history.
Controls had to be installed around the removal of documents, of voter data (at the voter's request), or because the issue was closed.
Finally, all permission level access had to be reviewed and strengthened to ensure limited and purposeful access to personal data.
2. Was it hard to become GDPR compliant?
As you can see from the functionality alone, it was certainly a challenge for us, just as it has been across the industry for all political technology firms. Our engagement and preparation began at the start of 2017 with data protection specialists and consultants who worked with us to tease out the issues and find workable solutions.
The product development schedule, once it was fully mapped out, took over two months to complete over two releases and will represent ongoing work and development in the medium term.
Of course, the entire process has involved detailed consultation with our customers and other industry professionals to gather feedback and make sure implementation went smoothly. So, yes, you could say it was pretty hard!
3. What are the benefits of GDPR?
GDPR will have huge benefits but the most important is in terms of the protection of voter data and the avoidance of misuse. Transparency of process is a benefit to data subjects as they are now able to easily request what information is being held on them and they can dictate what they want done with it. Such transparency is also a benefit to the organization holding the data, as they become better able to account for their processes and less open to data breaches and misuse of data by their employees or by those outside of their organization who have malicious intent.
GDPR forces organizations to weed out unnecessary information and individuals from their database and thus, it encourages building real engagement and relationships with data subjects, so from that point of view it greatly improves the quality rather than the quantity of the database.
4. Was the process of becoming GDPR compliant a benefit in the long run to Ecanvasser?
Well, we haven’t run for very long yet (it came into force on May 25th) but we can already see that GDPR has pushed us to the forefront of data protection leadership in the political technology industry.
Our GDPR webinars are attended by political parties across the EU and we feel we have a role to play in directing the conversation and gently guiding political organizations to really see the benefits of data protection rather than the negatives of being forced into compliance.
Our development team put a huge amount of work into the functionality and database structuring with a real focus on security. This represents a real opportunity to diversify our product offering to give, for example, ballot initiatives e-signature capability, or to strengthen corporate governance systems for advocacy groups.
5. What steps should organizations take to be GDPR compliant?
It really depends on the organization, what type of data they hold and what they intend to do with it. But to answer the question, here is a short list worth considering:
- Firstly, a mindset shift is needed: not just to do enough to become compliant, but to think about voters/citizens first and put them at the heart of everything you do in your database
- Review your systems, declutter & minimize your voter data
- Create a data retention policy
- Hire a data processor partner that has fully responded to GDPR and understands your industry
- Appoint a Data Protection Officer
- Train all staff and set up regular training slots
- Put in place systems to respond to Subject Access Requests and Data Breach protocols
6. Why is this important for politics and advocacy?
It’s important because of the fallout from situations like Cambridge Analytica. We don’t want to continue in a manner where citizens’ data is floating around the corporate world being used in a multitude of ways to influence us, whether that be to buy a pair of sneakers or to vote for a particular candidate. It’s important because we want to turn the tide on this and to start taking individuals’ data seriously. If you treat a person’s data akin to a person’s money, you begin to see the importance of treating that data in an accountable way.
There is a great section in Malcolm Gladwell’s book, Outliers, where he describes the difference between traditional Chinese rice paddy farming and traditional Western crop rotation farming. The crop farmer sows the seeds in Spring, works really hard in Summer to gather the harvest and then goes into hibernation in the Fall and Winter. However, the rice paddy farmer works all year round; it’s back-breaking work but yields a constant dividend and you can see how input is directly correlated to output. It is similar for political and advocacy groups that are willing to tend to voter data and voter relationships in the same manner. Rather than having a huge database that you send periodic communications to in the vain hope of getting a percentage response, GDPR gets organizations to deal directly with the electorate and to get a better return on that work in terms of votes or support.
Lastly, it seems there is a real antipathy on the part of voters towards political organizations and a more transparent and real relationship with the electorate could form the basis of a new way of moving forward and repairing some of that damage that has been caused by the likes of the Cambridge Analytica scandal.
7. Why should US campaigns and organizations think about GDPR?
GDPR is not likely to remain an EU initiative only for very long. Canada and Australia, among others, are already making plans to follow suit and it would be naive to think that data protection legislation will not be coming to the US, at least in the medium term.
It is, of course, also good practice, helps you to understand and communicate better with your community, and ultimately protects you from yourself by bolstering your corporate governance.
A big thank you to Aoife O'Halloran and Brendan Tobin at Ecanvasser for answering this week's 7 questions!