UK GDPR

Frequently asked questions

• What is UK GDPR?

  UK GDPR, also known as the UK General Data Protection Regulations, are a piece of EU data protection legislation that came into force on Friday 25th May 2018. They were enshrined in British law as the Data Protection Act 2018. (See question 2 for the changes following Brexit).

• We’ve left the EU now is GDPR still relevant?

  Following the UK's withdrawal from the EU on 31 January 2020, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.

  The Party must comply with this legislation. When and if there are changes, we will update Local Party Data Officer and Chairs directly via email and through the monthly Compliance & Data Protection mailing.

• How does UK GDPR affect the way we can collect and use data?

  The UK GDPR is based on 7 principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

  These principles guide the way that any organisation can use personal data. In order to make it easier to ensure that everyone is handling personal data in a compliant way we have written the Liberal Democrats Data Protection Rules, available to read here. These rules form part of the party’s membership rules and must be followed at all times. Failure to follow these rules may lead to a data breach and a breach of the membership rules.

• What are the penalties for mishandling personal data?

  The Information Commissioner’s Office (ICO) has the power to fine organisations who handle personal data negligently.  Under UK GDPR the maximum fine for a data breach is EUR 20 million (approx. £17 million) or 4% of global profits, whichever is larger. Although fines of this magnitude are rare, we as a political party are entrusted with handling large quantities of personal data. If the party is found to be negligent in its handling of personal data, it is possible that we could receive a very significant fine.

• Is there a threat of personal liability if a breach of data protection happens on my watch doing Party business?

  No there is no threat for individuals, as fines/ICO action are directed at the named Data Controller, who for all Party business is the Chief Executive on behalf of the Federal Party. However, there is provision in the constitution for fines resulting from local party activities to be recouped from the local party in question. 

• Is it true that we can only use certain third party suppliers for processing personal data?

  Yes. Under UK GDPR we are legally required to have contracts with all providers that state they are UK GDPR compliant and will only use the information we provide in a specific way. All contracts must be created/approved by the Data Controller (the Federal Party). As a result, we have a list of Approved Suppliers/Providers available on the website​​​​​​​ here. These are the only suppliers that can be used to process personal data.

  For printing companies, if you are using unaddressed leaflets or mail, then these do not need to be on the Approved Supplier List. If you are sharing names and addresses with a printer for targeted mail, then the printer does need to be on the Approved Supplier List. They will need to complete a simple due diligence audit to confirm they are handling our data in a UK GDPR compliant way.

• Can we use WhatsApp?

  Yes, however you must follow the WhatsApp rules. They are available to read here.

• How can we send bulk emails in a compliant way?

  You must use an approved bulk email supplier when sending emails to mailing lists of more than 15 people. The approved bulk email providers are Prater Raines. 

• Am I allowed to download Data?

  You should only download personal data from the Lib Dems systems if it is absolutely necessary. If it is necessary, you must follow Download – Use -Delete. i.e. Download the data, use it and then delete it as soon as you no longer need it.

• Can I share data?

  You must never share personal data outside of the Liberal Democrats except for our approved third-party suppliers for administrative/transactional purposes.

  If you need to share personal data by electronic means with other volunteers you must encrypt the data with a password. You must send the password by a different method than the data was sent. For more information on encryption please read the data security page here.

• How can I collect personal data in a compliant way?

  Whenever you gather personal data from an individual it is essential that you provide them with a Fair Processing Notice (FPN). An FPN explains the purpose we will collect the data for and provides a link to our privacy policy.  The FPN can be given verbally or in writing. You must offer a written version of the FPN when you are canvassing. For more details about FPNs please see the FPN page here.

  It is essential that the individual knows the purpose you will use the data for. We cannot use the data for any other purpose.

  You must not add email addresses/phone numbers to your contact list unless the individual gave explicit consent for you to do so.

• Can I access Lib Dem Data abroad?

  Only if you are going to a country within the EU/EEA or a country that has been given an adequacy decision. If a country has been given an adequacy decision it means that the European Commission is satisfied that this country has adequate data protection standards. The list of countries that have been given an adequacy rating can be found here.

  You cannot access Lib Dem data from a country that is not in the EU/EEA and has not been given an adequacy rating.

• What do I do if someone wants to exercise the legal rights they have over their data?

  Under the UK GDPR, individuals have certain rights over their data, these are

  1. The right to be informed about how their data is used.
  2. The right of access to their data.
  3. The right to rectification of their data.
  4. The right to erasure of their data.
  5. The right to restrict processing of their data
  6. The right to data portability
  7. The right to object to their data being processed
  8. Rights in relation to automated decision making and profiling.

  If someone contacts you asking to exercise one of these rights it is essential that you forward them to Data.Protection@libdems.org.uk as soon as you receive them.  Please do not attempt to process the request yourself. We only have 1 calendar month under law to process such a request, so it is very important that you forward the request to us straight away. More information on data subject rights can be found here.

• What should I do if I think there has been a data breach?

  Information about data breaches can be found here.

   If you think a breach has occurred it is essential that you email Data.Protection@libdems.org.uk immediately. In some circumstances, where the breach may cause harm to others, we must report the data breach to the ICO. We only have 72 hours to report a data breach to the ICO once we become aware of it.

• How do I know if my local party has taken the right steps to be UK GDPR compliant?

  We have a UK GDPR checklist on the website which should be used by local parties to review their level of UK GDPR compliance and identify areas that need improvement. The Data Officer should be responsible for reviewing this checklist once a year. The checklist is emailed out to Local Party Chairs and Data Officers as part of the monthly Compliance & Data Protection mailing. 

• How can I keep up to date with data protection guidance?

  We send a monthly Compliance & Data Protection mailing to registered Local Party Data Officers, Chairs and Treasurers. The mailing contains Compliance information and Data Protection updates and news. The GDPR section of the website (which you are in now) also contains useful information which we update as needed.

• Are there training opportunities available?

  Yes, we offer online UK GDPR training through the monthly Compliance & Data Protection mailing. This is available to all Local Party officers. There are also pre-recorded presentations, located in the Campaigns Hub and training section of the website. 

• We have volunteers who are not members. Can they process personal data?

  Any non-member volunteers who process Lib Dem data must sign a Data Non-Disclosure Agreement (NDA). You can download the NDA and read more information about NDAs​​​​​​​ here.

• What do I do if I have any queries about data protection compliance?

  You can email Data.Protection@libdems.org.uk.