UK GDPR
Updated 14 June 2024
1. Warning - Microsoft are launching Recall on 18th June 2024 which, if you use a Windows computer, is functionality to record your activity if you Opt In to it. We specifically ask that you do not activate this function whilst you are using Lighthouse, Connect or working with any Party data.
Microsoft have stressed that Recall is only available on new Copilot Plus PCs.
2. It is against the ICO’s guidance to purchase phone numbers from a data broker. You must not purchase phone numbers under any circumstances.
3. We are now all familiar with operating from home and having regular meetings online, which is convenient but does have it's own challenges. It is important to be aware of your data protection obligations. Read more here, including data security when using Zoom.
UK GDPR overview
The General Data Protection Regulation (GDPR), a piece of EU legislation adopted into UK Law via the UK Data Protection Act 2018, came into force on Friday 25th May 2018.
Following the UK's withdrawal from the EU on 31 January 2020, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.
The Party must comply with this legislation in the same way as we need to for Electoral Law. It is vital that Local Party Officers, campaigners and members understand their obligations.
The Party has adopted a set of Members Data Protection Rules that must be followed by all members of the Party. This page covers all rules, guidance and information published. For further information contact data.protection@libdems.org.uk.
Key information
Processing Personal Data Lawfully
Find an outline of the lawful bases for processing personal data here
Breaches, Subject Rights Requests & Opt Outs
Find out how to handle data breaches and requests here
Further information and guidance
Data Protection Checklists
Find guidance on ensuring your party or group remains compliant with data protection regulations here
Data Protection & Remote Working
Find out more about data protection advice when working remotely & using Zoom
Approved Suppliers & Approval for New Suppliers
Find the specific suppliers we have agreements with to process data
Sharing Data with Approved Suppliers
Find out how to get new supplires added to the Approve Suppliers List
Frequently asked questions
-
UK GDPR, also known as the UK General Data Protection Regulations, are a piece of EU data protection legislation that came into force on Friday 25th May 2018. They were enshrined in British law as the Data Protection Act 2018. (See question 2 for the changes following Brexit).
-
Following the UK's withdrawal from the EU on 31 January 2020, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.
The Party must comply with this legislation. When and if there are changes, we will update Local Party Data Officer and Chairs directly via email and through the monthly Compliance & Data Protection mailing.
-
The UK GDPR is based on 7 principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles guide the way that any organisation can use personal data. In order to make it easier to ensure that everyone is handling personal data in a compliant way we have written the Liberal Democrats Data Protection Rules, available to read here. These rules form part of the party’s membership rules and must be followed at all times. Failure to follow these rules may lead to a data breach and a breach of the membership rules.
-
The Information Commissioner’s Office (ICO) has the power to fine organisations who handle personal data negligently. Under UK GDPR the maximum fine for a data breach is EUR 20 million (approx. £17 million) or 4% of global profits, whichever is larger. Although fines of this magnitude are rare, we as a political party are entrusted with handling large quantities of personal data. If the party is found to be negligent in its handling of personal data, it is possible that we could receive a very significant fine.
-
No there is no threat for individuals, as fines/ICO action are directed at the named Data Controller, who for all Party business is the Chief Executive on behalf of the Federal Party. However, there is provision in the constitution for fines resulting from local party activities to be recouped from the local party in question.
-
Yes. Under UK GDPR we are required to use providers who are compliant and will only use the information we provide in a specific way. Where we require contracts, they must be created/approved by the Data Controller (the Federal Party). As a result, we have a list of Approved Suppliers/Providers available on the website here. These are the only suppliers that can be used to process personal data.
For printing companies, if you are using unaddressed leaflets or mail, then these do not need to be on the Approved Supplier List. If you are sharing names and addresses with a printer for targeted mail, then the printer does need to be on the Approved Supplier List. They will need to complete a simple due diligence audit to confirm they are handling our data in a UK GDPR compliant way.
-
Yes, however you must follow the WhatsApp guidelines. They are available to read here.
-
You must use an approved bulk email supplier when sending emails to mailing lists of more than 15 people. The approved bulk email provider is Targeted Email and Mailjet.
-
You should only download personal data from the Lib Dems systems if it is absolutely necessary. If it is necessary, you must follow Download - Use - Delete. i.e. Download the data, use it and then delete it as soon as you no longer need it.
-
You must never share personal data outside of the Liberal Democrats except for our approved third-party suppliers for administrative/transactional purposes.
If you need to share personal data by electronic means with other volunteers you must encrypt the data with a password. You must send the password by a different method than the data was sent. For more information on encryption please read the data security page here.
-
Whenever you gather personal data from an individual it is essential that you provide them with a Fair Processing Notice (FPN). An FPN explains the purpose we will collect the data for and provides a link to our privacy policy. The FPN can be given verbally or in writing. You must offer a written version of the FPN when you are canvassing. For more details about FPNs please see the FPN page here.
It is essential that the individual knows the purpose you will use the data for. We cannot use the data for any other purpose.
You must not add email addresses/phone numbers to your contact list unless the individual gave explicit consent for you to do so.
-
Only if you are going to a country within the EU/EEA or a country that has been given an adequacy decision. If a country has been given an adequacy decision it means that the European Commission is satisfied that this country has adequate data protection standards. The list of countries that have been given an adequacy rating can be found here.
You cannot access Lib Dem data from a country that is not in the EU/EEA and has not been given an adequacy decsion.
-
Under the UK GDPR, individuals have certain rights over their data, these are
- The right to be informed about how their data is used.
- The right of access to their data.
- The right to rectification of their data.
- The right to erasure of their data.
- The right to restrict processing of their data
- The right to data portability
- The right to object to their data being processed
- Rights in relation to automated decision making and profiling.
If someone contacts you asking to exercise one of these rights it is essential that you forward them to Data.Protection@libdems.org.uk as soon as you receive them. We only have 1 calendar month under law to process such a request, so it is very important that you forward the request to us straight away. More information on data subject rights can be found here.
-
Information about data breaches can be found here.
If you think a data breach has occurred it is essential that you email Data.Protection@libdems.org.uk immediately. In some circumstances, where the breach may cause harm to others, we must report the data breach to the ICO. We only have 72 hours to report a data breach to the ICO once we become aware of it.
-
We have a UK GDPR checklist on the website which should be used by local parties to review their level of UK GDPR compliance and identify areas that need improvement. The Data Officer should be responsible for reviewing this checklist once a year. The checklist is emailed out to Local Party Chairs and Data Officers as part of the monthly Compliance & Data Protection mailing.
-
We send a monthly Compliance & Data Protection mailing to registered Local Party Data Officers, Chairs and Treasurers. The mailing contains Compliance information and Data Protection updates and news. The GDPR section of the website (which you are in now) also contains useful information which we update as needed.
-
Yes, we offer online UK GDPR training through the monthly Compliance & Data Protection mailing. This is available to all Local Party officers. There are also pre-recorded presentations, which we send out annually to local party officers as part of our February daily training programme.
-
Any non-member volunteers who process Lib Dem data must sign a Data Non-Disclosure Agreement (NDA). You can download the NDA and read more information about NDAs here.
-
You can email Data.Protection@libdems.org.uk.