Against the backdrop of the US elections, which has the current President of the United States campaigning for funds to challenge the (not quite final) results, our own ICO has published a summary of its audit concerning data protection practices of UK political parties. The audit follows from the ICO’s Democracy Disrupted report, in which the ICO highlighted its concerns about data protection and political campaigning – particularly the apparent lack of transparency around how personal data was used in voter profiling.

The summary brings a nearly two year-long audit to an end and results in a number of key findings. One of these is the importance of political parties to be transparent on their social media platforms when using personal data for the purpose of profiling with a view to sharing targeted marketing. Although not expressly required, this suggests the ICO wants to see parties include a link to their privacy notice on their social media pages. In addition, when parties use targeting tools provided by social media platforms, both the party and the platform should be clear about the circumstances in which they act as joint controller.

A few other important points raised in the summary are:

- The ICO reminds us that a Data Protection Impact Assessment should be carried out when a party relies on an exemption to the requirement to provide a privacy notice under Article 14 of the GDPR.

- In order to comply with the accountability principle, staff should acknowledge that they have read and understood the key data protection policies that the relevant party has in place.

- Similarly, the ICO raises concerns from an accountability perspective that data protection training is often not part of the staff induction programme and states this should be rectified.

Although these recommendations are specifically targeted at political parties, they include important lessons for everyone, particularly those that use profiling and social media platform tools as part of their marketing approach.