Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Political Parties and Campaigns: Voter Data, Canvassing, and Special Category Protections

Political organisations handle some of the most sensitive personal data in existence. Voter contact lists, canvassing records, donation histories, political opinions, and membership data all carry significant legal weight under GDPR — and regulators have made clear they expect political parties to take compliance seriously.

This guide covers everything a UK political party, campaign, or candidate needs to know about GDPR compliance in 2026.


Political Opinion Data Is Special Category Data

Article 9 of GDPR identifies a list of data types that receive enhanced protection because of the particular harm their misuse could cause. Political opinion data is on that list — alongside health data, racial or ethnic origin, biometric data, and religious beliefs.

This matters because the default position under GDPR is that you cannot process special category data unless you have an explicit justification. The lawful basis requirements for ordinary personal data are already strict; for special category data, they are stricter still.

Processing political opinion data requires both a standard lawful basis (under Article 6) and a specific condition under Article 9. For political parties, the most commonly applicable Article 9 condition is:

  • Article 9(2)(d) — processing carried out by a political, philosophical, or religious non-profit body as part of its legitimate activities, with appropriate safeguards, and provided the data relates only to members, former members, or persons who have regular contact with the organisation in connection with its purposes, and the data is not disclosed outside the body without consent.

This condition is narrow. It covers members and regular contacts — not a general population of voters.


The Cambridge Analytica Effect

The 2018 Cambridge Analytica scandal changed the regulatory landscape for political data permanently. The ICO's investigation — Operation Emma — resulted in enforcement action against multiple political organisations, the exposure of unlawful data broker practices, and a substantial fine against Facebook.

More importantly, it triggered lasting regulatory attention on how political campaigns acquire, enrich, and use voter data. The ICO published specific guidance on the use of data analytics in political campaigns, and regulators across Europe began scrutinising targeting practices that had previously gone unchallenged.

The core problem Cambridge Analytica exposed: political campaigns were combining data from electoral registers, commercial data brokers, and social media profiles to build psychographic profiles of voters and serve micro-targeted political advertising — all without meaningful consent and without individuals having any idea it was happening.

That approach is now firmly off the table. Any political organisation attempting to replicate it faces serious enforcement risk.


Electoral Commission Guidance and GDPR Interaction

In the UK, political parties must navigate two overlapping regulatory regimes: GDPR (and the UK GDPR post-Brexit) as overseen by the ICO, and electoral law as overseen by the Electoral Commission.

The Electoral Commission's guidance acknowledges the interaction between electoral law and data protection law but does not override it. Permitting disclosure of the electoral register for certain purposes does not create a lawful basis under GDPR for unlimited processing. The ICO is clear on this point.

Key interactions to understand:

  • The full electoral register can be used by political parties for electoral purposes under Schedule 2 of the Representation of the People (England and Wales) Regulations 2001. But this does not mean you can use it for general marketing, commercial profiling, or purposes beyond direct democratic engagement.
  • Canvassing data collected during legitimate political activities can be retained, but must be proportionate, accurate, and not held longer than necessary.
  • PECR (Privacy and Electronic Communications Regulations) applies on top of GDPR for any electronic direct marketing — including email and automated telephone calls to voters.

Lawful Bases for Processing Voter Contact Data

For ordinary voter contact data (name, address, phone number, email), you will typically rely on one of:

Legitimate interest — Political parties have argued that direct voter engagement is a legitimate interest that can justify processing contact details for canvassing and campaign communication. This requires a documented Legitimate Interest Assessment (LIA) that genuinely weighs the party's interests against voter rights. The ICO accepts legitimate interest in this context but requires the assessment to be real, not pro forma.

Legal obligation — Some data processing is required by electoral law. This is a legitimate basis for that specific, required processing.

Consent — For electronic marketing (email, SMS, automated calls), you will usually need specific, freely given, informed consent under PECR. Obtaining this from general voter contact lists is extremely difficult.


Canvassing Data: What You Can Record and For How Long

Door-to-door canvassing generates personal data. When volunteers record how a resident responded — including any indication of voting intention — that is special category data (political opinion) or at minimum sensitive personal data.

What you can record:

  • Whether the resident was contacted and whether they engaged
  • Whether they have consented to further contact
  • Their stated preference to receive or not receive party literature
  • Party affiliation or voting intention, where explicitly shared by the voter

What you should not record:

  • Inferred political opinions based on demographic characteristics
  • Information shared by a neighbour about another resident
  • Health or accessibility information without specific consent

Retention: Canvassing data should be reviewed after each election cycle. Data about individuals who have expressed no interest in the party, or who have asked not to be contacted, must either be deleted or retained solely to honour the opt-out. Keeping active positive canvass data from a 2019 election without any refresh is hard to justify by 2026.


Email and Telephone Marketing: PECR as Well as GDPR

PECR adds specific requirements for electronic marketing that sit on top of GDPR. For political parties communicating electronically with voters, this means:

Email marketing:

  • You need specific, opt-in consent for marketing emails to individual voters
  • Soft opt-in (available in commercial contexts for existing customers) does not apply to political organisations in the same way
  • Unsubscribe mechanisms must be functional and respected promptly

Telephone calls (automated and live):

  • Automated political calls (robocalls) require prior specific consent
  • Live calls to TPS-registered numbers are prohibited unless the individual has specifically consented to calls from your organisation
  • Scripts should be documented and callers should be able to identify the organisation clearly

Text messages:

  • SMS marketing to voters requires consent
  • The ICO has taken enforcement action over political texts

The ICO's guidance explicitly addresses political campaign communication and does not grant political parties special exemptions from PECR requirements.


Membership Data: Members, Supporters, and Contacts

Political parties typically hold data on three distinct groups, each with different compliance implications:

Members — Full members who have joined the party and paid membership fees. Processing their data is supported by the membership contract and the Article 9(2)(d) condition. They have a reasonable expectation that the party will contact them about party matters.

Supporters and registered contacts — People who have signed up to newsletters, attended events, or expressed interest without becoming members. Their data can be held, but only for the purposes they consented to. You cannot treat a newsletter subscriber the same as a member.

Cold voter contacts — Names and addresses from electoral registers or third-party lists. These individuals have no relationship with your party. Processing their data for direct contact is lawful for specific electoral purposes, but each contact mechanism must have its own justification, and persistent profiling goes beyond what the law permits.

Internal separation matters. Data held about members should not be routinely accessible to local branches, affiliated organisations, or campaign teams unless there is a specific, documented reason.


Volunteers and Their Personal Data

Volunteers are data subjects too. When someone volunteers for a campaign, they provide personal data — and the party becomes a data controller in relation to that data.

Volunteers' data should be:

  • Collected only for the purposes of the volunteering relationship
  • Covered in a clear privacy notice before they start
  • Retained only while the volunteering relationship is active, plus a reasonable period after
  • Not shared with third parties (including affiliated organisations) without consent

Enhanced DBS checks for volunteers working with vulnerable people generate criminal records data, which is additional special category data requiring specific handling.


Donation Records and Data Retention

Political donations above certain thresholds must be declared to the Electoral Commission under PPERA (Political Parties, Elections and Referendums Act 2000). This creates a legal obligation to retain certain records — which provides a lawful basis for that retention.

However, the legal obligation to report does not justify holding full donor profiles indefinitely for marketing purposes. The following should be separated:

  • Compliance records — retained as required by electoral law
  • Marketing preferences — held only while the donor has an active relationship with the party and wants to be contacted
  • Payment data — retained only as required by financial regulations (typically 6 years for accounting purposes)

Social Media Targeting for Political Ads

Following Cambridge Analytica and subsequent regulatory guidance, social media political advertising requires particular care.

What is lawful:

  • Advertising to your own email list uploaded as a custom audience (with consent)
  • Interest-based targeting based on declared political interests (where the platform supports it and users have opted in)
  • Geographic targeting for genuinely local campaigns

What is high risk:

  • Lookalike audience campaigns built from voter data
  • Psychographic targeting using data from brokers
  • Dark ads that change content by demographic without transparency

The ICO's investigation into political micro-targeting found that practices commonly used in the 2016-2019 election cycle created significant compliance exposure. Political parties should document their advertising targeting methodology and be prepared to explain it to a regulator.

Imprint requirements also apply — all political digital advertising must carry a digital imprint under the Elections Act 2022.


Data Sharing Between HQ, Local Branches, and Candidates

Party structures create data controller complexity. When national party HQ holds a membership database and local branches access it, there is likely a joint controller or processor relationship that needs to be documented.

Key questions to resolve:

  • Who is the data controller for canvassing data collected by local volunteers on national party systems?
  • What data can a parliamentary candidate access about local party members, and under what conditions?
  • When constituency associations share data with candidate campaigns, what agreement governs that sharing?

The ICO expects these questions to be answered in documented data sharing agreements, not just assumed. Post-election, the candidate's campaign operation should have a process for returning or destroying party member data it received during the campaign.


Voter Data Purchased from Brokers — Legality and Risks

Several commercial data brokers sell lists that include information derived from the electoral register, commercial transactions, and consumer profiles. Political campaigns sometimes purchase these to enrich their canvassing data or identify potential supporters.

The legal position is difficult. The ICO's view is that purchasing enriched voter data from commercial brokers — without the individuals having knowingly provided their data to that broker for political purposes — is unlikely to be lawful under GDPR.

Specific risks include:

  • The broker may not have a lawful basis for selling the data in the first place
  • The purposes for which voters originally provided data to the broker are unlikely to include political profiling
  • If the broker's own compliance is questionable, you inherit reputational and regulatory risk

Before purchasing any third-party voter data, require the broker to document their lawful basis for collection, their consent mechanism, and their right to sell for political purposes. If they cannot provide this, do not purchase.


Subject Access Requests from Political Opponents

Political parties receive SARs. Some come from genuine members wanting to see their data. Some come from journalists. And some come from political opponents looking for information about how the party operates.

A SAR is a SAR regardless of the requester's motive. Your obligation to respond within one month applies whatever their reason for asking.

However, you can withhold information that would reveal personal data about other individuals (party staff, volunteers, other members). You can also withhold information that is subject to legal privilege. You cannot withhold information because it is embarrassing or because responding would damage the party politically.

Establish a clear internal process for SARs before you receive one. Political parties that fumble a SAR response — responding late, providing incomplete information, or visibly trying to obstruct — invite formal complaints to the ICO.


ICO Enforcement Against Political Parties: Real Examples

The ICO has taken direct action against UK political parties and political organisations:

Conservative Party (2021) — The ICO issued a reprimand to the Conservative Party over the use of email addresses provided by Conservative MPs' offices without those MPs' consent for party fundraising communications.

Liberal Democrats, Labour Party, the Brexit Party (2019-2020) — As part of Operation Emma, the ICO's political data investigation, all major parties received Enforcement Notices or Reprimands relating to their use of data analytics tools that processed voter data without adequate transparency.

Leave.EU (2018) — Fined £60,000 (pre-GDPR maximum) for sending over one million unlawful marketing messages using data obtained from the Eldon Insurance customer database. This remains one of the clearest examples of what happens when political organisations treat commercial customer databases as voter contact lists.

Vote Leave (2018) — Fined £40,000 for sending unsolicited political messages to phone numbers from a purchased database.

These cases share a pattern: data collected for one purpose (insurance customers, app users, donors) repurposed for political marketing without consent.


10 Common GDPR Mistakes Political Organisations Make

  1. Treating the electoral register as a general marketing database. Electoral register access is for electoral purposes. It does not authorise email marketing, profiling, or data enrichment.

  2. No privacy notice on canvassing data collection. Volunteers collecting data on doorsteps are acting on behalf of the party as data controller. A privacy notice is required.

  3. Failing to honour opt-outs promptly. When a voter asks not to be contacted again, that request must be actioned quickly and consistently across all systems.

  4. Sharing member data with affiliated organisations without consent. Members joined your party, not your think tank or your affiliated union.

  5. Sending unsolicited political emails to purchased lists. PECR requires consent for electronic marketing regardless of political exemptions in other laws.

  6. No data retention schedule. Canvassing data from previous elections is often still sitting in campaign management systems years later with no documented retention review.

  7. Inadequate volunteer briefing. Volunteers become data processors when they handle personal data. They need basic data protection training before handling voter information.

  8. No DPA with technology suppliers. Campaign management software providers, CRM vendors, and mass email platforms are data processors. There must be a Data Processing Agreement in place.

  9. SAR responses handled informally. Subject access requests must be tracked, responded to within one month, and documented. A verbal response to a written SAR is not adequate.

  10. Buying third-party voter data without due diligence. If the data broker cannot demonstrate lawful basis for the data and permission to sell it for political purposes, do not buy it.


Get a Free Privacy Audit

If your organisation's website collects any personal data — contact forms, newsletter signups, donation pages, event registrations — you should know exactly what trackers and data flows are active.

Custodia's free website scan takes 60 seconds and shows you every cookie, tracker, and third-party connection on your site. No account required.


Last updated: March 2026
