GDPR fine could result as Labour contenders accuse each other over data leaks

News by Chandu Gopalakrishnan

The Labour Party faces GDPR penalties as party MPs are accused of misuse of membership data and party systems

The UK’s Labour Party has passed on allegations of misuse of membership data and party systems to the Information Commissioner's Office (ICO), reports Sky News. An ICO spokesperson said it has started a probe on the matter, the report added.

The decision was taken over allegations that the campaign managers of shadow Brexit Secretary Keir Starmer, who is running to succeed Jeremy Corbyn as the leader of the Labour party, have breached data security rules including the GDPR during the campaign.

A spokesperson for the Starmer campaign denied the allegation that it had accessed the party's membership database, the report said.

The party is yet to announce a formal response on the issue, which surfaced while it was dealing with a second, similar case. It was reported that the party is also investigating a complaint about the use of party data by the campaign team of shadow business secretary Rebecca Long-Bailey, a rival candidate for the Labour leadership.

Party general secretary Jennie Formby has written to all Labour candidates after allegations of misuse of membership data and party systems came up, said the report.

However, a formal referral by the party general secretary to the ICO will trigger an investigation. As the incident happened prior to Brexit, it will come under the General Data Protection Regulation (GDPR) rather than the milder Data Protection Act 1998. 

Any misuse or breach of personal data under GDPR is subject to the highest penalty level, up to £15 million. As this is the theoretical maximum for repeated offences, any penalty the party might face would be much lower. The maximum penalty under the Data Protection Act 1998 was £500,000. The party has 485,000 members, and it is their data which has allegedly been misused.

Breaches arising from the handling of member and voter data are increasingly being reported from across the world. The personal information of all Israeli voters was available online this month, after PM Netanyahu’s Likud party uploaded the full register to the election campaign management app Elector.

India's national ID database, Aadhaar, containing the personal and biometric information of nearly 1.2 billion people, was breached after hackers accessed it using administrative credentials.

The possibility of one faction's notification to the ICO rebounding on the Labour Party as a whole illustrates that data controllers are responsible for the information they hold and can quickly become both suspect and villain, commented Francis Gaffney, director of threat intelligence at Mimecast.

“The world has woken up to the threat of cyber-attacks and regulators have responded by piling pressure on businesses to take strict cyber security precautions and heavily punishing those organisations that suffer a cyber security breach. GDPR, for instance, raised the stakes substantially, introducing a maximum penalty of €20 million (£17.5 million) or four percent of global turnover - whichever is the greater,” he said. 

“An unacknowledged but inconvenient truth behind these fines is the fact that even businesses with A-grade cyber-security systems are at risk of a cyber-attack. The threat of fines will never be enough to prevent all cyber-attacks from happening.”

The party faced several cyber-security issues recently. In November 2019, there were two successive Distributed Denial of Service (DDoS) attacks on Labour's digital platforms as the party was preparing for the general elections. 

“These types of attacks are often used as diversions whilst others are being carried out,” observed Ryan Kalember, executive vice president of cyber-security strategy at Proofpoint.

“Other threats we have seen deployed include targeted email attacks, designed to gain access and publicise sensitive party data during the critical final stages of a campaign, and influence the result.”

Being a non-business, political or social organisation does not remove the need for a strong and constantly-updated security and data management system, Gaffney noted. 

“If someone trusts you with their data, you owe it to them to protect it, to know exactly where that data is stored, and who can access that data. Many organisations are having to pay penalties for such data breaches and it is only afterwards that the cost of a breach now drastically outweighs the potential savings from not investing in security and data management solutions. Furthermore, the damage to the organisation’s reputation and branding may dwarf the fine imposed.”
