Data Protection World Forum: ICO delivers warnings of data-driven politics investigation

Data Protection World Forum delivers top-level data protection insight through talks and panel debates, but it’s also a great chance for delegates to have their concerns heard.

You could hear the industry discussion moving forward today around the many exhibition stalls in the Data Protection World Forum exhibition space, but compliance is the major concern, judging by the large queue of business owners and data security folk leading to the booth occupied by Information Commissioner’s Office representatives.

The ICO perspective was broadcast by the watchdog’s deputy commissioner, Steve Wood, at the Keynote Theatre’s morning sessions, in his talk, “Democracy disrupted? The next chapter.”

Steve described the application of the ICO’s policy pillars of transparency, control and accountability in its 2018 investigation into data used for political purposes, which coincidentally played out against the backdrop of the Facebook / Cambridge Analytica scandal.

The investigation looked into a huge swathe of social media companies and political parties, to study how social data giants and data brokers supply the information used to profile voters. Here’s how the investigation broke down in numbers:

  • 172 organisations identified
  • 30 organisations formed the focus of the investigation
  • 71 witnesses of interest
  • 31 information notices issued
  • 22 documents seized
  • 700 terabytes of data seized, equivalent to 52.5 billion pages
  • 85 pieces of equipment seized, including servers
  • 2 warrants, monetary penalties and enforcement notices
  • 1 criminal prosecution.

Facebook was a focus of concern in the ICO report, with the process of targeting laid bare. A story that garnered less media coverage was that of Emma’s Diary, a data broker that gathers information from young mothers. The firm’s consent was not effective, clear or informed and its processes lacked transparency, while data ended up with the Labour Party, which used it to target voters.

More broadly, the investigation resulted in warning letters issued to 11 political parties, with all parties being told they have to tighten up data privacy behaviours.

An Enforcement Notice and criminal prosecution were leveraged against SCL Elections Ltd. Aggregate IQ was also given an enforcement notice, while audits were carried out of the main credit reference companies and Cambridge University Psychometric Centre. Emma’s Diary, meanwhile, received a fine of £140,000, demonstrating that the cogs of legislative justice are alive and turning for those who fail to treat data with extreme, sustained care.

That political parties use information this way is nothing new, but the transparency argument is laid bare when profiling leads to targeted messaging that plays on voters’ fears.

International impact

Besides a full suite of enforcement action, the investigation proved the risks of intrusive profiling, online manipulation and echo chambers. Risks of data harvesting and use of sensitive categories were also highlighted.

Steve Jones continued to underline the transparency failings the probe had uncovered, and its role in inadequate effective consent online.

The deputy commissioner thus recommended more effective controls in online platforms for behavioural advertising, and emphasised the importance and very clear justification of Subject Access Rights (SARs).

The ICO’s powers have been strengthened beyond simply the terms of the GDPR, the audience heard, while the need for effective resourcing for Data Protection Authorities worldwide was also a prominent takeaway.

Responding to the pressing need to stay responsive to the changing digital landscape, the ICO has now appointed its first dedicated AI data scientist to help recognise challenges and tackle enforcement in future.

The question is now a global one, and our obligation is to always consider the risks in terms of online data manipulation, and their threats to democracy. This issue was unpacked at a later session at the Keynote Conference Theatre, by Jamie Bartlett, researcher, journalist and author of The Dark Web.

You can read the ICO report and explore the importance of the three pillars of data protection at


