Internal controls
Internal controls are the systems, processes, and checks that organisations put in place to ensure they follow their own policies and meet legal requirements. In the context of political advertising, internal controls help sponsors, publishers, and providers verify compliance with transparency and targeting rules under EU Regulation 2024/900.
Legal Basis
While the TTPA Regulation does not define "internal controls" as a standalone term, it establishes obligations that require effective internal control mechanisms. For example:
"Providers of political advertising services shall put in place mechanisms enabling any person to report to them possible infringements of this Regulation."
— Article 11(1), Regulation 2024/900
Additionally, the regulation requires service providers to maintain records, implement transparency measures, and ensure compliance with targeting restrictions—all of which necessitate robust internal controls.
Why It Matters
Internal controls are essential for anyone involved in political advertising: political parties, campaign teams, advertising agencies, online platforms, publishers, and influencers. Without effective internal controls, organisations risk violating transparency obligations, misusing personal data for targeting, or failing to detect and correct errors in political ad labels.
For sponsors, internal controls ensure that transparency information is accurate and complete before ads are published. For providers and publishers, these controls help verify sponsor information, flag missing labels, and process reports of possible violations. Supervisory authorities may also assess the adequacy of internal controls when investigating complaints or conducting audits.
Strong internal controls reduce the risk of fines, reputational damage, and enforcement action. They also build trust with voters and the public by demonstrating a commitment to fair, transparent political communication.
Key Points
- Verification processes: Internal controls should verify that political ads are properly labelled and that transparency notices are complete and accurate before publication.
- Record-keeping: Controls must ensure that required records (sponsor details, ad content, reach, targeting parameters) are maintained and accessible for supervisory authorities.
- Reporting channels: Providers must implement mechanisms for anyone to report possible violations, as required by Article 11 of the regulation.
- Personal data safeguards: Controls should prevent the misuse of personal data for targeting, especially special categories of data, and ensure compliance with GDPR and the TTPA targeting restrictions.
- Training and awareness: Effective internal controls include training staff on compliance obligations and updating procedures when regulations or guidance change.
- Audit trails: Systems should log key decisions and actions (e.g., ad approvals, label placements, targeting parameters) to support accountability and investigations.
Internal Controls vs. Compliance Management System
Internal controls are specific mechanisms—checks, procedures, logs—that ensure day-to-day compliance with rules. A compliance management system (CMS) is the broader framework that coordinates those controls across an organisation, including policies, governance, risk assessment, training, and continuous improvement.
In short: internal controls are the individual tools and processes; the CMS is the overall structure that manages and monitors them. For political advertising, a CMS would define compliance strategy, while internal controls would include steps like verifying transparency labels before an ad goes live, maintaining sponsor records, or processing user reports of unlabelled ads.
Related Terms
- Political advertising
- Transparency notice
- Sponsor
- Provider of political advertising services
- Publisher
- Targeting techniques
- Personal data
- Compliance management system
- Due diligence
- Supervisory authority
- Record-keeping
- GDPR