The first GDPR notice in the United Kingdom has been issued to AggregateIQ Data Services. The Canadian firm was linked to the Facebook-Cambridge Analytica Scandal earlier this year, providing tools involved used in data analytics for political campaigns. Having caught the attention of the Information Commissioner’s Office, it has now run into trouble for failing to comply with GDPR.

first GDPR notice

The ICO has served this notice in connection to EU citizen data being held by AIQ. Because the data involved – including names and email addresses – is being stored for political purposes and without the users’ consents, there is no lawful basis for AIQ to process it.

Take a look at the full story about the UK’s first GDPR notice here: https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/

There are several important things to note about this, illustrating the dangers of not being fully aware of GDPR and its implications…

  • AIQ may be based outside of the UK, but this doesn’t protect it. This is because, in the words of the ICO, “AIQ’s processing of personal data is said to relate to monitoring of data subjects’ behaviour taking place within the European Union”.
  • For its role in the Cambridge Analytica scandal in March, Facebook was fined £500,000 under the terms of the Data Protection Act 1998. However, the notice issued to AIQ still comes under GDPR, even though the data it is processing relates to the same scandal. This is because AIQ didn’t tell the ICO it still held EU citizen data until May, when GDPR came into effect.
  • The issue for AIQ is that there’s no legal basis for them to hold this data. The ICO states: “The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.”
  • While the GDPR notice has only recently come to the attention of the public, it was originally issued in July. The ICO demanded that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
  • AIQ had only thirty days to comply with this demand. Considering that the Cambridge Analytica scandal hit 87 million users, and that the firm provides software and tools for managing data for political purposes, this is a huge job to perform in such a short space of time.

It should be noted that AIQ has the right to appeal – and is exercising that right. However, if its appeal is rejected, it will face fines of up to €2 million or 4% of its annual global turnover, whichever is higher – and that is per data breach

For our help and support with your own GDPR awareness and compliance programme, use the Contact Form on the right to get in touch today.