ICO Publishes First GDPR and Data Protection Act 2018 Enforcement Notice

Published on: 26/09/2018

#Data Protection

As recently reported in the media, the Information Commissioner’s Office (“ICO”) has issued its first Enforcement Notice under the Data Protection Act 2018 (“DPA 2018”) against AggregateIQ Data Services Ltd (“AIQ”), a Canadian data analytics company.

AIQ was associated with targeted advertising for the ‘Vote Leave’ campaign during the Brexit referendum. AIQ has been linked to Cambridge Analytics, which was the centre of the Facebook data privacy scandal we reported on here. AIQ have appealed against the notice.

While the data was initially gathered by AIQ before 25 May 2018 (the date the GDPR and DPA 2018 came into force), the ICO said it was concerned about the ‘continued retention and processing’ of data after that date, so the ICO confirmed the GDPR is applicable for AIQ's handling of that information.

AIQ have now been served with an Enforcement Notice to, within 30 days, ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.' 

If AIQ fails to successfully appeal the ICO's notice or does not comply with it, it could face a large fine. It will be interesting to see what level of fine the ICO deems appropriate given its increased powers under the GDPR and DPA 2018.

This notice is significant for various reasons. It is the first time the ICO has used the new extra territorial provisions of the GDPR against an organisation based outside the EU.

In addition, while a number of recent fines have made headlines (such as Facebook and Equifax both recently being fined the maximum £500,000 penalty under the previous Data Protection Act 1998 legislation), AIQ is the first organisation to receive an Enforcement Notice under the new provisions.

With the ICO having reported record numbers of self-reporting breaches since the GDPR came into effect (which is mandatory in certain circumstances), we can expect more actions undertaken by the ICO under the GDPR and DPA 2018 to be published in due course.

Clarkslegal
contact@employmentbuddy.com +44 (0) 118 958 5321

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Related HR Articles

12 May 21

ICO updates, anonymisation guidance and cyber security

In this month’s Data Protection Round-Up: key takeaways from the ICO Data Protection Practitioners Conference, guidance on anonymisation, and a government response to new cyber security legislation.

20 Jun 22

DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).   

14 Jun 18

Dixons Carphone admits major data breach
Dixons Carphone’s review of data and its systems disclosed massive unauthorised access to 5.9 million customer cards and 1.2 million personal records. The incident gathers attention after both GDPR and Data Protection Act 2018 (‘DPA 2018’) came into force on 25 May 2018.
More HR Articles