September 21, 2018

AggregateIQ Hit With First GDPR Enforcement Notice

Just five days after GDPR came into effect, AggregateIQ confirmed it still held data it shouldn't...

By Jonathan Chadwick

UK regulators have hit Canada’s AggregateIQ (AIQ) with the country’s first GDPR enforcement notice, giving the Vote Leave-associated data company 30 days to comply with data regulations or face a fine of up to €20 million.

AIQ’s continued retention of UK citizens’ data is likely to have caused “damage or distress” to those affected and the company is in breach of Articles 5 and 6 of GDPR, the Information Commissioner’s Office (ICO) said.

The enforcement notice comes as the ICO has hit a string of companies with the highest fine – £500,000 – possible under previous data protection legislation.

GDPR came into force on May 25. It grants the data watchdog the power to impose a civil monetary penalty (CMP) on a data controller of up to €20 million (approx. £17.8 million) or four percent of global turnover. It also has new strengthened powers

AIQ was paid nearly £2.7 million by the Vote Leave campaign to target ads at prospective voters during the Brexit referendum.

The firm has appealed against the notice, an annex to the ICO’s data analytics investigation progress report, first published in July, shows, as the BBC first reported.

An AIQ spokesman confirmed to Computer Business Review that they have appealed the notice but declined to comment further.



GDPR Enforcement: Test Case for ICO

“The commissioner has been in contact with AIQ regarding the processing of personal data by AIQ on behalf of UK political organisations, in particular Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave,” the ICO said in the notice.

“In correspondence with the commissioner dated 30 May 2018 AIQ confirmed that personal data regarding UK individuals was still held by them. This data is stored on a code repository and has previously been subject to unauthorised access by a third party.”


Nigel Tozer, GDPR Specialist at Commvault, said the notice was served for processing people’s data “for purposes which they would not have expected”.

“Many organisations have been focussed on inherent security aspects of the regulation, so this should serve as a reminder that the retention and processing of data, including data which was collected before May 25th, is subject to the full rigours of the new regulation,” he said.

“Regardless of size or sector, this notice should serve as a wake-up call, and will hopefully spur many into a review of current policies around the use of personal data.”

The General Data Protection Regulation (GDPR) came into effect across the European Union on May 25, bringing laws and obligations around personal data and privacy up to date. It requires organisations to report personal data breaches to relevant authorities within 72 hours of becoming aware of the breach.

Organisations must also inform individuals without delay if a breach is likely to result in a high risk of adversely affecting their rights and freedoms, the ICO says. They must also ensure they “have robust breach detection, investigation, and internal reporting procedures in place”.

In July the UK’s data watchdog released the interim results of a 14-month investigation into the use of data in political campaigns – triggered by the Cambridge Analytica/Facebook scandal – and published recommendations resulting from the investigation in a partner report, “Democracy Disrupted?”


