UK regulators have hit Canada’s AggregateIQ (AIQ) with the country’s first GDPR enforcement notice, giving the Vote Leave-associated data company 30 days to comply with data regulations or face a fine of up to €20 million.

AIQ’s continued retention of UK citizens’ data is likely to have caused “damage or distress” to those affected and the company is in breach of Articles 5 and 6 of GDPR, the Information Commissioner’s Office (ICO) said.

The enforcement notice comes as as the ICO has hit a string of companies with the highest fine – £500,000 – possible under previous data protection legislation.

GDPR came into force on May 25. It grants the data watchdog the power to impose a civil monetary penalty (CMP) on a data controller of up to €20 million (approx. £17.8 million) or four percent of global turnover. It also has new strengthened powers

GDPR enforcementAIQ was paid nearly £2.7 million by the Vote Leave campaign to target ads at prospective voters during the Brexit referendum.

The firm has appealed against the notice, an annex to the ICO’s data analytics investigation progress report, first published in July shows, as the BBC first reported.

An AIQ spokesman confirmed to Computer Business Review that they have appealed the notice but declined to comment further.

 

GDPR Enforcement: Test Case for ICO

“The commissioner has been in contact with AIQ regarding the processing of personal data by AIQ regarding the processing of personal data by AIQ on behalf of UK political organisations, in particular Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave,” the ICO said in the notice.

“In correspondence with the commissioner dated 30 May 2018 AIQ confirmed that personal data regarding UK individuals was still held by them. This data is stored on a code repository and has previously been subject to unauthorised access by a third party.”

See also: ICO Shows Teeth, Slaps Facebook with Record Fine, Demands Audits Galore

Nigel Tozer, GDPR Specialist at Commvault, said the notice was served for processing people’s data “for purposes which they would not have expected”.

“Many organisations have been focussed on inherent security aspects of the regulation, so this should serve as a reminder that the retention and processing of data, including data which was collected before May 25th, is subject to the full rigours of the new regulation,” he said.

“Regardless of size or sector, this notice should serve as a wake-up call, and will hopefully spur many into a review of current policies around the use of personal data.”

The General Data Protection Regulation (GDPR) came into effect across the European Union on May 25, bringing laws and obligations around personal data and privacy up to date. It requires organisations to report personal data breaches to relevant authorities within 72 hours of becoming aware of the breach.

Organisations must also inform individuals without delay if a breach is likely to result in a high risk of adversely affecting their rights and freedoms, the ICO says. They must also ensure they “have robust breach detection, investigation, and internal reporting procedures in place”.

In July the UK’s data watchdog released the interim results of a 14-month investigation into the use of data in political campaigns – triggered by the Cambridge Analytica/Facebook scandal – and published recommendations resulting from the investigation in a partner report, “Democracy Disrupted?”

 

Read more: GDPR? 25 May Was Just the Start