Just when the initial panic surrounding the implementation of the GDPR has subsided, the UK Information Commissioner’s Office (ICO) has issued its first enforcement notice, and to a foreign company at that!
AggregateIQ Data Services Limited (AIQ), a data analytics firm operating out of Canada, was issued with the notice, which requires the company to cease processing UK and EU personal data it obtained from political organisations associated with the Brexit movement.
AIQ breached the GDPR by processing individuals’ personal data in a way those people were not aware of, for purposes they would not have expected and without a lawful basis.
Notwithstanding the potential impacts of a processing ban on AIQ’s business, if it fails to comply with the notice, it faces a penalty of up to €20 million or 4% of its worldwide annual turnover, whichever is higher.
This action confirms that EU Regulators are prepared to pursue foreign entities for breaches of the GDPR.
It should serve as a warning to Australian entities that may be required to comply with the GDPR and that have not yet taken steps to ensure that compliance action is taken immediately.