Important Developments in the world of data protection


The world is still watching to see what the implications of breaching modern data protection laws will be. We have recently covered the data hack which affected the systems at British Airways, and there is unfortunately a substantial number of businesses worldwide still not compliant with the new General Data Protection Regulation (GDPR).

The First GDPR Notice Has Been Issued

AggregateIQ (AIQ), a Canadian firm which worked for the "Vote Leave" campaign, has been accused of processing people's data "for purposes which they would not have expected". This follows the Cambridge Analytica/Facebook scandal. It has been revealed that AIQ was paid nearly £2.7m by Vote Leave to target ads at prospective voters during the Brexit referendum.

Although AIQ is a Canadian firm, the GDPR is very clear that any company which processes the personal data of EU residents, or transfers that data outside of the EU, is also governed by the regulation.

Although the data was gathered before the GDPR came into effect, the Information Commissioner's Office (ICO) was concerned about the "continued retention and processing" of data after that date, meaning the GDPR does apply in this case.

As a result, AIQ has been issued with the first notice of its kind. Failure to appeal or comply with the notice could mean the company will face a large fine.


A maximum fine imposed

Also in the news last week are the fines that have been issued to Equifax.

A cyber-attack in 2017 exposed information belonging to 146 million people around the world. Although Equifax had previously been warned about the vulnerability in its systems, the ICO ruled that the company had “failed to take appropriate steps” to protect UK citizens’ data.

Although these have been issued under the old data protection laws, they are still significant. Equifax is one of very few companies to have attracted the maximum fine allowed under the Data Protection Act 1998, which is £500,000. This is also the first case in which the ICO has penalised an organisation to the maximum extent possible, in spite of Equifax stating that it has co-operated fully with the investigation and implemented a range of measures to minimise risk in future.

Given the proximity of the GDPR, it would appear that Equifax has narrowly avoided a potential fine of up to €20,000,000. By issuing the maximum fine allowed, the ICO has shown that it is not holding back from using the extra fining power granted to it under the GDPR.