October 03, 2018

The UK has seen its first data protection enforcement action under the new regime of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).

The Enforcement Notice issued by the UK’s Information Commissioner’s Office (“ICO”), was given against a Canadian company called AggregateIQ Data Services Ltd (“AIQ”) on 6 July 2018[1].  The notice was published with little fanfare and was included as an annex to the ICO’s report, “Investigation into the use of data analytics in political campaigns”, published on 11 July 2018.[2]  A further Enforcement Notice was issued against SCL Elections Ltd for failure to comply with a Subject Access Request.

The background to this ICO investigation was the circumstances around the lead up to the UK’s referendum on its continued membership of the European Union on 23 June 2016.  In May 2017, the ICO announced a formal investigation into the use of data analytics in political campaigning during the referendum and contacted AIQ regarding its processing of personal data on behalf of certain UK political organisations.

Read More.