Vote Leave becomes first UK victim of GDPR

With the General Data Protection Regulation in full effect, the Information Commissioner's Office, the UK's regulatory authority, has issued the first official enforcement notice to an organization for failing to follow the data protection law. 

posted in Cyber-Security, GDPR ● 4 Oct 2018

On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect. The regulation was touted as a major shake-up of data protection law across Europe, and many organizations and headlines predicted fines worth millions being handed out almost daily. The truth is that the Information Commissioner's Office (ICO), which enforces the GDPR in the UK through the Data Protection Act 2018, has yet to fine anyone under the regulation. Now, however, the ICO has issued its first enforcement notice under the regulation, which could well lead to the first major fine.

Canadian firm AggregateIQ Data Services Ltd (AIQ) was served with the enforcement notice, dated July 6th 2018, and has a period in which it can appeal the notice and work with the ICO to establish the outcome. The firm is best known for the work it did for Vote Leave in the run-up to the EU referendum, in which the UK voted to leave the European Union. The organization has also been linked to Cambridge Analytica and the Facebook scandal, in which voters in the USA were targeted by political campaigns during the 2016 US presidential election that saw President Trump elected.

How did Vote Leave and AIQ fail to comply with the GDPR?

The enforcement notice from the ICO sets out the areas of the regulation that the ICO considers have not been complied with. Three articles are cited: Article 5, Article 6 and Article 14. A breach of any one of these can attract the highest tier of penalty under the regulation: up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Article 5

Article 5 of the GDPR sets out the principles relating to the processing of personal data. There are six principles under Article 5 which set the ground rules for how data must be processed. The enforcement notice that AggregateIQ received cites the first three:

Article 5 (1)(a), (b) and (c)

  • Processed lawfully fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purpose or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).

Article 6

Article 6 of the GDPR sets out when processing is lawful under the regulation and is one of the most important articles for any organization processing personal data. The definition of "processing" itself is given in Article 4. The enforcement notice sets out that AggregateIQ and Vote Leave must have a lawful basis for the processing they carried out. There are six lawful bases for processing under the regulation:

  • Consent by the data subject
  • Performance of a contract with the data subject, or steps taken at the data subject's request before entering into one
  • For compliance with legal obligations
  • To protect the vital interests of the data subject
  • In public interest or exercise of official authority vested in the controller
  • Legitimate interest pursued by the controller

Article 14

Article 14 specifies the information that must be provided to a data subject when their personal data has not been obtained from them directly. This information should include the identity and contact details of the data controller, the contact details of the data protection officer (where one has been appointed), and the purposes of the processing. The enforcement notice states that the ICO does not believe any of this information was provided to data subjects.

“The commissioner is satisfied that the controller has failed to comply with Articles 5 (1)(a)-(c) and Article 6 of the GDPR. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. Furthermore, the processing was incompatible with the purposes for which the data was originally collected.”

Under the terms of the enforcement notice, AIQ had 30 days to "cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes."

Why is this GDPR enforcement notice significant?

This enforcement notice to AggregateIQ from the Information Commissioner's Office is significant for a number of reasons. Most importantly, it is the first enforcement notice to be publicized under the GDPR since the regulation came into effect; the fines announced since May 25th have all related to incidents that pre-date the GDPR and were issued under the previous Data Protection Act 1998.

The ICO has, for example, announced its intention to fine Facebook £500,000 for its role in the Cambridge Analytica scandal. That incident, however, took place under the previous Data Protection Act 1998, so £500,000 was the maximum penalty that could be levied.

As this is the first case to reach enforcement, its outcome and any resulting fine are likely to set a precedent for cases that follow. Because the maximum penalty is now so much higher than before, this case will act as a benchmark for future fines. In addition, AggregateIQ is based in Canada, which reinforces the fact that the GDPR applies to organizations anywhere in the world that process the personal data of people in the EU, and that supervisory authorities are prepared to take enforcement action across borders.

Now that the first notice has been served, it will be worth watching how quickly another is publicized, and to whom.

Working with compliant vendors and processors

One of the key tenets of the GDPR is to strengthen protection for data subjects and to bring data protection law up to date with the technological advances of the past two decades. Under the updated law, both data controllers and data processors have a responsibility to comply and to ensure that data is processed lawfully and securely. This makes it vital for controllers to work with vendors and suppliers who can be trusted and who can demonstrate their compliance.

As a vendor committed to complying with the GDPR, Redstor has taken extensive measures to ensure that internal policies and processes uphold the regulation and that all staff are aware of their responsibilities and rights under the GDPR.
