The blizzard of emails requesting your consent to data processing may have stopped, but is there any evidence that things have changed in practice? Recent developments suggest GDPR is beginning to bite those who fail to comply.
AIQ told to ‘Leave’ data alone
In July, the Information Commissioner’s Office (ICO) issued its first enforcement notice under GDPR, against AggregateIQ (AIQ). AIQ has appealed, and whilst the outcome remains unknown, the potential impact of this first enforcement action is significant.
AIQ is a Canadian company that processed data for political organisations. The ICO stated that GDPR was breached when the firm processed the personal data of UK and EU citizens (such as names and email addresses) for use in UK political campaigns. AIQ’s processing allowed the company to target online adverts at voters during elections and referendums, and played an important role in the Leave campaign.
The company was not authorised to process the personal data in this way, and the enforcement notice required AIQ to stop the unauthorised processing “for the purposes of data analytics, political campaigning or any other advertising purposes”. The processing began before GDPR came into force, but because the data continued to be processed and retained after 25 May 2018, the ICO confirmed that GDPR still applies.
Since GDPR came into force, the ICO has announced that it is receiving up to 500 calls a week relating to breach notifications. The ICO has also confirmed that it has begun formal enforcement action against over 30 organisations that have failed to pay the new data protection fee.
Many organisations are struggling with the 72 hour period in which a notifiable breach must be reported to the ICO. The clock starts when the organisation becomes aware of the breach, and 72 hours means consecutive hours, not ‘business hours’: a breach discovered on a Friday afternoon must be reported by the following Monday afternoon. Late notification is itself a breach of GDPR and could result in hefty penalties for, or enforcement action against, the organisation. Understandably, organisations may not have all the information to hand at the time of reporting, and GDPR allows the details to be provided in phases. What is needed is an initial report within the 72 hours, and an individual of sufficient seniority and clearance to liaise with the ICO and indicate when the rest of the information will be available. Note that a breach need only be reported to the ICO where it is likely to result in a risk to the rights and freedoms of the affected individuals; a breach that is unlikely to result in such a risk need not be reported (although it should still be recorded internally). Even so, many organisations are ‘over-reporting’ in order to ensure strict compliance.
The ICO’s proactive approach to enforcing GDPR, alongside the serious penalties for non-compliance, including potential fines of up to €20 million or 4% of a company’s worldwide annual turnover, whichever is higher, should act as a warning to other companies and motivate them to ensure they are fully GDPR compliant.
A particularly noteworthy aspect of the AIQ enforcement action is the location of the company. GDPR applies to organisations outside the EU where their processing relates to individuals within the EU, for example where they monitor the behaviour of EU residents or offer them goods or services. AIQ is a Canadian company, so it is evident that non-European companies are not outside the scope of GDPR and will receive the same level of scrutiny as UK and EU based companies.
What should my organisation be doing?
The action taken against AIQ demonstrates the broad scope of GDPR and the ICO’s proactive approach to holding organisations to account. In order to avoid the penalties and damaging publicity attached to a GDPR breach, companies need to review regularly how they handle and process personal data, and gain a clear understanding of GDPR, to avoid becoming the next recipient of an enforcement notice. These reviews need to be reflected throughout the organisation, so that systems and processes are GDPR compliant and staff receive regular GDPR training.
Take a look at the GDPR page on our website for more guidance.
This blog post was written by associate Sarah Souter and paralegal Katie Rice. For further information, please contact:
Sophie Brookes, partner, Corporate team
T: 0161 836 7823