Brexit data firm hit with the first formal notice under GDPR

• Data retained to run Brexit election social media campaign was not secured

• The personal data was accessed by an unauthorised third party

• AIQ must stop processing data received from the political organisations

Aggregate IQ Data Services (AIQ) has been issued with the first formal notice under the new data regulations. As part of AIQ’s contract with several political organisations, the company was provided with personal data including names and email addresses of UK individuals. The personal data was used to target individuals with political advertising on social media.

AIQ confirmed on 31st May 2018 that the personal data was still held by them. The data was stored on a code repository and had been subject to unauthorised access from a third party.

The Information Commissioner’s Office (ICO) decided that the controller had failed to comply with Articles 5 (1)(a)-(c) and Article 6 of the GDPR. AIQ processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected. The processing was incompatible with the purposes for which the data was originally collected.

AIQ failed to comply with Article 14 of GDPR as they did not provide data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) applied.

The ICO decided that the failure has caused or is likely to cause any person damage or distress, therefore it has served an Enforcement Notice. AIQ must cease processing any personal data of UK citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or advertising purposes.