It was reported that the Information Commissioner’s Office (ICO) has handed the United Kingdom’s first formal General Data Protection Regulation notice to a Canadian firm linked to Cambridge Analytica, the firm behind the Facebook data scandal. AggregateIQ (AIQ) was accused of processing people’s data “for purposes which they would not have expected”. The ICO said that although the data was gathered before 25 May, when the GDPR regulations came into effect, it was concerned about the “continued retention and processing” of data after that date. This, it said, meant GDPR applied to AIQ’s handling of that information.
Adam Brown, Manager of Security Solutions at Synopsys:
“AIQ will need to provide evidence of user data consent given by each EU resident they have on record. Thus proving that AIQ has permission to keep and process those records.
The issuance of the GDPR notice will be highly charged politically. While that shouldn’t make any difference to the ICO’s assessment, it will be interesting to see what fine—if any—is levied. The potential fines could ruin a small to medium-sized firm.”