The European Union’s General Data Protection Regulation went into effect on May 25th of this year, requiring companies to report data breaches within 72 hours of the incident. Failure to comply with the regulation could lead to a fine of up to €20 million or four percent of annual global turnover, whichever is higher. The preceding policy—the Data Protection Act 1998—limited the highest fine to €500,000.
This regulation takes a hard stance against companies that lack transparency and fail to take adequate measures to protect citizens’ private information. Facebook’s involvement in a recent data scandal, in which the personal data of 87 million citizens was used without their consent, earned them their first GDPR notice, according to ZDNet.
Since the new policy went into effect, the UK’s Information Commissioner’s Office (ICO) has received about 500 calls a week reporting data breaches, but it has yet to issue a fine. It sent its first GDPR-related notice to AggregateIQ Data Services (AIQ) back in July, but the notice was only discovered recently by the legal firm Mishcon de Reya.
AIQ was a provider of software and tools involved in the Facebook-Cambridge Analytica data breach, making it the target of the ICO’s investigation “into the use of data analytics in political campaigns.” AIQ claims to still be in possession of EU citizen data, which the ICO says is held without those citizens’ consent.
“The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing,” said the ICO, which has given AIQ 30 days to comply with its requirement to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”