After the GDPR came into force, it was assumed that the big players, the multinational companies, would be the first to receive sanctions. However, the first action (filed in July and disclosed in September), an Enforcement Notice, was directed at AggregateIQ Data Services Ltd (AIQ), a Canadian political consultancy and data analytics company with 20 employees. It helped develop the algorithm used by Cambridge Analytica to target Facebook users in the 2016 US presidential election.
The AIQ investigation, run by the ICO, started before the GDPR’s effective date. The question was whether the company violated the privacy laws of Canada and British Columbia. At the time, AIQ refused to answer the ICO’s inquiries, claiming the UK agency had no jurisdictional hook to use against the Canadian company. However, the GDPR implicates data controllers and data processors anywhere in the world. This means that if a company collects or processes data of people in the European Economic Area, it has to comply with the GDPR. Therefore, the ICO found an angle to pursue action against AIQ.
LEARNING TIP: Even if your company is based outside the EU, GDPR rules may still apply. Businesses that deal with the EU market and process EU citizens’ personal data (collecting, storing or using it) must comply with the GDPR.