Crystal N. Lowery
Loyola University Chicago School of Law, JD 2020
On July 6, 2018, the Information Commissioner’s Office (ICO) issued its first Enforcement Notice under the General Data Protection Regulation (GDPR) and the United Kingdom’s Data Protection Act 2018 (DPA) to AggregateIQ (AIQ). The GDPR is a law regulating data protection and privacy, as well as the export of personal data outside of the European Union (EU). It became enforceable on May 25, 2018. The DPA supplements the GDPR in UK law and regulates the processing of personal data. The ICO is the UK regulator that enforces the DPA and the GDPR. AIQ is a Canadian digital advertising, web and software development company that was served with the notice over its use of data analytics in political campaigning. This article will address the AIQ enforcement notice and how companies can ensure compliance with the GDPR and avoid receiving an enforcement notice of their own.
What are the ICO’s concerns and AIQ’s requirements?
In May 2017, the ICO began a formal investigation of AIQ’s use of data analytics in its work with UK political organizations. AIQ obtained, at a minimum, the names and email addresses of UK citizens and used that personal data to target political advertising on various social media platforms. AIQ retained the personal data for more than a year, and stored it in a way that left it accessible to unauthorized third parties. Although the data was collected before the GDPR became enforceable, the ICO alleges that AIQ continued to hold it after the GDPR took effect, which brings that continued processing within the regulation’s scope.
The ICO found that AIQ was not in compliance with the data protection principles in Article 5 of the GDPR, which require personal data to be processed lawfully, fairly and transparently; collected for specified, explicit purposes; and kept relevant and limited to what is necessary for those purposes. Lawfulness in turn means that the processing rests on one of the lawful bases listed in Article 6. The ICO found that AIQ “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis.” AIQ also failed to comply with Article 14 of the GDPR, which applies where personal data is not obtained directly from the individual: AIQ did not tell the data subjects what data had been collected, how it would be used, who would receive it, or how long it would be retained. The ICO further found that AIQ’s misuse of personal data, and its failure to comply with the GDPR, could cause the data subjects damage or distress.
AIQ is required to “cease processing any personal data of UK or EU citizens … for the purposes of data analytics, political campaigning or any other advertising purposes” within 30 days, or face penalties of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. For AIQ, a company whose primary business is processing personal data for political campaigns, this could mean the end of the organization.
Ensuring Compliance with the GDPR
The GDPR focuses on protecting the personal data of individuals in the EU and the UK and on holding companies accountable for how they use that data. Many companies became concerned about their ability to comply with the GDPR’s many requirements once the ICO began issuing enforcement notices. With limited exceptions, every company that processes the personal data of individuals in the UK or EU must comply with the GDPR, regardless of where the company itself is located; AIQ, a Canadian company, is the case in point. In addition to enforcement, the ICO helps companies comply by publishing self-assessment checklists. All companies should start by familiarizing themselves with the GDPR and the DPA and then audit their current practices. The audit should establish whose data is being processed, on what lawful basis, where it is stored, who has access to it, and how and when it is disposed of.
Next, the compliance department must write and implement policies and procedures that reflect the requirements of the GDPR. The GDPR assigns obligations by role. A company is a Controller if it determines the purposes and means of processing personal data, and a Processor if it processes personal data on a controller’s behalf; a company can be both, for different processing activities. The Controller decides why and how data is processed and must be able to demonstrate a lawful basis for it. The Processor may act only on the controller’s documented instructions, must keep records of its processing, and shares liability with the controller if it breaches its own obligations. A Data Protection Officer (DPO) must be appointed where processing is carried out by a public authority, or where a company’s core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the DPO monitors the company’s compliance with the GDPR. The policies and procedures must establish what data is being processed and how it is processed, stored, and disposed of. They should also incorporate approved codes of conduct for employees who work with personal data, and those employees should be trained on the requirements. The policies and procedures must be comprehensive and cover how consent is obtained, recorded and withdrawn, how privacy notices are provided, and how long data is retained.
Internal monitoring, auditing, and corrective action are required under the GDPR’s accountability principle: a company must not only comply but be able to demonstrate that it complies. Monitoring and auditing should confirm that the confidentiality and privacy of personal data are maintained, and a Data Protection Impact Assessment (DPIA) must be carried out before any processing that is likely to result in a high risk to individuals. The DPIA assesses the level of risk that the processing poses to individuals and establishes measures to reduce it. If the DPIA identifies a high risk that the controller cannot mitigate, the ICO must be consulted before the processing begins. If a personal data breach occurs, the controller must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Failing to notify the ICO is itself a violation, punishable by a fine of up to 10 million euros or 2% of annual worldwide turnover, whichever is higher.
Although the GDPR’s comprehensive requirements are overwhelming for some companies, the ICO’s goal is not to penalize companies but to protect personal data. In fact, the ICO encourages companies to use its self-assessment checklists and to consult it whenever the regulations are unclear or need further explanation. Under these rules, companies that follow them can be confident in their use of personal data, and individuals in the EU and UK can be confident that companies use their data only for the purposes they were told about.