{"id":2030,"date":"2018-10-25T11:41:53","date_gmt":"2018-10-25T16:41:53","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=2030"},"modified":"2018-10-25T11:41:53","modified_gmt":"2018-10-25T16:41:53","slug":"the-first-gdpr-enforcement-notice","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=2030","title":{"rendered":"GDPR Enforcement Notice to AggregateIQ"},"content":{"rendered":"<p><em>Crystal N. Lowery <\/em><\/p>\n<p><em>Associate Editor<\/em><\/p>\n<p><em>Loyola University Chicago School of Law, JD 2020<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>On July 6, 2018, the Information Commissioner\u2019s Office (ICO) issued its first <a href=\"https:\/\/ico.org.uk\/media\/2259362\/r-letter-ico-to-aiq-060718.pdf\">Enforcement Notice<\/a> under the <a href=\"https:\/\/gdpr-info.eu\/\">General Data Protection Regulation (GDPR)<\/a> and the United Kingdom\u2019s <a href=\"http:\/\/www.legislation.gov.uk\/ukpga\/2018\/12\">Data Protection Act 2018 (DPA)<\/a>, addressed to AggregateIQ (AIQ). The GDPR is an EU regulation <a href=\"https:\/\/eugdpr.org\/\">governing data protection and privacy<\/a>, including the transfer of personal data outside the European Union (EU). It became enforceable on May 25, 2018. The DPA supplements the GDPR in UK law and <a href=\"https:\/\/www.itgovernance.co.uk\/data-protection\">regulates the processing of personal data<\/a>. The ICO is the UK regulator that enforces the DPA and the GDPR. <a href=\"https:\/\/aggregateiq.com\/\">AIQ is a Canadian<\/a> digital advertising, web and software development company; the ICO found that its use of data analytics in political campaigning contravened the GDPR. This article addresses the AIQ enforcement notice and how companies can ensure compliance with the GDPR so as to avoid receiving an enforcement notice.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>What are the ICO\u2019s concerns and AIQ\u2019s requirements? 
<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>In May 2017, the ICO began a <a href=\"https:\/\/ico.org.uk\/media\/2259362\/r-letter-ico-to-aiq-060718.pdf\">formal investigation of AIQ\u2019s<\/a> use of data analytics in its work with UK political organizations. AIQ obtained, at a minimum, the names and email addresses of UK individuals and used that personal data for <a href=\"https:\/\/sites-jenner.vuturevx.com\/25\/1175\/october-2018\/gdpr-enforcement--the-ico-comes-a-knockin----lawyer-advertising(1).asp\">targeted political advertising<\/a> on various social media platforms. AIQ retained the personal data for more than a year, and it was subjected to unauthorized access by third parties. Although the data was collected before the GDPR became applicable, the ICO alleges that AIQ continued to hold it after the GDPR took effect.<\/p>\n<p>&nbsp;<\/p>\n<p>The ICO found that AIQ was not in compliance with <a href=\"https:\/\/gdpr-info.eu\/art-5-gdpr\/\">Article 5 of the GDPR<\/a>, which requires that personal data be processed lawfully, fairly and transparently; be collected for specified, explicit and legitimate purposes; and be adequate, relevant and limited to what is necessary. Processing is lawful only if it rests on one of the legal bases listed in <a href=\"https:\/\/gdpr-info.eu\/art-6-gdpr\/\">Article 6<\/a>, such as consent or legitimate interests. The <a href=\"https:\/\/ico.org.uk\/media\/2259362\/r-letter-ico-to-aiq-060718.pdf\">ICO found<\/a> that AIQ \u201cprocessed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis.\u201d AIQ also failed to comply with <a href=\"https:\/\/gdpr-info.eu\/art-14-gdpr\/\">Article 14<\/a> of the GDPR, which applies where personal data are not obtained directly from the data subject, because AIQ did not tell the data subjects what data had been collected, how it would be used, who would receive it, and how long it would be retained. 
The ICO also found that AIQ\u2019s misuse of personal data and failure to comply with the GDPR could cause damage or distress to the individuals concerned.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/ico.org.uk\/media\/2259362\/r-letter-ico-to-aiq-060718.pdf\">AIQ is required<\/a> to \u201ccease processing any personal data of UK or EU citizens \u2026 for the purposes of data analytics, political campaigning or any other advertising purposes\u201d within 30 days or <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=b4b654fc-f150-40d8-b6f5-e953c46469f5\">face penalties<\/a> of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher. For AIQ, a company whose business consists primarily of processing personal data for political campaigns, this could mean the end of the organization.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Ensuring Compliance with the GDPR<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>The GDPR focuses on protecting the personal data of individuals in the EU and UK and on holding companies accountable for how they use that data, and companies are now being held to account under it. Many companies are concerned about their ability to comply with the multitude of obligations under the GDPR now that the ICO has started issuing enforcement notices. With <a href=\"https:\/\/gdpr-info.eu\/art-2-gdpr\/\">limited exceptions<\/a>, the GDPR applies to every organization established in the EU or UK that processes personal data, and to organizations elsewhere (such as AIQ in Canada) that offer goods or services to, or monitor the behaviour of, individuals in the EU or UK. In addition to <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=b4b654fc-f150-40d8-b6f5-e953c46469f5\">enforcement<\/a>, the ICO helps companies comply by providing <a href=\"https:\/\/ico.org.uk\/for-organisations\/resources-and-support\/data-protection-self-assessment\/\">self-assessment checklists<\/a>. 
All companies should start by <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/\">familiarizing themselves with the GDPR<\/a> and the <a href=\"https:\/\/ico.org.uk\/for-organisations\/data-protection-act-2018\/\">DPA<\/a> and then auditing their current practices. The audit should establish whose data is being processed, on what lawful basis, where it is stored, who has access to it, and how it is disposed of.<\/p>\n<p>&nbsp;<\/p>\n<p>Next, the compliance department must write and implement policies and procedures that reflect the requirements of the GDPR. The GDPR distinguishes two roles, <a href=\"https:\/\/gdpr-info.eu\/chapter-4\/\">the Controller and the Processor<\/a>, and in many cases requires the appointment of a <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/data-protection-officers\/\">Data Protection Officer (DPO)<\/a> to monitor compliance with the regulation. The Controller determines the purposes and means of processing and must identify a <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/lawful-basis-for-processing\/\">lawful basis for processing<\/a>. The Processor processes personal data on the Controller\u2019s behalf and under its documented instructions. Both must <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/documentation\/\">maintain records<\/a> of their processing activities, and both can be held liable for damage caused by processing that breaches the GDPR. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The policies and procedures must establish what data is being processed and how it is processed, stored, and disposed of. They should also incorporate any <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/codes-of-conduct\/\">approved codes of conduct<\/a> that apply to the sector, and employees who work with personal data should be trained on the updated requirements. 
The policies and procedures must be comprehensive and cover how consent to process data is obtained, recorded and maintained, how privacy notices are provided, and how long data is retained.<\/p>\n<p>&nbsp;<\/p>\n<p>The GDPR\u2019s accountability principle requires organizations to be able to demonstrate their compliance, which in practice means internal monitoring, auditing, and corrective action. Monitoring and auditing should confirm that the confidentiality and privacy of personal data are maintained, and a <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/data-protection-impact-assessments\/\">Data Protection Impact Assessment (DPIA)<\/a> must be conducted before any processing that is likely to result in a high risk to individuals. The DPIA assesses the level of risk to individuals from the processing and identifies measures to reduce it. If a high risk remains that the Controller cannot mitigate, the ICO must be consulted before the processing begins. If a <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/personal-data-breaches\/\">personal data breach<\/a> occurs that is likely to pose a risk to individuals\u2019 rights and freedoms, the ICO must be notified within 72 hours of the organization becoming aware of the breach, and where the risk is high the affected individuals must also be informed without undue delay. Failure to notify the ICO can result in a <a href=\"https:\/\/gdpr-info.eu\/art-58-gdpr\/\">fine or other corrective measures<\/a> imposed by the supervisory authority.<\/p>\n<p>&nbsp;<\/p>\n<p>Although the comprehensive requirements of the GDPR can be overwhelming for some companies, the goal of the ICO is not to penalize companies but to protect the privacy of personal data. In fact, the ICO encourages companies to use its self-assessment checklists and to consult it whenever the regulations are unclear or need further explanation. 
Under these regulations, companies that comply can use personal data with confidence, and individuals in the EU and UK can be confident that their data is used only for the purposes they were told about.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On July 6, 2018, the Information Commissioner\u2019s Office (ICO) issued its first Enforcement Notice under the General Data Protection Regulation (GDPR) and the United Kingdom\u2019s Data Protection Act 2018 (DPA), addressed to AggregateIQ (AIQ). The GDPR is an EU regulation governing data protection and privacy, including the transfer of personal data outside the European Union (EU). It became enforceable on May 25, 2018. The DPA supplements the GDPR in UK law and regulates the processing of personal data. The ICO is the UK regulator that enforces the DPA and the GDPR. AIQ is a Canadian digital advertising, web and software development company; the ICO found that its use of data analytics in political campaigning contravened the GDPR. This article addresses the AIQ enforcement notice and how companies can ensure compliance with the GDPR so as to avoid receiving an enforcement notice. 
<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[731,936,1623],"class_list":["post-2030","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-enforcement","tag-gdpr","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2030"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2030\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}