If you thought advice on the GDPR was a conspiracy by lawyers to extract more fees from gullible, risk-averse clients (because, well, we're in Australia), think again.
A company based in Canada just got slapped with enforcement notices by the UK's Information Commissioner's Office.
AggregateIQ Service Ltd was involved in processing personal data collected during the UK's Brexit referendum. It turns out they were processing personal information in a way that data subjects were not aware of, for purposes they never would have expected, and without a lawful basis for that processing. The processing was incompatible with the purposes for which the data was originally collected, and the breaches were considered likely to damage or distress the individuals involved. Pretty damning stuff in the world of data protection. The notices require AggregateIQ to get its act together, or else (the "or else" being a fine of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher).
But we're interested because these are the first enforcement notices that have been issued to a company based outside the EU. The UK ICO said the GDPR applied to AggregateIQ because it was monitoring the behaviour of data subjects in the EU (in this case the UK). If you offer goods or services to, or monitor the behaviour of, people in the EU, the GDPR applies to you regardless of where your company is based.
There can be no doubt now that EU regulators will be prepared to enforce the GDPR against companies outside of the EU.
What to do? We have an excellent summary here.
We do not disclaim anything about this article. We're quite proud of it, really.