Try this for a bad day at the office! Canadian company Aggregate IQ ServicesLimited recently received an Enforcement Notice from the UK Information Commissioner demanding that:
“AIQ shall within 30 days of this notice: Cease processing any personal data of any UK or European citizens obtained from UK political organisations or otherwise for the purpose of data analytics, political campaigning, or any other advertising purposes”.
I am sure their management had a few sleepless nights over this. An EU Privacy regulator flexing her very powerful rights under GDPR. This case will be a good test of the regulators’ powers to enforce GDPR in countries outside of the EU, especially as AIQ did not have a “representative” appointed under Article 27. (Businesses outside of the EU are required to have a “representative” in most cases if the business’processing of the relevant EU personal data was subject to GDPR. Fines of up to€10m or 2% of worldwide turnover apply for breach of this requirement).
Be warned, the EU regulators have the power to force non-compliant businesses to stop processing EU personal data, as well as the power to issue multi million Euro fines.