By JP Buckley

In just a short space of time, the ever-evolving world of data protection and cyber has seen yet more change:
1. Potentially one of the last enforcement actions under the Data Protection Act 1998 against Equifax – and a maximum £500,000 fine for them for failing to secure UK citizens’ personal data against breach. This is against the UK part of the organisation but for its failure to secure the data while being held by the US-based group company.

2. News of the first enforcement notice from the ICO against Canada’s Aggregate IQ – the organisation that assisted with the profiling and targeting of adverts to gain support for Vote Leave. Interestingly, the notice lists a range of non-compliances including processing without a lawful basis, and failing to provide transparency information to the individuals whose data it was. The notice requires the data processing to be ceased, and it is dated 6 July but was only reported in the media on 20 September. Aggregate IQ have filed a notice to appeal the enforcement notice. We wait to see what happens next. This is, of course, all part of the deeper investigation into political campaigning which has been ongoing with the ICO for some months and has already resulted in fines for Vote Leave itself and Emma’s Diary.