The UK's data protection regulator has served its first GDPR notice to Canadian firm AggregateIQ (AIQ) – one of the companies hired by Vote Leave to target online ads to voters ahead of the 2016 EU referendum.
The Information Commissioner's Office (ICO) has accused AIQ of processing people's data "for purposes which they would not have expected" after the May 25 GDPR deadline.
AIQ has already lodged an appeal, telling the BBC: "We appealed the enforcement notice to the first level tribunal [a legal mechanism for challenging ICO notices]."
The notice is the first official GDPR warning the ICO has issued since the sweeping regulations came into force four months ago.
AIQ has been linked to Cambridge Analytica, an association it has denied. It has also been linked to a number of pro-Brexit clients, including Northern Ireland's Democratic Unionist Party and Veterans for Britain.
It was paid £2.7m by Vote Leave to target ads at potential voters in the run-up to the Brexit vote.
While this data was collected before GDPR came into force, the ICO is concerned about the way it has been retained and processed since.
“The commissioner has been in contact with AIQ regarding the processing of personal data by AIQ on behalf of UK political organisations, in particular Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave,” the ICO said in the notice.
“In correspondence with the commissioner dated 30 May 2018 AIQ confirmed that personal data regarding UK individuals was still held by it. This data is stored on a code repository and has previously been subject to unauthorised access by a third party.”
Under GDPR, EU regulators can impose fines of up to £20m or 4% of annual turnover (whichever is higher) on organisations that fail to meet standards around data protection, processing, consent and more.
Earlier this year, 45% of UK marketers said they were setting aside money for potential fines.