Canadian firm AggregateIQ has received the UK’s first formal notice under the EU’s new General Data Protection Regulation. The UK regulator is clearly willing to take enforcement action, and businesses should review how they handle data - including data collected before the GDPR came into force.

AIQ is a small data firm that uses data to target advertisements at voters online. Earlier this year, AIQ found itself surrounded by controversy when whistleblower Chris Wylie alleged AIQ was linked to UK data firm Cambridge Analytica (which AIQ denies).

The Information Commissioner’s Office found that AIQ had violated the GDPR by failing to be transparent about its use of personal data when it micro-targeted voters on social media, using data received from the Vote Leave campaign. Although the data was gathered before the GDPR came into effect on 25 May 2018, AIQ continued to retain and process the data after that date.

The case is also a useful reminder of the fact that the GDPR regulates many non-EU businesses: AIQ falls within the scope of GDPR, as the data subjects monitored are based in the EU and the markets targeted are European. The GDPR’s territorial scope is a hot issue for many businesses, who will welcome this week’s announcement that EU regulator guidance will soon be published.

AIQ has said it will appeal the notice.