THE INFORMATION COMMISSIONER'S OFFICE (ICO) has slapped Leave.EU and Arron Banks' insurance firm with fines totalling £120,000 for "serious breaches" of electronic marketing laws.
We knew this was coming; the watchdog announced in November that it intended to fine the two companies, which on Friday it concluded were "closely linked" and had "ineffective" systems in place for segregating the personal data of insurance customers from that of political subscribers.
Leave.EU was fined £15,000 for using Eldon Insurance customers' details unlawfully to send almost 300,000 political marketing messages, and a further £45,000 for its part in sending an Eldon marketing campaign to political subscribers. Eldon was fined £60,000 for the breach.
The ICO also announced that it will audit both Leave.EU and Eldon Insurance, and an assessment notice issued to the firms allows the watchdog to access Leave.EU and Eldon's joint offices, staff, and documentation.
The ICO says it plans to examine the companies' data protection practices, including how personal data is processed, and the types of training made available for staff. It will also interview key employees across both organisations, including the directors, staff and their data protection officers.
Elizabeth Denham, Information Commissioner, said: "It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.
"We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers' personal information."
The assessment notices allow the ICO access to Leave.EU and Eldon's joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.
Today's fine comes after the ICO issued the first GDPR notice to AggregateIQ, a company that profiled voters using data improperly acquired from Facebook.