A Mandy Rice-Davies moment ...
"has always denied having a closer relationship than that of software developer and client" - "Well they would say that, wouldn't they?"
SCL Elections Ltd, the parent company of controversial data-mining outfit Cambridge Analytica, yesterday pleaded not guilty to a criminal charge of ignoring the Information Commissioner's Office. The company has been charged by the UK's data regulator with one count of failing to comply with an enforcement notice, a criminal …
Actually that admission is a monstrous error by AIQ. There's probably a memo winging its way from their lawyers to their PR snowflakes telling them something like "shut your mouth moron".
If it is true they have admitted CA is their client in their capacity as a software developer, then they likely process or have processed personal data (by way of test datasets) as either a processor or joint controller, and thus likely are engaged by the GDPR.
.
Further or alternatively, if it is true they have admitted they are a client of CA, then they have admitted processing personal data generally, as a controller, and thus likely are engaged by the GDPR.
Both ways, from 30 days subsequent to data subject right enforceability (i.e. 25 June 2018) they likely already have infringed the data subjects' GDPR rights in circa 25+ ways per data subject, simply from not providing a privacy Notification to all affected data subjects, even by way of placing on their web site a url link to a generalized Notification (pathetically implausible but everyone will do it until they get punished for it).
The unique thing about GDPR litigation is that, once GDPR is engaged by the Defendant (which AIQ constructively may have admitted), all legal burdens of proof are reversed (if you don't appreciate the implications of that, just ask any mass tort lawyer).
Nothing said above is legal advice.