The ICO has issued a report and an enforcement notice following its investigation into data protection compliance in the (offline) direct marketing data broking sector.

There is a lot to unpick in the documents beyond the obvious points on compliance issues. This includes useful insights on the ICO’s views and approaches on enforcement and assessments - no shying away from pointing the finger at Experian for allegedly failing to comply voluntarily and more fully earlier for example. However, it is also a report which is likely to make many brands feel even more confused about what they can do with acquired datasets, so I digest some of the takeaways below.

What was the investigation about?

Data broking (or ‘brokering’ in the US) involves collecting data about individuals from a variety of sources, then combining it and selling or licensing it to other organisations. It is an age old industry and one which has been scrutinised before by data protection regulators. In this latest investigation, the ICO conducted audits of the direct marketing data broking businesses of the three largest credit reference agencies (CRAs) in the UK. It found that, between these three CRAs, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced without their knowledge. Some of the CRAs were also using profiling to generate new or previously unknown information about people. This processing was used for the creation of products which were used by commercial organisations (for marketing purposes), political parties (for campaigning purposes) or charities (for fundraising purposes) to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

It is also important to flag what this investigation is not about. It did not concern online advertising (it doesn’t even mention email marketing which such datasets are commonly used to enhance) given there is a separate and highly publicised investigation already ongoing in that area focusing on real time bidding.

What are the Findings?

The ICO’s key findings and concerns were as follows:

Transparency

– the CRAs’ privacy notices did not clearly explain how personal data was collected and used in data broking direct marketing activities. The ICO said “mass processing of personal data for these [data broking] purposes, without adequate transparency, is out of line with the reasonable expectations of the public”.

Invisible processing

– the CRAs were not providing appropriate privacy information directly to all the individuals for whom they held personal data in their capacity as data brokers for direct marketing purposes. Where individuals are not aware that their data is being processed, this is called ‘invisible processing’ and has always been a high risk area.

Lawful basis

– the CRAs were using personal data collected for credit referencing purposes for limited direct marketing purposes without clearly explaining this to individuals or collecting consent. Where consent had been collected, it was often invalid as it did not meet the high GDPR-standard of consent. Where legitimate interests was relied on for direct marketing services, legitimate interests assessments were not properly completed. Further, in some cases, the CRAs would obtain data on the basis of consent and then switch to process the data on the basis of legitimate interests.

What are the consequences for the CRAs?

Two of the CRAs investigated have now voluntarily ceased the supply of non-compliant products and services, and the other has been issued with an enforcement notice to make ‘fundamental changes’ to how it handles personal data within its direct marketing services. It has until July 2021 to make such changes, subject to any appeal which is likely.

As part of the enforcement notice, the CRA has been ordered to delete any data supplied to it on the basis of consent that it is subsequently processing on the basis of legitimate interests – ie in providing additional products and services. The ICO report makes it clear that “where personal data is collected by a third party and shared for direct marketing purposes on the basis of consent, then the appropriate lawful basis for subsequent processing for these purposes will also be consent”.

What are the wider consequences and what action should you take?

CRAs were always a likely target for investigation given the large datasets and onward processing. Use cases for political parties and by others for enhanced direct marketing make them an even more obvious target given historical sensitivities there too. But this isn’t all doom and gloom and certainly not the end of a sector since the ICO also recognised in its report that data broking can be positive for both businesses and individuals, and that the data broking sector provides a valuable service to support organisations across the UK.

Key practical things to note:

The ongoing investigation is not limited to CRAs. The ICO is continuing to look into the direct marketing services of three other data brokers who do not operate as CRAs, and intends to carry out ‘further investigative, engagement and educational work’ to ensure that data broking activities comply with data protection law. Those in the data broker space should consider their activities in light of the criticisms, particularly around transparency and clear identification of lawful basis relied on.

Companies using data brokers aren’t being told they can’t as a result of this report but, given the scrutiny from the report should:

• Consider undertaking data protection impact assessments when obtaining new data from data brokers in order to set out assessments of protections, the information given to data subjects at the time and the validity of any lawful basis that the company intends to rely on for further processing. Many companies would already do this anyway but the report and enforcement notice make this more important.
• Consider retrospective data protection impact assessments or updated impact assessments on existing datasets which have been obtained from these sources.
• Make sure information provided to data subjects about the source of personal data and its use is clear and transparent – a good time to check privacy notices again.
• The report is not saying that legitimate interests can’t be relied on. However, relook at any legitimate interests assessments undertaken for large data set profiling and data matching. The ICO was unimpressed by the lack of objectivity in those of the CRAs which it looked through.
• Be aware of the genuine difficulties of any reliance on consents obtained by others. Not a new point but a reminder that it will rarely meet the thresholds for valid GDPR consent.
• Keep on top of the interrelated guidance from the ICO including its long awaited draft marketing and data sharing codes of practice – which contains detailed provisions on datamatching which provide useful tips on the expectations of the ICO in this are. The ICO’s report reminds readers these are on the way but does not yet give a date for when these will be laid before Parliament.