After taking a week’s breather, it’s again an action by the ICO (the UK’s Information Commissioner’s Office) that draws my attention. On Tuesday, the ICO issued an enforcement notice to Experian. Experian was one of three credit reference agencies that the ICO has been auditing for the last two years after a complaint from Privacy International. As I’ve mentioned in previous weekly digests, once again we have a third party driving enforcement of the GDPR, and once again we have the ICO using an enforcement notice backed by the threat of a fine to drive corrective action rather than immediately issuing a fine.
The Pitfalls of Using Personal Data in Direct Marketing
The investigation looked at the agencies’ data brokering businesses and how they were using personal data for offline direct marketing. The scale and impact of the credit reference agencies is substantial. Paragraph 19 of the notice states that Experian’s two primary databases held entries on over 95% of all UK adults, mostly without their knowledge. The data was enriched with up to 500 attributes and then sold to businesses, charities and political parties, who used it to target specific individuals. To be clear, this business is not illegal and can be very positive for both businesses and individuals. What is illegal is the “without their knowledge” part.
The notice included five specific contraventions, but the following three are the most noteworthy:
- Lack of transparency about processing – Article 5(1)(a)
- Failing to inform individuals that Experian had obtained their personal data and was using it for direct marketing – Article 14
- Improperly assessing the lawful basis of processing – they specifically relied on legitimate interest for processing when the third parties they obtained personal data from were using consent – Article 6(1)
The ICO seems to have wanted to use this investigation to communicate some clear messages. It went so far as to publish a thorough report of its investigation. I think this approach is laudable. By shining a light into dark places it can make the public aware of these services and of their rights regarding direct marketing, while at the same time making customers of data brokers aware of the due diligence they need to undertake when working with these services.
Putting it all together: Data brokering, direct marketing and the GDPR
So if the ICO is trying to educate us by releasing this report, what are the lessons? Just to be clear, I’m thinking especially of businesses that might be using data brokerage services – not individuals. Although, I’d be happy to have that conversation with anyone who is interested. I think there are five.
Clear Privacy Notices
The ICO is reiterating the importance of having clear, accurate privacy notices at the point of data collection. If you’re using a data brokerage service, take the time to read its privacy notice. Is it clear from reading it where the personal data comes from and how it is being used? If it’s not clear how the broker is collecting the personal data it uses – including from which sources – how it’s being processed and how it’s being sold, then you need to have a deeper conversation with them to ensure they’re actually compliant.
No invisible processing – informed processing only
If a data broker is collecting personal data from third-party sources, enriching it by appending further data, and then selling it on – has it informed those individuals? Article 14 is extremely clear that if personal data is obtained from a third party rather than from the individual, the people whose data was obtained need to be informed by the data broker, at the latest within a month of the data broker obtaining their data. The ICO is being very clear that data brokers need to make sure that individuals are informed. If their data sources aren’t clear about it in their own privacy notices, then the data brokers must inform the individuals themselves. To ensure compliance, this may require asking the data broker specifically how it complies with Article 14, or auditing the privacy notices of all its data sources.
Data collected for one purpose can’t be used for another
It’s important to note that the ICO was clear in calling out the credit reference agencies for taking the data they collected for credit referencing purposes and using it for direct marketing purposes. The agencies were required to make significant changes, and in some cases where they couldn’t, they had to terminate some products. Make sure you’re not mingling data collected for one purpose with data collected for another purpose. Just because your company has the data doesn’t mean it can use it however it chooses.
Careful with consents
If a data broker is receiving personal data from a third party whose lawful basis for processing is consent, that consent doesn’t automatically extend beyond the collecting entity. If you’re working with a data broker that relies on consent obtained by its sources, be very careful. It’s most likely that the consent they obtained cannot be relied upon by your company.
Careful with legitimate interest
Since data brokering was part of the agencies’ business, they were relying on legitimate interest to justify their processing. The ICO specifically stated that when doing legitimate interest assessments (LIAs), the quantity of personal data being processed, the profiling and the transparency of the processing all need to be considered in relation to the rights and freedoms of the individuals. Given the scale – 95% of the UK’s adult population – the sophistication of the profiling – up to 500 attributes – and the lack of transparency – most people are unaware credit reference agencies are selling their data – the legitimate interest doesn’t balance against the rights and freedoms of individuals and cannot be relied upon. So if you’re using legitimate interest, make sure you consider the impact of your processing on the people whose data you’re processing and justify it objectively.
If you’re working with a data broker, or even undertaking your own direct marketing, take some time to read the full report. I’m sure you’ll find other bits of guidance from the ICO which will help make sure you’re conducting business in a way that benefits your business as well as your clients.
GDPR365 offers a highly affordable all-in-one solution. Starting at £45/month, a licence includes all features from data mapping to data breach management, as well as DPIA (Data Protection Impact Assessment) and DSAR (Data Subject Access Request) handling. Click the button below to book a demo and see how our software can speed up your compliance.