The Information Commissioner’s Office (ICO) has published a “Direct Marketing Detailed Guidance”, further to an investigation into data protection compliance in the field of direct marketing data brokering organisations, and the organisations which use the marketing services of such data brokers.
Below we’ve summarized the guidance. 👇
Please see ICO’s official site for the published “Direct Marketing Detailed Guidance”
Data collection from many sources is combined, then sold or rented to other organizations in the process of data broking for direct marketing reasons:
- selling lists of contact details;
- selling copies of the open electoral register;
- profiling and data enrichment (eg adding data to the profile you already hold people);
- data matching (eg providing phone numbers for people who you only hold address details for);
- data cleansing and tracing (eg removing deceased records from your database and tracking down new contact details for people);
- screening services (eg screening the telephone numbers you hold against the Telephone Preference Service); and
- audience segmenting or other profiling (eg identifying target sub-groups within an audience for tailored messaging).
You must keep in mind that you are responsible for ensuring that your processing of personal data complies with data protection law if you use or intend to use the marketing services of data brokers.
You must perform the necessary due diligence to confirm that the personal data given to you conforms with data protection law before using data broking services.
Due diligence could include ensuring you have certain details such as:
- Who compiled the data – was it the data broker you are buying it from or was it someone else?
- Where was the data obtained from – did it come from the individuals directly or has it come from other sources?
- What privacy information was used when the data was collected – what were individuals told their data would be used for?
- When was the personal data compiled – what date was it collected and how old is it?
- How was the personal data collected – what was the context and method of the collection?
- Records of the consent (if it is ‘consented’ data) – what did individuals consent to, what were they told, were you named, when and how did they consent?
- Evidence that the data has been checked against opt-out lists (if claimed) – can it be demonstrated that the TPS or CTPS has been screened against and how recently?
- How does the data broker deal with individuals’ rights – do they pass on objections?
You must be honest and upfront with consumers about what you intend to do with their personal information, including when and where you plan to employ data brokering services to gather more information about your clients or create profiles of them.
Before requesting data from a data brokering service, make sure you have an appropriate legal basis.
