The ICO has conducted an investigation into data protection compliance in the data broking sector, specifically the provision of offline marketing services by the credit reference agencies operating in the UK.
The Commissioner has issued Experian Limited with an enforcement notice ordering it to make changes to how it processes personal data for marketing services. The ICO has also published a report into the investigation.
Many organisations will have used the marketing services of the credit reference agencies (CRAs) or may wish to use such services. Any organisation using these and other data broking services must ensure that they comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
As well as these frequently asked questions there is specific guidance for customers or users of data broking services to remind them of their data protection obligations.
Why did you only take action against one of the CRAs?
We told all three CRAs of our intention to enforce our audit findings and issued them with preliminary enforcement notices outlining the steps we intended to require of them and invited their representations.
After substantial engagement with the three CRAs, Equifax and TransUnion made sufficient changes that an enforcement notice was no longer required in order to achieve compliance. This included both improvements to processes and stopping certain uses of personal data.
How will you check that the CRAs have complied?
We have already carried out checks to ensure that TransUnion and Equifax have complied with the requirements made of them. These were made on the basis of evidence supplied to us by each organisation, including updated procedures, documentation and records of decisions.
Where an enforcement notice is issued, the ICO has a number of tools available to ensure that the requirements set out by the notice have been met within the specified timeframe. This could include a review of evidence similar to that mentioned above, or a follow-up audit.
If an organisation fails to comply with an enforcement notice, it can be subject to further regulatory action, including a fine of up to 20,000,000 EUR or 4% of its global annual turnover.
Are you looking at the rest of the data broking industry?
Yes – we continue to develop our understanding of the industry and will take action where necessary and appropriate.
We have audited three other data broking organisations. We will publish our audit summaries for these three data brokers and communicate any further findings once this work is completed.
The ICO remains committed to pursuing other related work, including our investigation into adtech and real time bidding, within which data brokers have a role, and we will continue to investigate complaints about direct marketing.
We hold data that we previously obtained from the data broking services of the CRAs. Does this mean that we can’t use that data anymore?
Not necessarily, but you do need to check that it complies with the GDPR. For example, you should review the due diligence and compliance checks that you did before you obtained the data.
If the personal data you obtained, and your use of it, complies with the GDPR then you can continue to process it.
If, however, your checks reveal that the personal data is not compliant with the GDPR, you must take steps to ensure that it does comply; if this is not possible, you must stop using it.
Does this mean that we can’t use the data broking services of the CRAs anymore?
No, we are not saying that organisations must stop using the data broking services of the CRAs or other data brokers.
However, you must continue to ensure that you undertake appropriate due diligence to check that the personal data you intend to obtain, or the service you intend to use, complies with the GDPR – you must be able to demonstrate your compliance and be accountable.
The data we’ve bought from a data broker was ‘postcode’ level data. Does this mean we don’t need to do anything because we didn’t buy personal data?
‘Postcode’ level data is data on the presumed attributes based on social and lifestyle factors of people who live in a particular postcode or area.
Whilst such ‘postcode’ level data may not be personal data as it is sold or rented from a data broker, it can become personal data depending on what you do with it. For example, if you buy ‘postcode’ level data from data brokers and then link these attributes to your customers or supporters, this data will become personal data. This means that the normal data protection rules will apply once you add this data to your customers’ or supporters’ data. For example, you must have told people about this processing, and it must be fair and lawful.
Can we still use the credit referencing services of these CRAs?
Yes – you can still use the CRAs for credit referencing as normal. Our investigation and action relate to very specific aspects of the CRAs’ processing, focusing on their data broking for direct marketing activities.
Where can we find further information and guidance on how to comply?
We have published specific guidance for organisations using the services of data brokers.
The ICO’s Guide to the GDPR also contains lots of guidance to help you to comply with your data protection responsibilities. It includes information on transparency, lawful bases and individual rights.