
At a glance

  • Data broking for direct marketing purposes involves collecting data about individuals from a variety of sources, then combining it and selling or renting it to other organisations.
  • If you use, or intend to use, the marketing services of data brokers you must remember that you are responsible for ensuring that your processing of personal data is compliant with data protection law.
  • Before you use data broking services you must undertake appropriate due diligence to satisfy yourself that the personal data being offered to you complies with data protection law.
  • You must be upfront and tell people what you want to do with their data, including where you intend to use data broking services to obtain additional data about your customers or to profile them.
  • You must ensure that you have an appropriate lawful basis before you seek data from a data broking service.

In brief

What is data broking for direct marketing purposes?

Many different types of organisations use the marketing services of data brokers.

Data broking for direct marketing purposes involves collecting data about individuals from a variety of sources, then combining it and selling or renting it to other organisations. The services provided by data brokers for direct marketing purposes include:

  • selling lists of contact details;
  • selling copies of the open electoral register;
  • profiling and data enrichment (eg adding data to the profile you already hold about people);
  • data matching (eg providing phone numbers for people who you only hold address details for);
  • data cleansing and tracing (eg removing deceased records from your database and tracking down new contact details for people);
  • screening services (eg screening the telephone numbers you hold against the Telephone Preference Service); and
  • audience segmenting or other profiling (eg identifying target sub-groups within an audience for tailored messaging).

Whilst the data brokers have responsibility for ensuring their processing of personal data is compliant with the law, those who are their clients and use their data broking services also have responsibilities under the GDPR and DPA 2018.

Therefore if you use, or intend to use, the marketing services of a data broker you must remember that you are responsible for ensuring that your processing of personal data is compliant with data protection law. This includes:

  • undertaking appropriate due diligence;
  • telling people what you want to do; and
  • having a valid lawful basis for the processing.

What due diligence might be appropriate?

Before you use data broking services you must undertake appropriate due diligence to satisfy yourself that the personal data being offered to you complies with the GDPR, DPA 2018 and, if applicable, the Privacy and Electronic Communications Regulations (PECR).

Simply accepting a data broker’s assurances that the data they are supplying is compliant is not enough. You must be able to demonstrate your compliance with the GDPR and be accountable.

You need to be satisfied that the personal data was collected fairly and lawfully, and that the individuals involved understood that their data would be passed to you for the particular purpose, such as direct marketing purposes.

Due diligence could include ensuring you have certain details such as:

  • Who compiled the data – was it the data broker you are buying it from or was it someone else?
  • Where was the data obtained from – did it come from the individuals directly or has it come from other sources?
  • What privacy information was used when the data was collected – what were individuals told their data would be used for?
  • When was the personal data compiled – what date was it collected and how old is it?
  • How was the personal data collected – what was the context and method of the collection?
  • Records of the consent (if it is ‘consented’ data) – what did individuals consent to, what were they told, were you named, when and how did they consent?
  • Evidence that the data has been checked against opt-out lists (if claimed) – can it be demonstrated that the data has been screened against the TPS or CTPS, and how recently?
  • How does the data broker deal with individuals’ rights – do they pass on objections?

This list is not exhaustive.

A reputable data broker should be able to demonstrate to you that the data is reliable. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.

What do we need to tell people?

You must be upfront about your processing of personal data and provide people with appropriate privacy information about what you intend to do with their data. You need to make your privacy information easy to understand and use plain language.

For example, if you intend to use data broking services to obtain additional data about your customers or to profile them, you must be clear and transparent and tell them before you do this. It is unlikely that your customers will expect you to be seeking data from other organisations about them. Therefore this should be clearly brought to their attention and not buried in your privacy information.

However, it is important to remember that simply stating what you intend to do with an individual’s personal data in your privacy information doesn’t automatically mean that you will be compliant – you must also make sure that your obtaining of the personal data and any intended use is fair and lawful.

If you buy or rent lists of individuals’ contact details to use for direct marketing, you must provide those on the list with your privacy information within one month of obtaining their data.

Our website contains guidance on the right to be informed which explains the privacy information that you must provide to individuals.

Do we need a valid lawful basis?

Yes, you must have an appropriate lawful basis under the GDPR for processing personal data. This means that if you intend to seek personal data from a data broking service, or if you seek ‘postcode’ level data to add to the records of your customers (ie presumed attributes based on social and lifestyle factors of people who live in a particular postcode or area) you must be able to demonstrate what your lawful basis for processing is before you obtain the data.

There are six lawful bases for processing and your choice of lawful basis will depend on the purpose for which you intend to process the personal data. Our website contains further guidance on lawful bases including a lawful basis interactive guidance tool.

If you intend to use contact details obtained from data brokers for electronic direct marketing, remember you may be required under PECR to have the individual’s consent and that consent must be to the GDPR standard.

Our website also contains detailed guidance on the consent and legitimate interests lawful bases, as well as guidance on electronic marketing in the Guide to PECR.

Where can we find further information?

The ICO’s Guide to GDPR contains lots of guidance, checklists and resources to help you to comply with your responsibilities under the GDPR.