Even before the advent of the GDPR in May 2018, it was clear that the marketing list industry, which for many years had operated without much in the way of regulatory scrutiny, had caught the Information Commissioner’s attention. In 2016, the ICO handed out a record fine to a company which had used a bought-in list. And in November 2017, the ICO fined another company because it had failed to make clear what it was going to do with people’s personal data.
It therefore seems that the ICO now has the data brokerage industry firmly within its sights. The ICO has said that it has concerns about the impact of invisible data processing on UK citizens and is currently looking at the data broking industry, including how businesses trade and use personal data behind the scenes.
Marketing list brokers may fail to comply for any number of reasons, but by far the most common (and perhaps the one which attracts the greatest ire of the regulator) is the failure to have valid and up-to-date consent to the sharing of personal data with third parties.
That is the position under the current regime, but the industry is going to face more stringent hurdles under the GDPR, because the requirements for valid consent will be more onerous. Consent will have to be clear, affirmative, freely given, unambiguous and specific to the processing for which consent is sought. Silence, pre-ticked boxes or inactivity (the mainstays of many “opt-out” lists) will no longer be enough for valid consent. Given the move under the GDPR to a strong “opt-in” model for valid consent, together with the increased consequences for failure to comply with the GDPR (not least in the form of fines), it is highly unlikely that the marketing list industry will be able to survive in its current form.
In order to use a bought-in list for direct marketing, buyers need to demonstrate that they have a lawful ground for doing so. Organisations have a choice here – “consent” or “legitimate interests”. Relying on the “legitimate interests” ground for direct marketing may sometimes be possible, but organisations also have to bear in mind the separate rules (in the UK, the Privacy and Electronic Communications Regulations) governing direct marketing by email and other electronic communications, which may require consent regardless of the lawful ground chosen under the GDPR.
But it is around the consent issue where buyers of lists face their greatest compliance headache. Assuming the buyer (who will be the data controller) is planning on using “consent” as a basis for the marketing activity using the bought-in list, how is it going to satisfy the requirement under GDPR to demonstrate that the individual has consented to the specific marketing activity proposed by the buyer?
Even where a marketing list broker gives an assurance (contractual or otherwise) that the consent is valid, the ICO has made it clear that it is not acceptable simply to rely on that assurance. It is incumbent on the buyer to carry out due diligence in order to really drill down into whether (a) the data is up to date; (b) the broker has the individual’s permission to pass the data on to the buyer (either named specifically or as part of a category of recipients); (c) the consent given by any particular individual was obtained in a valid way for the specific marketing activity proposed by that particular organisation; and (d) the consent is recent enough to still be valid.
If the consents are not valid and/or the buyer is not able to comply with its obligation to demonstrate consent, then the organisation runs the risk of breaching the GDPR. Breaching the rules on consent falls within the higher tier of fines (up to 4% of total worldwide annual turnover or €20 million, whichever is the higher).
Also, it will be easier for individuals to bring a claim for damages for a breach of the GDPR, since damages can be “material and immaterial” – in other words it could be enough to show mental distress. Finally, there is a possibility that the list purchaser may be found to be jointly liable for the transgressions of the list broker as well as its own if it was the case that they each were found to be involved in the “same processing”.
Firstly, beware of list brokers who are not willing to allow buyers to conduct due diligence. It suggests they may have something to hide.
Secondly, for the due diligence, buyers need to really understand the process and data flow that culminated in the list being compiled. Then they need to examine the wording of the consents given – are they valid in themselves, and were they “freely given”? Whilst it will obviously be impractical to do this for large quantities of personal data, ask for a sample or cross-section, make sure that the remainder of the list was compiled in the same way, and get a guarantee from the broker to that effect.
Next, make sure your broker will still be around if the regulator comes knocking at the door with a fine or an individual brings a damage claim. The most comprehensive contract in the world won’t do a buyer much good if the broker is now insolvent.
Next, if a buyer does buy a list and use it, make sure that any names on the list are screened against the buyer’s own “do not contact me” suppression list and against external suppression services such as the Telephone Preference Service and Mailing Preference Service.
Next, ensure that if the list is purchased and amalgamated into the buyer’s CRM database, the source of that data is clearly identified. This is useful for demonstrating compliance, but it also allows the buyer to extract that list later if it is in doubt, without tarnishing its entire database.
Next, buyers would be well advised to carry out a privacy impact assessment (a data protection impact assessment, in GDPR terms) before buying any list, so that they can record that they genuinely considered the risks of doing so and took appropriate steps to mitigate those risks.
Finally, remember that the buyer becomes a data controller of this bought-in personal data and so, aside from all the other compliance obligations under the GDPR, it is required (subject to some exemptions) to provide certain information (in the form of a privacy notice) to the individuals on the list. This has to be done within one month of obtaining the data at the latest or, where the data is going to be used to communicate with the individuals, no later than the time of that first communication.