Hellen Beveridge CIPM CIPP/E FIDM Hellen Beveridge CIPM CIPP/E FIDM Privacy Lead, Data Oversight Ltd
Taking a trip with third party data

Taking a trip with third party data

Before the opportunities of data protection presented themselves, I spent the majority of my career in marketing. I'd like to think it makes me more operationally aware than some, having frequently been asked to achieve the impossible while wearing a straitjacket and pulling a ball and chain along the ground.

It also makes me a bit of a pain when organisations try to tell me something that is blatantly untrue.  Like a terrier down the rabbit hole, I am going to keep at it until I reach my quarry. Ever since the advent of GDPR, third party data brokers have been squarely in my cross-hairs. I should mention that I am not alone in this. Other members of the DP community are similarly vexed by these organisations, who somehow seem to think that because being compliant with the legislation is 'too hard' that they don't need to bother.

One of them even sent me a lovely explanation (which I have paraphrased slightly to shorten):

"Both the DMA and our consultant recognise the challenges data providers/resellers/agencies within the direct marketing industry face if a communication has to be sent to the data subject each time their information is passed on. Based on the volume of B2B contacts we hold (circa 1m emails and 4m contacts at a postal address) our conclusion is that, having carried out a balancing exercise to assess the effort it would take to provide the information to the data subjects against the impact and effect on the data subject if they did not receive this information, it would involve a disproportionate effort for us to provide this information and would have minimum impact and effect on the data subject if they were not informed. Our conclusion therefore is that clause (ii) of Article 14(5) will apply.

"The DMA has confirmed that they know this is a big issue for the data broking sector and are currently looking into this."

So - the industry body (DMA = Direct Marketing Association) know it is a big issue. But they knew in 2016 that it was, and yet 100 days on from the advent of the GDPR there still doesn't seem to be any resolution.

I would also take issue with the brokers assumption that Art 14, 5(b) applies, since this is a provision which specifically calls out processing for archiving purposes in the public interest, scientific or historical research purposes and has additional safeguards added. The spirit of the law isn't that this is a get out of jail free card for organisations who make money out of selling data. The controller is expected to take appropriate measures to protect the data subject's rights and freedoms: surely this means that if my information is to be sold to all-comers then I should have the right to object. But I can only do this if I know you are doing it. Back to the provisions of Article 14. Oh - and isn't transfer of data to a third party for a different purpose a consent based thing anyway...

Back to my rabbit hole. After receiving an email offering me a new conservatory (I'm not a fan so wasn't a good prospect) to my business email address, I decided to conduct my own investigation as to where my data had been sourced from, starting with a simple subject access request.

This is what I encountered:

  • The data broker from the quote above told me that they had sold my data to 33 different companies and it was on a directory they provided on an ongoing basis to a further seven companies. Apparently all of the recipients had only bought it for their own or a client's specific use, but at least two confirmed subsequently they had sold the data on to additional marketing companies.
  • An aggressive and argumentative conversation with one data broker, who 'forgot' my subject access request, but was able to miraculously recall my telephone number when reminded that the deadline had passed. Complaint number 1 to the Direct Marketing Commission (they are a DMA member).
    They couldn't provide the details of who they had sold the data to (did they actually know?) but could reassure me that they had requested all of them to remove my data.
    This data broker also told me to go and 'get an education'.
  • Another data broker confirmed that they had sold my data to seven different companies and were kind enough to list them. Following this up, I discovered that two of the companies didn't actually exist and two of them replied saying that they had never bought any data from the company concerned. Have alerted the company to this and am still waiting to hear back.
    They cheerfully supplied me with a copy of their privacy policy as an illustration of their Article 14 compliance (one article out unfortunately) which did not mention anywhere that they collected and distributed third party data for monetary return and how you could stop them from doing it.
    Complaint number 2 to the Direct Marketing Commission (DMA member)
  • Making a subject access request to Experian is more tortuous than trying to get a toddler who doesn't like peas to eat peas. You can't get past go if you won't provide them with your DOB and where you have lived for the last six years. As I repeatedly pointed out to them, for the request I sent this data would make no difference since in a B2B context they wouldn't have either of these pieces of information to verify my identity against. Nine weeks in and I now have my very own case handler. I have only shouted (in caps on email) once - I have been very restrained.
  • One data broker sent me a lovely message telling me how hard they had worked at being GDPR compliant. The lack of a privacy notice on their website kind of let them down.
  • Of all the organisations I contacted, only one replied promptly, politely and with exactly the information I requested in a format that was easy to comprehend. So fair play to EverythingDM for knowing everything about their data and being very nice people to deal with.
  • One other organisation was small and in a bit of a pickle. They were so nice they got some data protection advice for free. We could be friends.

One thing to point out is that all of the primary data brokers never once said that they sold the data. They talked about 'sharing', 'giving access to' or 'releasing the data to marketing partners' but were remarkably squeamish about their business operations. In most cases they sourced the original data from D&B. I haven't dug into the exact ins and outs of this - maybe something for later. What alerted me to this whole process in the first place was that the information that was being used was erroneous - perhaps the data source isn't that reliable after all. Discovering how many places one piece of information was spread to was pretty eye-opening.

When I was wearing my marketing hat, buying data was one of my least favourite activities. Good quality data rarely comes in large packages, all of the successful campaigns we ran used bespoke details that were built specifically for the purpose. We always knew that if we bought in data it was likely to be dirty and very unproductive, unless bought from a reputable source like a publisher, and in those instances we never actually got to put our grubby mits on it.

I am happy to be marketed to (honest I am!) and I don't mind receiving well targeted speculative emails, but dirty data practices have no place in today's digital marketplaces. Plus, if the rest of the marketing and data world has to be compliant then why does one part get to play hooky, with the apparent tacit backing of their trade body. 

Our advice to clients these days is 'steer clear'. Having spent so much time and effort creating good processes and cleaning up existing databases, there is nothing to be gained and much to be lost by buying personal data from organisations that seemingly have little or no interest in doing the right thing.