After taking a week’s breather, it’s again an action by the ICO that draws my attention. On Tuesday, the ICO issued an enforcement notice to Experian. Experian was one of three credit reference agencies that the ICO has been auditing for the last two years after a complaint from Privacy International. As I’ve mentioned in previous weekly digests, once again we have a third party driving an enforcement of the GDPR and once again we have the ICO using an enforcement action with the threat of a fine to drive corrective action as opposed to immediately issuing a fine.
The investigation was looking at the agencies’ data brokering businesses and how they were using personal data for offline direct marketing. The scale and the impact of credit reference agencies is substantial. Paragraph 19 of the notice states that Experian’s two primary databases held entries on over 95% of all UK adults, mostly without their knowledge. The data was enriched with up to 500 attributes and then sold to businesses, charities and political parties who used it to target specific individuals. To be clear, this business is not illegal and can be very positive for both businesses and individuals. What is illegal is the “without their knowledge” part.
The notice included 5 specific contraventions, but the following three are the most noteworthy:
The ICO seems to want to have used this investigation to communicate some clear messages. It went so far as to publish a thorough report of its investigation. I think this approach is laudable. By shining a light into dark places it can both make the public aware of these services and their rights regarding direct marketing, while at the same time making customers of data brokers aware of the due diligence they need to undertake when working with these services.
So if the ICO is trying to educate us by releasing this report, what are the lessons? Just to be clear, I’m thinking especially of businesses that might be using data brokerage services – not individuals. Although, I’d be happy to have that conversation with anyone who is interested. I think they’re five-fold.
The ICO is reiterating the importance of having clear, accurate privacy notices at the point of data collection. If you’re using a data brokerage service, take the time to read their privacy notice. Is it clear from reading it where they source the personal data and how they’re using it? If it’s not clear how they’re collecting the personal data they’re using – including from which sources – how it’s being processed and how it’s being sold, then you need to have a deeper conversation with them to ensure they’re actually compliant.
If personal data is being collected from third-party sources and the data broker is then processing that personal data by appending data to it and selling it on – have they informed those individuals? Article 14 is extremely clear that if personal data is obtained from a third party, the people whose data was obtained need to be informed by the data broker within a month of the data broker obtaining their data. The ICO is being very clear that data brokers need to make sure that individuals are informed. If their data sources aren’t clear about it in their privacy notices, then the data brokers must inform the individuals themselves. To ensure compliance, this may require asking the data broker specifically how it complies with Article 14, or an audit of all the privacy notices of its data sources.
It’s important to note that the ICO was clear in calling out the credit reference agencies for taking the data they collected for credit referencing purposes and using it for direct marketing purposes. The agencies were required to make significant changes and, in some cases where they couldn’t, they had to terminate some products. Make sure you’re not mingling data collected for one purpose with data collected for another purpose. Just because your company has the data doesn’t mean it can use it however it chooses.
If a data broker is receiving personal data from a third party whose lawful basis for processing is consent, that consent doesn’t automatically extend beyond the collecting entity. If you’re working with a data broker who has relied on consent, then be very, very careful. It’s most likely the consent they obtained cannot be relied upon by your company.
Since data brokering was part of the agencies’ business, they were relying on legitimate interest to justify their processing. The ICO specifically stated that when doing LIAs, the quantity of personal data being processed, the profiling and the transparency of the processing all need to be considered in relation to the freedoms of the individuals. Given the scale – 95% of the UK’s population – the sophistication of the profiling – 500 attributes – and the lack of transparency – most people are unaware credit reference agencies are selling their data – the legitimate interest doesn’t balance against the rights and freedoms of individuals and cannot be used. So if you’re relying on legitimate interest, make sure you consider the impact of your processing on the people whose data you’re processing and justify it objectively.
If you’re working with a data broker, or even undertaking your own direct marketing, take some time to read the full report. I’m sure you’ll find other bits of guidance from the ICO which will help make sure you’re conducting business in a way that benefits your business as well as your clients.