The data broking sector is a complex eco-system where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. - UK Information Commissioner Elizabeth Denham.
Companies who use the services of data brokers for marketing and other purposes are now responsible for ensuring that processing of personal data is compliant with GDPR and other applicable regulations. They must undertake due diligence that the personal data being offered has been collected appropriately, is up to date and that people have been informed of their rights and given a means to exercise them, before the data is purchased or rented.
Following a 2 year investigation, in October the UK data regulator ICO used the ‘nuclear option’ to stop credit agency Experian from processing data which was used to create products sold across a range of sectors without valid consent of citizens.
It found that Experian and two other credit reference agencies - Equifax and TransUnion - did a significant amount of "invisible" processing of data, meaning that people did not know it was happening.
These firms provide a way for people to check their credit score for loans and credit cards.
But they are also data brokers, collecting and selling on information gathered from a variety of sources.
The regulator found that the agencies had access to the data of almost every adult in the UK, which was then "screened, traded, profiled, enriched, or enhanced to provide direct marketing services".
Shockwaves have already spread through the world of data marketing in the few days since this ruling, heightening the sense of urgency to find a way to keep the risk of further actions and damage to clients of this ecosystem manageable, while dealing in users who don’t even know the names of these dominant players. The UK regulator has given Experian, and by association the whole broking industry, 9 months to get itself in order.