Data protection compliance is a crucial consideration when it comes to purchasing data for direct marketing. Data broking for direct marketing purposes involves collecting data about individuals from a variety of sources, then combining it and selling or renting it to other organizations. While this practice can be beneficial for companies looking to expand their customer base, it also comes with significant legal responsibilities.
As a business using, or intending to use, the marketing services of data brokers, it is important to remember that your organization is responsible for ensuring that your processing of personal data is compliant with data protection law. This includes data obtained from data brokers.
Before your organization uses data broking services, it is essential to undertake appropriate due diligence to satisfy yourself that the personal data being offered to your organization complies with data protection law. This involves evaluating the source and quality of the data, and making sure that it has been collected and processed in a lawful manner. In this regard, the due diligence process should assess the following:
- The origin of the data, such as who compiled it and whether it was the data broker or another party.
- The source of the data, for example, whether it was obtained directly from individuals or from other sources.
- The privacy information provided when the data was collected, including the purposes for which the data will be used.
- The timing of the data collection and its relevance.
- The methods used to collect the data and the context of the collection.
- The records of consent if the data is based on consent and if consent was indeed given and how, when, and by whom.
- The verification that the data has been checked against opt-out lists, and how recent the check was.
- The measures in place that the data broker takes in addressing individuals’ rights, such as handling objections and requests.
Appropriate contractual provisions should also be included in the agreement with the broker to protect as far as possible your organization against issues related to the above points.
As a controller, your organization must be upfront and tell individuals what you want to do with their data, including where you intend to use data broking services to obtain additional data about your customers or to profile them. This information should be provided in a clear and transparent manner, in accordance with the GDPR’s right to information. It is also essential to ensure that you have an appropriate lawful basis before you seek data from a data broking service.
Finally, if you intend to use contact details obtained from data brokers for electronic direct marketing, remember you may be required under the e-Privacy Directive (and PECR in the UK) to have the individual’s consent. This consent must also be to the GDPR standard.
It is important to remember that Data Protection compliance is not only a set of legal obligations, but also essential for maintaining customer trust and building long-term relationships. Data broking services can be a valuable tool for organizations, but it is important to follow all necessary steps to ensure compliance with data protection law and regulations.