CHAPTER SEVEN – BUYING CUSTOMER DATA
Why do Financial Services companies buy personal data?
Companies in financial services may buy personal data for a host of different reasons. For example:
Marketing – Companies may buy personal data to send individuals marketing information about their products and services.
Risk Exposure – Companies may buy data to build databases to help reduce their risk. For example, a bank may build a database to better understand the types of individuals who may default on a loan.
Data analytics – Companies may buy personal data to help them understand the wants and needs of customers so they can better develop their products and services.
In this chapter, we are going to look at the circumstances in which this is allowed, along with the controls you must put in place to reduce the risk around buying personal data.
Complying with the data protection principles when buying
Remember that there are 7 Data Protection Principles, which we discussed in Chapter 1. These are the seven commandments of GDPR and you must ensure that all of your data processing is consistent with these Data Protection Principles at all times.
As far as purchasing data from a third party goes, you must satisfy yourself that the purchase is consistent with the principles. For example:
Purpose limitation2 – Check that the seller is allowed to sell the personal data from you. For example, the seller cannot collect data for the purposes of customer administration and then go behind the customer’s back and sell the data without the customer’s knowledge.
Accuracy3 – If you do buy data, then you should check that it is accurate and up to date.
Performing Due Diligence on the data seller
GDPR is a tough regulation. It asks you to remain compliant with its multiple rules, but it also stipulates that you must be able to “demonstrate compliance” with the rules. Accountability is one of the key principles under GDPR. It demands that you are able to retain evidence of your compliance with all of the GDPR rules.4
If you are buying personal data, you should therefore conduct due diligence on the seller to make sure the data is legit. You should also keep records of that due diligence.
What specific questions should we ask the data seller before performing Due Diligence on them?
The ICO in its Direct Marketing Guidance5 has set out some questions that may be appropriate to ask a third-party company before buying a marketing list. You may also find these Due Diligence questions useful if you are buying the personal data for non-marketing reasons, such as data analytics.
The ICO says:
“Reasonable due diligence might include checking the following:
Who compiled the list? When? Has it been amended or updated since then?
When was consent obtained?
Who obtained it and in what context?
What method was used – eg was it opt-in or opt-out?
Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
Did it specifically mention texts, emails or automated calls?
Did it list organisations by name, by description, or was the consent for disclosure to any third party?
Has the list been screened against the TPS or other relevant
preference services? If so, when?
Has the individual expressed any other preferences – eg regarding marketing calls or mail?
Has the seller received any complaints?
Is the seller a member of a professional body or accredited in some way?
You might want to ask further questions relating to the Data Protection Principles including:
Did the data subjects know the third party would be selling the personal data?
Is selling the personal data consistent with the original purpose for which the third party collected the personal data?
Is the data being sold accurate and up to date?
If the company cannot give you good answers to these questions, then you are taking a risk in buying the data from them.
What else should I ask the data seller for when I am doing my Due Diligence?
Do not take the data seller’s word for anything. Ask them for relevant documents to support the answers they have given to your Due Diligence questions such as:
Consents – Copies of the consents obtained from the data subjects.
Privacy Notices – Copies of the consents the seller gave to the data subjects.
Accreditations – Copies of accreditations that the seller has.
ICO Registration – Details of the seller’s registration with the ICO.
Policies – Copies of the seller’s Staff Data Protection Policy.
Performing a Data Protection Impact Assessment (DPIA)
It is recommended that you perform a Data Protection Impact Assessment (DPIA) before you buy any personal data from the data seller, to make sure any risks relating to the data purchase are mitigated.
See Chapter 3 for more details on DPIAs.
It is important to put a contract in place with the data seller before any purchase takes place, in order to set out the rules of the game in terms of the personal data you are buying.
The ICO have said “It would be prudent for a buyer to have a written contract in place confirming the reliability of the list, as well as making its own checks. The contract should give a buyer reasonable control and audit powers.”6
The contracts should have indemnities in place to compensate you in the event that you incur loss or damage as a result of the seller providing substandard data or non-compliant data to your company.
Having a contract helps you to mitigate the risk around purchasing customer personal data. However, a contract is not a panacea.
Often, data sellers are very keen to sell their data for a high price and they say that a contract solves all problems. It does not. A contract cannot get you off the hook with a regulator if you have breached GDPR nor can it cover you against any GDPR fines issued by the ICO or any other EU Regulator. The contract is one part of the risk mitigation in relation to purchasing personal data, but it should not ever be the only control you put in place.
If you do decide to go ahead with a purchase of personal data, then you will need to ensure you provide the data subjects with privacy information about your company and the data processing you are carrying out.
You must take “appropriate measures” to make the Privacy Notice “easily accessible”7. This information must be provided to the data subjects “within a reasonable period after obtaining the personal data but at the latest within one month”.8
Under Article 14 of GDPR, there are rules around giving privacy information to data subjects if you have obtained the personal data from a third party, such as a data seller.
Check that your Privacy Notice contains these details if you are going to purchase personal data.
See Chapter 13 for more details on Privacy Policies.
Buying Marketing Data
Does the company selling the data need the consent of the
individuals to do so?
The company selling the personal data needs a lawful basis to sell the personal data under Article 6 of GDPR. Consent or legitimate interest are the likely bases upon which the data seller will be seeking to rely. Consent is often more reliable as it is easier to record and demonstrate.
If they are relying on legitimate interest, then they will have to be able to show that it was within the reasonable expectation of the individuals that their data would be sold in the way they propose doing. To rely on legitimate interest, the data seller must be able to show that they told the data subjects in their Privacy Notices or their correspondence with them that they would sell the data and they gave the individuals the opportunity to opt out of this (such as by saying if you do not wish to be involved in this, then please email us at Data.Protection@acme.com).
If the data seller does not have a lawful basis to sell the personal data, then they could get you in trouble after you buy it. It is up to your company to make sure you have asked the data seller for evidence of the legal basis on which you intend to rely.
Consent is needed to send emails, texts and for automated calls
You must be very careful if you are using a bought in list, to send marketing texts, emails or automated calls.9
For consumer marketing, you will need consent to send the individuals marketing texts, emails or automated calls.10 In other words, you will need evidence that the data subject has consented to your company buying their data and then sending marketing emails to the customer. The ICO says “A buyer will only be able to send marketing texts or emails, or make automated calls, to people on the list if they gave specific consent. In most cases, indirect consent- that is, consent given to someone other than the organisation doing the marketing – will not be enough for this”. They also say “a list with general consent to third party marketing may be enough for mail marketing, but is unlikely to cover calls, texts or emails”.11 They go on to say “If you are buying a ‘consented’ marketing list, the consent request must have identified you specifically.”12
You should ask the data seller for evidence of their consent before relying on it.
The ICO says “A reputable list broker should be able to demonstrate that the marketing list for sale or rental is reliable…..If the seller cannot provide this information, a buyer should not use the list”.13
Red List Brokers wants to sell its personal data marketing list to Blue Insurance.
Blue Insurance buy the list from Red List Brokers.
The list contains 50 customer names.
Blue Insurance wants to send these customers marketing emails about their insurance products and services.
Blue Insurance should check to ensure that the data subjects gave consent to Red List Brokers.
For Blue Insurance to be able to rely on the consent, they need to make sure that the data subjects agreed to receive marketing material from Blue Insurance.
Blue Insurance ask Red List Brokers for evidence of the consents that the data subjects provided to Red List Brokers that mention Blue Insurance.
They must analyse these consents to make sure they are good enough before relying on them.
See Chapter 4 for more details on the Marketing Rules.
For business to business marketing
If you buy any personal data for business to business marketing (such as personal corporate email addresses, such as Dave.Jones@
BigCorporation.com) then you should make sure you have:
Consent that allows your company to send marketing to the business contact (such as Dave.Jones@BigCorporation.com), OR
A legitimate interest to contact the business contact.
If you do intend to market to the business contact, then you must give them the opportunity to opt out of receiving further communications.
See Chapter 4 for more details on the Marketing Rules.
Recap and Practical steps to take:
Data Protection Impact Assessment – Perform a DPIA on any incidences of data selling before they take place.
Due Diligence – Perform Due Diligence on all data sellers before buying personal data from them.
Marketing – Be very careful when buying personal data in order to use it for marketing purposes. Consent is needed to send ordinary customers marketing texts or emails under the PECR. If you are relying on consent obtained from the data seller, you must ask to see evidence of those consents.
Contracts – Ensure there is a contract in place between your company and the data seller.
Privacy Notices – Ensure your Privacy Notices give sufficient information to data subjects, if you have bought data relating to them.
1 GDPR – Article 5(1)(a)
2 GDPR – Article 5(1)(b)
3 GDPR – Article 5(1)(d)
4 GDPR – Article 5(2))
5 ICO – Direct Marketing Guidance – June 2018 – Page 52
6 ICO – Direct Marketing Guidance – Page 53 – 2018 – Soon to be updated
7 GDPR – Article 12
8 GDPR – Article 14(3)
9 ICO Guidance – Direct Marketing – 3 June 2018 – page 52
10 PECR – Regulation 22
11 ICO Guidance – Direct Marketing – 3 June 2018 page 50
12 ICO Guidance – Direct Marketing – 3 June 2018 page 51
13 ICO Guidance – Direct Marketing – 3 June 2018 page 53