At the end of 2020, the ICO released a report into the data broking industry. Our service addresses the concerns set out in that report.
Your auditor will assess the following issues:
Transparency of the processing
- How were the individuals informed about how their data would be processed?
- Was the information provided clear and sufficiently prominent?
- Is there a robust audit trail to prove what information was provided?
- Does the information provided cover your planned processing?
Article 14 and invisible processing
- Did the data broker receive any of the information included in the list from sources other than the individual?
- If so, did it inform those individuals that it had received their data and how it would be used?
- Was the information provided clear and sufficiently prominent?
- Is there a robust audit trail to prove what information was provided?
- Does the information provided cover your planned processing?
Using credit reference agency data for limited direct marketing purposes
- If the data broker is also a credit reference agency, does the data list include any data originally collected for credit reference purposes?
- If so, is there a robust audit trail to demonstrate that the data broker collected valid consent for this data to be used for direct marketing purposes?
Lawful basis for processing
- Where consent is required, is there a robust audit trail to demonstrate that the consent collected was valid, including where the original consent was gathered by another party?
- Where legitimate interests is used, has a Legitimate Interest Assessment been conducted?
- If so, is this Legitimate Interest Assessment objective and does it take account of all factors?
- Are there any issues with the lawful basis used, such as switching from consent to legitimate interests, that might prevent you from lawfully using the data?
Process limitation
- When you receive the data, is it managed in a way that enables you to comply with the conditions of the contract or data licence?
- Can you identify and locate the data you purchase within your database and link it with your audit trail showing that your use is lawful?