By law, you are responsible for ensuring that it is lawful for you to receive and use the data you acquire.

This means that you must be able to prove that you took appropriate steps to confirm the information provided to the individuals and the validity of any consents they may have provided.

You must also ensure that you can manage your data in a way that prevents you from using purchased lists in ways you do not have permission to use them.

DQM GRC is long established as the leading data licence auditor of the UK’s commercial data owners and can help you demonstrate proper control.

Discover more about our data supplier audit service and solutions below.
Data supplier audit

How does a data supplier audit work?

At the end of 2020, the ICO released a report into the data broking industry. Our service addresses the concerns set out in that report.

Your auditor will assess the following issues:

1. Transparency of the processing

  • How were the individuals informed about how their data would be processed?
  • Was the information provided clear and sufficiently prominent?
  • Is there a robust audit trail to prove what information was provided?
  • Does the information provided cover your planned processing?


2. Article 14 and invisible processing

  • Did the data broker receive any of the information included in the list from sources other than the individual?
  • If so, did it inform those individuals that it had received their data and how it would be used?
  • Was the information provided clear and sufficiently prominent?
  • Is there a robust audit trail to prove what information was provided?
  • Does the information provided cover your planned processing?

3. Using credit reference agency data for limited direct marketing purposes

  • If the data broker is also a credit reference agency, does the data list include any data originally collected for credit reference purposes?
  • If so, is there a robust audit trail to demonstrate that the data broker collected valid consent for this data to be used for direct marketing purposes?

4. Lawful basis for processing

  • Where consent is required, is there a robust audit trail to demonstrate that the consent collected was valid, including where the original consent was gathered by another party?
  • Where legitimate interests is used, has a Legitimate Interest Assessment been conducted?
  • If so, is this Legitimate Interest Assessment objective and does it take account of all factors?
  • Are there any issues with the lawful basis used, such as switching from consent to legitimate interests, that might prevent you from lawfully using the data?


5. Process limitation

  • When you receive the data, is it managed in a way that enables you to comply with the conditions of the contract or data licence?
  • Can you identify and locate the data you purchase within your database and link it with your audit trail showing that your use is lawful?

What to expect

Your auditor will typically take two days to complete an audit. This will be a combination of interviews with key individuals, reviews of documentation and sample checking. We aim to provide written reports to you within 10 working days of the audit commencing.

For lower risk contracts, you may prefer to send questionnaires to your data brokers that they can complete themselves and return to us for review.

We typically allow three weeks for the data broker to complete and return the questionnaire and aim to provide written reports to you within 10 working days of receiving the completed questionnaire.

Our consultants can work with you and your data brokers to address any issues we may uncover. This can include working with you to ensure your direct marketing strategy for new prospects is compliant and effective and improving your data governance practices to ensure that you can easily demonstrate compliance.

Other services of interest

Certified Privacy Essentials for Marketers

This one-day course, offered through our sister company IT Governance, is designed to give marketers and privacy professionals an understanding of how to incorporate privacy requirements into specific types of marketing activities.

Participants will learn how to create and execute compliant and effective digital marketing campaigns and will receive an IBITGQ-accredited certificate on successfully passing the exam.


Bespoke data supplier audits

Make it your own

We can tailor your audit programme to your specific needs and requirements.

Examples include:

  • Auditing your data practices against the terms of the data licences and contracts you have entered into
  • Auditing your marketing databases and identifying problematic datasets
  • Incorporating a data seeding programme to provide evidence of data usage
  • Any other support to meet your needs – just ask!
