Beyond data broking: why the ICO’s investigation matters to you

In October 2020, the ICO released its finding from its audits of the direct marketing portion of the three largest credit reference agencies (CRAs) in the UK. These CRAs engage in data broking, which involves the collection of personal data from multiple sources, then combining it and licensing or selling it on to third parties.

This activity was undertaken on such a large scale that it would concern almost every adult in the UK to some degree. The ICO found a number of activities that caused concern, in particular:

  • a lack of transparency and “invisible” processing (i.e. processing where the data subject has not been informed at all);
  • processing of data without a lawful basis; and
  • inappropriate use of credit reference data for marketing purposes.

Two of the CRAs that were subject to this audit made voluntary changes as a result of the investigation. The third, Experian, was issued with an enforcement notice as it had not made significant enough changes. The required changes included updates to the CRAs’ privacy notices to clarify what data was being used and how. Where data had not been processed lawfully the activity was either suspended, or the data deleted completely.

The investigation provides some useful insights for any organisation that makes use of third party data, or that obtains data from multiple sources for its own marketing purposes.


Transparency is a central tenet of data protection laws, and the lack of information given to data subjects was a key finding in the investigation. The CRAs were criticised for failing to provide clear and upfront information on the data they were using, where they had obtained it, and how they used it, in a way that was readily understandable. This was a particular issue where the processing may not be expected by the individuals, such as CRAs using data to build marketing profiles on individuals.

This is also important as a lack of transparency can undermine the lawful basis of processing. For example, the failure to properly inform individuals of the processing for marketing purposes contributed to the balancing tests in the legitimate interests assessments (LIAs), tipping the balance against the CRAs.

Organisations should therefore check:

  • that their privacy notices contain accurate information on all their processing activities, avoiding industry jargon and using clear language that will be readily understandable. Any potential drawbacks of processing should be clearly explained and complex processing activities should be demonstrated with examples;
  • prominently disclose any processing activity that may not be obvious or expected in the top layer of your privacy notice. Organisations should also consider how to approach notifications of updates to notices where they are undertaking new processing. For example, it may be sensible to include explanations in a covering email, rather than sending a generic update notification; and
  • whether any exemptions they are relying on to avoid providing transparency information are robust. The fact that an organisation processes data on a large number of subjects such that it would be merely inconvenient to notify them all is not sufficient. This is particularly the case for processing that would be considered intrusive.

Lawful bases: consent and legitimate interests

There were a number of issues with the lawful bases used by the CRAs in the marketing activities. These largely break down into the following.

  • The CRAs relied on third party consents that did not meet the definition under the GDPR, meaning the CRAs were processing data without a lawful basis. This is a common issue with relying on third party consents and one that all controllers should be mindful of.
  • The CRAs obtained data from third parties on the basis of consent and then processed it based on their legitimate interests. This was not permissible as it meant that the initial consent was no longer specific and informed enough to be valid. It also meant that the degree of control and nature of the relationship had been misrepresented. This misrepresentation would therefore impact any LIA in such a material way as to tip the balancing test against the CRAs, so again they were processing data without a lawful basis.
  • The CRAs had failed to give sufficient weight to the impact of their processing when conducting LIAs. In particular, they had failed to give proper consideration to the fact that they were processing a large amount of data in highly targeted ways that amounted to profiling. This, combined with the transparency issues referenced above, meant that the balancing tests in the LIAs were not properly weighted and, had they been so, would have prevented this processing.

These findings should remind organisations to take particular care when relying on third party consent. Ideally this would be avoided due to difficulties in ensuring it was properly obtained and the subsequent limits it would place on processing.

In this instance, the ICO determined that legitimate interests would not be an appropriate basis for the types of marketing processing the CRAs were conducting. The surprising nature of it, particularly regarding the use of credit reference data to tailor marketing, meant that even if data subjects were properly informed their consent would be required for this activity. This does not mean that all data analysis or data collating activity for marketing purposes will require consent, but it will require a properly conducted LIA. Organisations should ensure that they take a holistic approach to LIAs. It is important to assess the impact of the processing on data subjects that is inherent in the processing, but factors such as the information they have been given and whether the particular processing may be expected in the context of the relationship with the individual may serve to mitigate some of this impact.

Using data from data brokers and other third parties

The ICO was at pains to point out that it does not intend to prevent data broking from occurring, and highlighted the positive role it plays in the digital economy. Organisations who deal with data brokers therefore do not need to worry that they will suddenly be banned from doing so. However, this is a reminder for such organisations to take some sensible steps to protect themselves.

  • Check whether appropriate DPIAs have been completed and consider whether any updates to existing DPIAs and processes are required.
  • Check the privacy notices and lawful bases of any third party you receive personal data from, particularly if you are relying on consents obtained by them and if you are using this data for marketing purposes.
  • Check your own privacy notices. Organisations cannot simply rely on third party notices to cover their own processing activity.