UK ICO Issues Enforcement Notice To Experian: Ten Lessons For Data Brokers

Here are 10 key takeaways for data brokers and businesses in general:

Transparency

• If you have particularly complex processing, your Article 13 notice should have explanatory examples.
• Placing a big advertisement or undertaking a mass postal mailing does not necessarily meet the Article 14 notification requirement.
• Just because there are lots of people and mass processing doesn't mean it is a disproportionate effort to notify for the purpose of the Article 14 exception. This is especially the case if it is lots of people you haven't notified in a number of years.
• Conducting a survey with the target audience regarding how easily understood your privacy disclosures are can be very helpful. However, this is only effective if you position the privacy notice text against an explanation and check whether what people thought they understood from the text actually matches what you do.
• All important and surprising Article 13-14 information needs to be on the suppliers' first layer of disclosure; a link to the data broker's privacy notice is not enough.

Legitimate Interest / Legal Basis

• It is generally not possible to rely on legitimate interest as the GDPR legal basis when you are profiling individuals for the purpose of marketing.
• Even if you are using the right legitimate interest analysis template, in order for the analysis to work, the balancing must correctly weigh the interests of controller vs. the individual.
• Even just screening someone out of receiving certain marketing materials based on certain criteria still constitutes marketing purposes.
• If your suppliers collected information based on consent, you can't then further process this information under legitimate interest as your legal basis.

Data Broker Sources

• Data brokers need to vet their suppliers re: compliance with data protection laws when procuring the information.
• Data brokers must audit compliance by their suppliers regularly.