For over a thousand companies in the lead generation and data broking sector, last week’s postal delivery would have brought a nasty surprise.
The Information Commissioner has written to a huge swathe of registered data controllers to demand information about their assets, processes and practices around holding and selling personal information.
The backdrop to this move is the 180,000 consumer complaints received by the ICO. By combining these with intelligence from other sources (including whistleblowers), it has identified a substantial group of businesses which it suspects not to be fully compliant with the Data Protection Act. The aim is to drag firms into compliance where possible and fine the “bad actors” who resist improvements to how they work.
It marks the latest step in a regulatory effort which started with addressing nuisance calls in tandem with Ofcom. Bringing a halt to the unwanted output of the direct marketing industry has been an important step in proving that the ICO can be effective against activities which cause consumers distress or annoyance.
By moving its focus onto the input side, the ICO is now bringing into the light an aspect of DM that prefers to operate in the dark. As any consumer who has received calls and texts about PPI, solar panels, will making and the like will know, a single response to a “lifestyle survey” can multiply into a myriad of contacts for years down the line. In an example identified by the Daily Mail, one consumer’s data was traded 200 times and generated 731 items of mail or calls.
This is clearly stretching permission beyond its breaking point. But it is not just consumers who are having their rights abused - commercial data owners are, too. In the murky lead generation sector, it has become typical practice to rent a file created by a large, reputable business, apply some effort (often as limited as changing one variable) and then claim those records are now new intellectual property.
From there, that data set gets turned over dozens of times. One of the ICO’s demands is for a full list of companies with which these data brokers have done business. It will be interesting to see how many are able to trace their business footprint in this way since making the sale matters more to these companies than maintaining compliance. That is why other requirements of the DPA, like subject access requests and data correction, are also likely to have been neglected.
Speaking to the Science and Technology Committee of MPs on 17th November, Christopher Graham said of the list broking and lead generation sector that, “it would be very logical for there to be powers to compulsory audit.” If granted those powers - and the current mood of legislators towards the data industry suggests this is likely - then it could finally sweep out the “dark DM” practitioners who have benefitted from operating below the regulatory radar and being too low profile to merit sanction.
It could also introduce much more widespread use of data tracking tools, such as seeding or new solutions being introduced to support the Fundraising Preference Service when it launches. As that sector has discovered, one of the most basic pieces of intelligence has been absent - a record of where personal data is being used at any given time. With pressure from regulators, this seems likely to become the next big agenda item for data governance.
One final issue also arises from the ICO’s latest enforcement action. It has the benefit of a register of data controllers to work off. Under the proposed Data Protection Regulation, the supposed burden of notification by data controllers to the regulator will be removed. So the future ICO will start similar work in the dark as to where to find its targets. Too late to change that now, but it still seems a bad place from which to be starting the new regime.