Keep up to date with us

We update our blog with regular posts to keep you up to speed on the world of B2B data.

Important implication of the ICO enforcement action against Experian

Posted on 17/11/2020 at 14:56By Corpdata

Why?This comes from the interplay of items that crop up in the Experian case.
Validity of consentFirstly, consent is opt-in. They are the same thing. For consent to be valid it must have been ‘i…

Unless you gained ‘consent’, or ‘opt-in’, yourselves, using the data is very likely to land you in trouble.


This comes from the interplay of items that crop up in the Experian case.

Validity of consent

Firstly, consent is opt-in. They are the same thing. For consent to be valid it must have been ‘informed’. The ICO has always been clear that this requires the data subject to know who will eventually be using the data, or 'the identity of the controller'. Indeed, in their What is valid consent? webpage, the ICO explicitly states:

If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified.

Most data licensed from a ‘data broker’ will fail to meet the validity test, since your organisation will not have been explicitly named when it was collected.

Be aware, some brokers have tried to include huge lists of every company listed at Companies House, for example, as potential users of the data. This is also not valid, the ICO make it plain that the information must be readily understood by the data subject. In the Experian Limited Enforcement Report the ICO explain that

notifications fail to be transparent overlong (and risking key transparency information being lost in that length).

It seems likely a list of over 4 million companies will be considered overly long.

If you use data on the basis of ‘consent’ which is not valid, you will have broken the law.

Using data on a different legal basis

Using data on the legal basis of ‘legitimate interests’ when it was collected on the basis of ‘consent‘ is also not legal. The ICO is clear, if data is gained on the basis of consent, then consent is the only basis upon which it may be used, that consent still needs to be valid of course. In fact, Experian must delete all the data they process on the basis of their legitimate interests which their suppliers gained on the basis of consent.

If you use data on the basis of ‘legitimate interest’ when it was gained on the basis of ‘consent’, you will have broken the law.

How does this matter to you?

Many data brokers claim to be able to provide you data ‘with consent’, or ‘opted-in’ data. The two points above show how this is very unlikely to be the case. If your data broker suggests this, you are probably being misled!

In the past, if things went wrong, you could point the finger at your data broker and suggest they should be responsible. NOT ANY MORE.


GDPR has a core principle of ‘accountability’, meaning you are responsible. The only way you can avoid the blame is by ‘demonstrating you are in no way responsible’. This is a deliberately high bar.

Regulators have had enough of data subject rights violations being dodged by mutual finger-pointing. The law now says everyone involved is responsible, so blaming your data broker doesn’t get you off the hook, you just need a bigger hook, because you are both on it.

Isn’t this all a storm in a teacup?

That used to be one of the prevailing thoughts about GDPR. That and it was like Y2K. Recent events are shaking that view. The ICO used to be perceived as a weak regulatory body that seldom used the extent of its powers.

The Experian enforcement notice, together with actions against BA, Marriot Hotels and others, tell us those days are long gone. As data subjects, we should be delighted, as marketers, we should be cautious.

What can you do about it?

Logic dictates if you use data from a pre-compiled list, it cannot have consent or be opt-in, because the data subject could not have known you would use it when they gave their consent, so it cannot be informed, and thus is not valid.

The only way consent or opt-in can be valid is if it was gained by you, or specifically for you, normally as a specialist research process, or list-build, where your use is mentioned when consent is given.

If any data broker tells you otherwise, don’t use them!

This isn't news

Back in October of 2017, we published our blog item The problem with consent covering exactly this topic in even greater depth. The ICO are now showing our interpretation is correct.

One final thought

In case you didn’t already notice this, the ICO are now seeding ‘publicly available’ data on the web. They currently do this to understand how data is harvested and used, but it would be foolish to imagine this will never be used to identify those flouting the rules.

These sources could be LinkedIn, blogs, websites, social media, in fact any place where personal data could be displayed and harvested.

Undoubtedly the safest bet is to use a reputable data broker for your data needs.

ICO issues enforcement notice against Experian

Posted on 29/10/2020 at 14:51By Corpdata

October 27th 2020 saw the Information Commissioner issue an 'Enforcement Notice' against Experian, under DPA18, for its processing of personal data for 'offline marketing services'. The notice cove…

October 27th 2020 saw the Information Commissioner issue an 'Enforcement Notice' against Experian, under DPA18, for its processing of personal data for 'offline marketing services'. The notice covers 3 substantive issues:

  1. Fair & Transparent Processing
  2. Article 14 GDPR (Failing to notify data subjects about Experian's processing of their personal data)
  3. Failure to properly assess the lawful basis of processing

The ICO chose enforcement rather than fines because it assessed it was the "most effective and proportionate way to achieve compliance".

This followed a 2 year 'Investigation into data protection compliance in the direct marketing data broking sector'.

This document looks at how credit reference agencies have also been processing and supplying data for direct marketing.

The ICO recognised:

The data broking sector provides a valuable service to support organisations across the UK.
Despite this they stated:
data brokers must comply with data protection law.

Experian, a titan of the data world, fully cooperated with the ICO in the investigation. Experian believed they had prepared thoroughly for GDPR and the new compliance regime, yet the ICO nonetheless perceived weaknesses.

So, if you conduct direct marketing, you should be aware of the themes of non-compliance the ICO highlighted, they demonstrate areas of concern and likely enforcement.

Transparency and fairness

You must provide the information required by Article 14 of GDPR, now commonly known as a Fair Processing Notice, to each data subject. It must explain all the processing you undertake in clear and simple terms.

Processing of data for other purposes

You must only process personal data for the purposes you have told the data subject about.

Lawful basis for processing

There are really only 2 suitable bases for processing for direct marketing purposes, "consent" or "legitimate interests". You must choose the correct one, and you must only use it in the way you have chosen. Any consent you rely upon must meet GDPR requirements for valid consent.

Legitimate interest assessments

These assessments allow you to show you have impartially considered your legitimate interests against the risks to the rights and freedoms of data subjects. You should always conduct these and retain the evidence. (Please note: if you license data from Corpdata, we will normally help you to produce a draft Legitimate Interest Assessment free of charge!)

Other things we learn

Honeytraps and online 'publicly available personal data'

The ICO has undertaken proactive investigative work by "seeding personal data online" to show how data was obtained and used.

If you harvest online information you may stumble across these 'honeytraps'. If you process personal data harvested online or process publicly available personal data, you must always provide a Fair Processing Notice to the data subject.


Experian tried to assert it would require a disproportionate effort to provide a Fair Processing Notice to all data subjects (about 50 million). The ICO disagreed. You may not rely upon this argument, especially where the processing is likely to be 'unexpected' by the data subject.

Due diligence

The ICO is also keen to educate, so have published information for customers of data broking services, including a non-exhaustive approach to due diligence. (If you would also like to see the advice about choosing a data supplier Corpdata produced in 2017, you can find it here.)

How to use direct marketing data safely, and productively, in a recession

Corpdata have created a white paper on 'Direct marketing in a recession'. It covers key topics including compliance, but also how to ensure you derive a good return from your investment. This is particularly important when every penny counts.

Download 'Direct Marketing During a Recession'