Historically this would have been a problem simply for list owners. GDPR now makes a user of the data liable for infringements no matter how they came about. Meaning your due diligence is more important than ever. Remember, the data subject has a 'right to be informed' about how their data will be used.
Many list owners, including household names, collect their data "for inclusion in a directory" or as a by-product of "exhibition attendance", to ensure you "get a good search engine ranking", so you can "manage your credit rating", ... or any number of other 'explanations'. These are evidently misleading, opaque and unfair if the data is subsequently used as a Direct Marketing list without making that abundantly clear. Importantly , this would not satisfy the requirement to inform the data subject even if this information is mentioned in small print.
As the user of the data you now have to demonstrate you are in no way responsible for any problems, including data subjects not knowing their data would be used for direct marketing.
Fortunately for organisations wanting to undertake direct marketing, the ICO have given some pointers about sensible due diligence to undertake. The code is not comprehensive, but page 53 gives an indication about what the ICO consider a minimum. It also contains the warning:
Simply accepting a third party’s assurances that the data they are supplying is compliant is not enough.
Be kind to yourself - make it easy
At Corpdata, we fully considered your compliance issues several years ago. We embraced them within our updated data management processes and how we supply our data to you. For example, our 'Due Diligence Disclosure Pack' will tell you exactly what we tell data subjects, and much more besides.
We have taken it upon ourselves to help you demonstrate your compliance. It's 'enlightened self interest'. We understand you can confidently use our data when you know how you are protected. Our transparency helps everyone.