October 27th 2020 saw the Information Commissioner issue an ‘Enforcement Notice’ against Experian, under DPA18, for its processing of personal data for ‘offline marketing services’. The notice covers 3 substantive issues:
The ICO chose enforcement rather than fines because it assessed it was the “most effective and proportionate way to achieve compliance”.
This followed a 2-year ‘Investigation into data protection compliance in the direct marketing data broking sector’.
This document looks at how credit reference agencies have also been processing and supplying data for direct marketing.
The ICO recognised:
The data broking sector provides a valuable service to support organisations across the UK.
Despite this, they stated:
data brokers must comply with data protection law.
Experian, a titan of the data world, fully cooperated with the ICO in the investigation. Experian believed they had prepared thoroughly for GDPR and the new compliance regime, yet the ICO nonetheless perceived weaknesses.
So, if you conduct direct marketing, you should be aware of the themes of non-compliance the ICO highlighted; they demonstrate areas of concern and likely enforcement.
Transparency and fairness
Processing of data for other purposes
Lawful basis for processing
Legitimate interest assessments
Other things we learn
Honeytraps and online ‘publicly available personal data’
If you harvest online information you may stumble across these ‘honeytraps’. If you process personal data harvested online or process publicly available personal data, you must always provide a Fair Processing Notice to the data subject.
Source: CorpData