Although not considered best practice for modern marketers, buying third-party data from list brokers can be very tempting, especially if you’re pushing lead generation, launching a new product or holding a large event, and haven’t yet established your own marketing lists using an opt-in subscription model. But be careful…

Under the May 2018 General Data Protection Regulation (GDPR), individuals are heavily protected and businesses heavily penalised if found non-compliant with the new rules, which become more complicated when a third-party data provider enters the equation.

Quoted in The Guardian article “GDPR: the new data-protection law giving watchdogs a mega bite”, Chiara Rustici, GDPR analyst and author, said: “Businesses must shift from collecting personal data on a just-in-case to a just-in-time basis. White-label ‘consented data’ is dead and the personal data markets are broken.”

Here are a few risks to be aware of and tips to help you navigate buying marketing lists.

The risks of buying marketing lists under GDPR

1. You need to demonstrate “consent” or “legitimate interests”

Organisations may be subject to enforcement action if they can’t demonstrate appropriate consent, including consent to the specific marketing activity proposed. This becomes very difficult to prove when using third-party personal data lists.

2. Your list broker’s assurance of valid consent is not enough for the ICO

The ICO makes it very clear that marketers can’t just rely on an assurance – contractual or otherwise – from their list broker that the individual’s consent is valid. Under GDPR, it’s the data buyer’s responsibility to carry out due diligence on the broker to make sure:

  • The data is current
  • The broker has permission from the individual to pass their data on to you
  • The individual’s consent for your type of planned marketing is valid
  • The consent is recent enough to still be valid

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.” – Elizabeth Denham, Information Commissioner

3. Financial and reputational risks of GDPR

If consents are found not to be valid or demonstrable, you risk financial penalties from the ICO as well as damage to your reputation and perceived trustworthiness.

Information Commissioner Elizabeth Denham said, “People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.

“Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.”

Under GDPR, it will be much easier for individuals to claim for damages, as they can be “material and immaterial” – so, for example, demonstrating mental distress could be enough for a legal win.

Top tips for managing brokered marketing lists

1. Conduct due diligence on your broker and their data

Ask for a data sample and assurance that the rest of the list is compiled in the same way. If you get pushback on a request for due diligence, alarm bells should ring. Check out Companies House, for example, to make sure your broker isn’t about to go insolvent.

2. Conduct a Privacy Impact Assessment (PIA)

The ICO recommends a ‘privacy by design’ approach, which includes conducting a PIA to identify and reduce the privacy risks of your marketing campaigns. Basically, it reduces the risks of harm to individuals through the misuse of their personal information. It can also help you handle personal data more efficiently and effectively for your own purposes.

3. Check off your bought data against suppression lists

Once you’ve bought third-party data, make sure the names are not already on your “unsubscribe” list, or on external telephone and mail preference services.

4. Clearly identify the third-party data source on your CRM database

Under GDPR, this allows you to demonstrate the data source. It also means you can extract it later if any doubts arise over compliance, without losing your entire database.

To help marketers prepare for GDPR, the Chartered Institute of Marketing (CIM) has teamed up with Me Learning to develop an e-learning course titled GDPR for the Marketer.
