Buying, selling, and enriching personal data is GDPR's most scrutinised activity — data brokers face the highest compliance bar of any sector.
Why Data Brokers Face the Highest GDPR Scrutiny
Most businesses collect personal data as a by-product of their commercial activity. Data brokers are different — you collect personal data as the product itself. The individuals whose data you hold had no direct relationship with you, have no visibility over what you hold, and certainly never consented to you processing it.
The ICO and European data protection authorities have made no secret of the fact that data brokering is a priority enforcement area. The volume of data involved, the opacity of the industry, and the potential for large-scale harm make it exactly the kind of activity regulators scrutinise most closely.
The Core Tension: Lawful Basis for Third-Party Data
Every piece of personal data you process needs a lawful basis under GDPR Article 6. For data brokers, this is the central challenge, because the most obvious basis — consent — is almost impossible to establish for data collected from third parties.
Consent under GDPR must be freely given, specific, informed, and unambiguous. The individual must know who will be processing their data. Historical consent collected by a third party almost certainly did not name your company as a data controller or describe commercial data brokering as a purpose.
That leaves legitimate interests (Article 6(1)(f)) as the primary viable basis for most data broker operations — and it comes with significant conditions.
Legitimate Interest: The Balancing Test
Legitimate interests is GDPR's most flexible lawful basis, but it requires a three-part test:
- Purpose test — Is there a legitimate interest being pursued?
- Necessity test — Is the processing necessary for that purpose?
- Balancing test — Is the legitimate interest overridden by the individual's interests, rights and freedoms (the Article 6(1)(f) wording), taking into account what they would reasonably expect?
The ICO has been explicit: brokers who use legitimate interest must document a genuine Legitimate Interests Assessment (LIA) for each processing activity. A blanket LIA won't withstand scrutiny.
The Transparency Obligation: Article 14
When you collect data indirectly, Article 14 requires you to provide individuals with notice within one month of obtaining the data. This includes:
- Your identity and contact details
- The purposes and legal basis for processing
- The categories of data you hold
- Recipients of the data
- Their rights (access, erasure, restriction, objection)
- The source of the data
Many brokers try to rely on the disproportionate effort exemption in Article 14(5)(b) — but this requires implementing alternative transparency measures, not simply omitting notice altogether.
B2B vs. B2C Data: Both Regulated
A corporate email address in the format firstname.lastname@company.com is personal data. A work phone number is personal data. GDPR obligations for B2B data are the same as for B2C data. The balancing test under legitimate interests may be somewhat more favourable for professional data, but data subjects retain full rights including the right to object.
Suppression Lists: TPS, CTPS, and In-House Suppression
For UK data brokers:
- Lists must be screened against TPS and CTPS before any calling activity
- In-house suppression lists must be maintained and applied — removed individuals must stay removed
- The ICO has fined list providers (not just callers) for TPS screening failures
Data Accuracy Obligations
GDPR Article 5(1)(d) requires personal data to be accurate and kept up to date. For brokers this means:
- Regular cleansing against mortality and gone-away data
- Processing bounces and returns
- Honouring correction requests
- Screening against the Bereavement Register
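The suppression and accuracy steps above (TPS/CTPS screening before calling use, in-house suppression that must be honoured permanently, and cleansing against mortality and gone-away data) are all variants of one operation: match each record against a set of suppression sources and record why it was held back. The following Python is an added example, not code from the article or from Custodia. The TPS and CTPS are real registers, but their contents here, the in-house suppression file, the gone-away file, the contact layout and the reason codes are all constructed assumptions; a real pipeline would load the licensed register files in place of the sets below.

```python
"""Screen a contact list for calling use against TPS/CTPS, in-house
suppression and mortality / gone-away data. Added example; all register
contents and the record layout are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Contact:
    name: str
    phone: str
    email: str
    postcode: str


@dataclass
class Registers:
    tps: set[str]                     # normalised numbers on the TPS (assumed sample)
    ctps: set[str]                    # normalised numbers on the CTPS (assumed sample)
    in_house_phones: set[str]         # objections / erasure requests, by number
    in_house_emails: set[str]         # objections / erasure requests, by email
    deceased_or_gone_away: set[tuple[str, str]]   # (normalised name, normalised postcode)


@dataclass
class ScreeningResult:
    cleared: list[Contact] = field(default_factory=list)
    suppressed: dict[Contact, list[str]] = field(default_factory=dict)


def normalise_uk_number(raw: str) -> Optional[str]:
    """Canonicalise a UK number to +44... so that '020 7946 0001',
    '+44 (0)20 7946 0001' and '0044 20 7946 0001' compare equal.
    Returns None when the value cannot be read as a UK number."""
    digits = re.sub(r"[^\d+]", "", raw)
    for prefix in ("+44", "0044"):
        if digits.startswith(prefix):
            # A national number never starts with 0 after the country code,
            # so a stray '(0)' can be dropped safely.
            digits = "0" + digits[len(prefix):].lstrip("0")
            break
    if not re.fullmatch(r"0[1-9]\d{8,9}", digits):
        return None
    return "+44" + digits[1:]


def normalise_email(raw: str) -> str:
    return raw.strip().lower()


def normalise_postcode(raw: str) -> str:
    return re.sub(r"\s+", "", raw).upper()


def normalise_name(raw: str) -> str:
    return " ".join(raw.split()).lower()


def screen_for_calling(contacts: list[Contact], regs: Registers) -> ScreeningResult:
    """Return cleared contacts plus, for every held-back contact, the list of
    reason codes, so the screening decision can be evidenced later."""
    result = ScreeningResult()
    for c in contacts:
        reasons: list[str] = []
        phone = normalise_uk_number(c.phone)
        email = normalise_email(c.email)
        key = (normalise_name(c.name), normalise_postcode(c.postcode))
        # In-house suppression is checked first and on every channel: a
        # person who objected or asked for erasure must stay removed.
        if (phone is not None and phone in regs.in_house_phones) or email in regs.in_house_emails:
            reasons.append("IN_HOUSE_SUPPRESSION")
        if key in regs.deceased_or_gone_away:
            reasons.append("DECEASED_OR_GONE_AWAY")
        if phone is None:
            # A number that cannot be screened cannot be cleared for calling.
            reasons.append("UNSCREENABLE_PHONE")
        else:
            if phone in regs.tps:
                reasons.append("TPS")
            if phone in regs.ctps:
                reasons.append("CTPS")
        if reasons:
            result.suppressed[c] = reasons
        else:
            result.cleared.append(c)
    return result


# Constructed sample data (Ofcom drama-range numbers, example.com addresses).
SAMPLE_CONTACTS = [
    Contact("Jane Example", "020 7946 0001", "jane@example.com", "SW1A 1AA"),      # on TPS
    Contact("Sam Example", "+44 (0)20 7946 0002", "sam@example.com", "SW1A 1AA"),  # clear
    Contact("Lee Example", "07700 900003", "LEE@EXAMPLE.COM", "EC1A 1BB"),         # objected
    Contact("Pat  Example", "020 7946 0004", "pat@example.com", "n1 9gu"),         # gone away
    Contact("Kim Example", "not a number", "kim@example.com", "N1 9GU"),           # unscreenable
    Contact("Acme Ltd reception", "020 7946 0005", "info@example.org", "EC2A 2AA"),  # on CTPS
]
SAMPLE_REGISTERS = Registers(
    tps={"+442079460001"},
    ctps={"+442079460005"},
    in_house_phones=set(),
    in_house_emails={"lee@example.com"},
    deceased_or_gone_away={("pat example", "N19GU")},
)

if __name__ == "__main__":
    outcome = screen_for_calling(SAMPLE_CONTACTS, SAMPLE_REGISTERS)
    print("cleared:", [c.name for c in outcome.cleared])
    for contact, why in outcome.suppressed.items():
        print("held:", contact.name, why)
```

Two design choices matter for the obligations the article describes. Matching is done on normalised values, because a number written as "020 7946 0001" and the register entry "+442079460001" are the same person, and a raw string comparison would clear a TPS-registered number. A record whose number cannot be normalised is held back rather than passed through, since it has not actually been screened. Keeping the reason codes per contact gives the evidence a list provider needs to show that screening was applied before supply.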
The ICO has taken the view that supplying lists containing deceased individuals can itself breach the accuracy principle — liability sits with the broker, not just the client.
Client Due Diligence
Before supplying data to any buyer, you must satisfy yourself that the buyer has a lawful basis for the processing they intend to carry out. Your supply agreements should include:
- Permitted purpose description
- Prohibition on re-selling without consent
- Requirement to respect suppression lists
- Data deletion timeline
- Breach notification obligations
ICO Enforcement: Key Cases
Experian (2020): The ICO issued an enforcement notice after finding Experian was processing personal data of millions of UK adults for profiling without adequate Article 14 transparency. Relying on industry-wide privacy notices rather than individual notices fell short of GDPR requirements.
Cambridge Analytica (2018): Established that the data supply chain is regulatable from source to end user.
AMS Marketing and others: Fines fell on list brokers as well as callers for TPS screening failures and inadequate lawful basis.
Compliance Checklist
Lawful Basis
- [ ] Every processing activity has a documented lawful basis
- [ ] LIAs completed for all legitimate interest processing
- [ ] Third-party consent has been assessed for GDPR validity
Transparency
- [ ] Article 14 notices in place for third-party sourced data
- [ ] Website privacy notice describes broker activities accurately
Accuracy
- [ ] Data cleansed against mortality and gone-away data
- [ ] TPS/CTPS screening applied before calling use
- [ ] In-house suppression lists maintained and applied
Client Due Diligence
- [ ] Client assessed before data supplied
- [ ] Supply agreements include permitted purpose and deletion timelines
If you're a data broker reviewing your GDPR compliance, start by understanding what your website is disclosing and collecting — that's often the first thing a regulator examines. Custodia's free scanner will identify gaps in your public-facing compliance in 60 seconds.
Full guide at app.custodia-privacy.com