Doing Due Diligence on Third Party Data - Our Top Tips
16 Jun 2023
The DMA frequently receives enquiries from members about the level of due diligence they need to undertake when accepting personal data from third parties such as list brokers. To help you navigate what can often be a tricky area, here are some “top tips”:
1) Check the legal basis under GDPR that the third party has relied upon to collect the personal data and send it on to you for direct marketing purposes.
Depending on the channel, data brokers tend to rely on either Legitimate Interests (LI) or Consent.
If it’s LI, they should be prepared to share their Legitimate Interest Assessment with you and provide the privacy wording that the data subject would have seen at the point of data collection as per their “right to be informed”.
If consent is the lawful basis, ask to see the consent statement that they’ve used. For consent to be GDPR-compliant, it needs to be freely given, specific, informed and unambiguous.
2) Ask to see the privacy information that the data subject would have seen when their personal data was collected. Does it meet the grade?
One of the guiding principles under the UK GDPR is Lawfulness, Fairness and Transparency. Data suppliers therefore need to be upfront, at the point they collect personal data, about who will use it and for what purposes. Burying the information in a Privacy Policy wouldn’t be sufficient.
Instead, data capture forms must either a) name the specific third parties who will be using the information or b) provide a detailed outline of the nature of the organisations that will receive the data. Saying “trusted third parties” or similar would not be sufficient.
3) Check to see whether the data has been screened against the relevant suppression files before being shared with you (e.g. TPS, MPS).
Ask to see evidence and determine how recently the data was screened. Don’t just take the supplier’s word that screening against the relevant suppression services has taken place.
4) Make sure you have the necessary security measures in place with the third-party source so that personal data is transferred securely.
Apply the CIA (confidentiality, integrity and availability) triad as outlined in the ICO’s guide to data security.
5) Ensure you have a clear record of where you obtained the data should the data subject query it. Update your Privacy Policy.
You should apply a unique source code to each data supplier you use and add it to the CRM record you create for each data subject, so you have an up-to-date record of where the data came from.
Your Privacy Policy needs to specifically name the data suppliers you use and their contact information, as well as the steps people can take if they want to be removed from your database or the supplier’s.
6) Give people an opportunity to unsubscribe or opt out of hearing from you in each and every communication.
For mailings, ensure you provide the relevant contact details of your organisation; for emails, an “unsubscribe” link; and for telephone marketing, agents should be trained to handle any opt-out requests effectively.
For more guidance and support, please email our Legal & Compliance team at legaladvice@dma.org.uk.