Buying a marketing list – ICO due diligence questions


With GDPR just around the corner we thought it would be useful to answer the questions the ICO suggest you should be asking your marketing data list supplier.

These can be found via the ICO’s direct marketing guidance – viewed 10th May 2018 – skip to page 51 ‘Buying a marketing list’.

The ICO advises “Organisations buying or renting a marketing list from a list broker or other third party must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent.”

Reasonable due diligence might include checking the following:

Questions in bold, Selectabase answers underneath

  1. Who compiled the list?
    Our data portal Prospect Download hosts both Experian’s marketable B2C ConsumerView Database, and B2B National Business Database. Experian’s data partners obtain personal and commercial data compliantly and where appropriate notice has been given for them to pass the information to Experian for use in their products and services.
    To learn more about Experian consumer data, click here.
    To learn more about Experian business data, click here.When?
    All lists are completely refreshed and rebuilt every month.

    Has it been amended or updated since then?
    Invalid data is removed and new data added every month.

  2. When was consent obtained?
    We do not use consent as the legal basis for processing. Our data lists are sold for direct marketing purposes using legitimate interests as the legal basis for processing.
    Please visit our GDPR & Marketing Data page  for more information.
  3. Who obtained it and in what context?
    Experian’s data partners obtain personal and commercial data compliantly and where appropriate notice has been given for them to pass the information to Experian for use in their products and services.
    Please visit our GDPR & Marketing Data page  for more information.
  4. What method was used – eg was it opt-in or opt-out?
    Data subjects will have been provided with the opportunity to opt-out from third parties processing the data for use in connection with their direct marketing services at the point when the data was collected.
  5. Was the information provided clear and intelligible?
    Yes, data subjects will have been informed about the purposes for which their data would be used, by whom (by category of business or by name) and given the chance to opt-out at the time.
  6. Did it specifically mention texts, emails or automated calls?
    No, as the legal basis for processing is legitimate interests, not consent, so there is no requirement to provide granularity of choice. Business to consumer data (i.e. to individuals) is limited to postal data only and screened against the Mailing Preference Service (MPS). Business to business data for sole traders and true partnerships includes postal and telephone data, and B2B data for corporate entities includes email postal, and telephone data, screened against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS). Email marketing to corporate entities does not require consent.
    Please visit our GDPR & Marketing Data page  for more information.
  7. Did it list organisations by name, by description, or was the consent for disclosure to any third party?
    Selectabase only provides data that can be processed for direct marketing purposes using legitimate interests as the legal basis. It also means that there is no legal requirement for Selectabase to be specifically named, although Selectabase will have been identified by category of business.
    Please visit our GDPR & Marketing Data page  for more information.
  8. Has the list been screened against the TPS or other relevant preference services?
    Yes, against the individual and corporate Telephone Preference Service (TPS and CTPS). Postal consumer data is screened against MPS.
    If so, when?
    Every day all lists with telephone numbers are screened.
  9. Has the individual expressed any other preferences – eg regarding marketing calls or mail?
    No, as we do not use consent as the legal basis for processing. Our data lists are sold for direct marketing purposes using legitimate interests as the legal basis for processing.
    Please visit our GDPR & Marketing Data page  for more information.
  10. Has the seller received any complaints?
    Quite the opposite, and to demonstrate this you can see our Why Choose Us page www.selectabase.co.uk/why-choose-us/ to view a sample of testimonials from thousands of clients that have used our direct marketing data lists and services over the years. Naturally like all direct marketing lists we do from time to time receive a very low number of unsubscribe requests from the data lists we provide. These are actioned promptly and efficiently and where individuals have requested the source of their details this is always communicated transparently. We can assure you that Selectabase will only supply marketing data lists that are compliant under the EU’s GDPR processing rules.
  11. Is the seller a member of a professional body or accredited in some way?
    Yes, Selectabase is a member of The Direct Marketing Association (DMA) and were one of the first organisations to be recognised as being fully compliant with The DMA’s Data Compliance Audit process. We are registered with the Information Commissioner’s Office ((ICO) as a data controller, and all our data is sourced and processed appropriately within ICO guidelines.

Even if an organisation does not need specific consent for its marketing (eg for calls screened against the TPS list, or for mail marketing), it should still not go beyond what the individuals would reasonably expect. It should only market products or services which are reasonably similar to those which have been promoted to those customers in the past, or which they have a clear reason to expect. Bought-in call lists must always be screened against the TPS. And they should also be screened against the organisation’s own in-house suppression (do not call) list, to ensure it doesn’t contact anyone who has already said they want to opt out of its marketing.

Selectabase support this by carrying out due diligence on every data list order before release. Plus all of our direct marketing lists are screened against the appropriate preference services. In addition, on 29th January 2018 Selectabase released our new, free Windows PC App EasyCheck, which enables users to screen consumer and business, telephone number and postal data against the individual and corporate Telephone Preference Service (TPS and CTPS), and the Mailing Preference Service (MPS) – and all from the desktop!

Please note that these answers provide a general overview response. Answers may vary on a case by case basis depending on your campaign, marketing channel (postal, telephone, or email), B2B or B2C audience, and the product or service being promoted.

If you have any questions regarding this blog or would like to find out more about the services we offer, to help you with compliant direct marketing, call our friendly team on 01304 383838.