4. ICO investigation 4.1 Scope of the investigation Our investigation looked at the provision of offline marketing services by key data brokers. It focused on processing of personal data in the UK about individuals in the UK. The scope of the investigation did not cover online data broking. It also did not extend beyond looking at the provision of marketing services by the data brokers. In the context of the CRAs, this means that the investigation did not look at their credit referencing functions. The findings set out below therefore do not relate to the credit referencing functions of the CRAs.
4.2 Decision to audit In summer 2018 after a review of the intelligence we then held, the Commissioner exercised her power to undertake compulsory audits and issue assessment notices to the three CRAs. This allowed us to collect accurate, detailed and up-to-date information about their processing activities. The Commissioner also decided to investigate practices at three of the non-CRA hubs of data broking we had previously identified, in order to provide contrast to the CRAs’ compliance and an overview of data protection compliance more widely across the sector. After reviewing current intelligence, we issued assessment notices to three data brokers of concern. We announced our decision to conduct compulsory audits of the three CRAs in our 2018 report ‘Investigation into the use of data analytics in political campaigns’, as we investigated some of the organisations as part of our work on the use of personal data for political purposes.
23
