The ICO's Questions: What the Regulator Has Not Yet Answered on Data Brokers
The ICO has not ignored the data broker sector. That is important to say precisely. Overclaiming regulatory failure creates room for deflection, and in this series we are interested in precision.
The ICO investigated Experian, Equifax, and TransUnion over two years and published findings in 2020 that described “widespread and systemic data protection failings across the sector.” It issued an enforcement notice. It appealed when that notice was challenged. It has published guidance on the data broking sector. It has engaged with complaints.
What I want to examine is the gap between what the ICO has done and what the documented record says about the state of the UK data broker market. Specifically, the questions that the public record cannot yet satisfactorily answer.
Question One: How Many Audits?
The ICO has the power to conduct audits of data controllers. Under the Data Protection Act 2018 and enhanced under the DUAA 2025 through binding assessment notices, it can require organisations to allow it to assess compliance.
The public record for data broker audits specifically, as distinct from the high-profile Experian investigation, does not provide clear visibility. The ICO’s annual reports cover enforcement activity broadly. The data broker sector audit count since 2018 is not, as far as the public record shows, presented with the specificity that would allow external evaluation of proactive oversight intensity.
This matters because the Experian investigation arose from a complaint. A complaint-triggered investigation is reactive. A proactive audit programme would indicate a different enforcement posture. What does the proactive programme look like? How many brokers have been audited outside complaint-driven investigations? The public record does not make this easy to answer.
Question Two: Enforcement Against Systematic Reprocessing
The right to erasure under Article 17 UK GDPR is only meaningful if compliance is monitored. A broker that removes data on request and then reacquires it from the same upstream source at the next database refresh is technically providing individual removals while systematically continuing the problem.
How many enforcement actions since 2018 have specifically targeted the practice of reprocessing data after individuals have submitted erasure or objection requests? The public enforcement record covers specific cases. It does not provide clear aggregate data on enforcement actions targeting the reappearance pattern that makes individual rights so labour-intensive to exercise.
This is the most operationally significant gap in the public accountability record. If brokers can remove data and reacquire it without enforcement consequence, the individual rights framework is functioning as a pressure valve rather than a remedy.
Question Three: Source Lineage
Most commercial data broker profiles are assembled from multiple sources. Public registers, electoral data, marketing lists, commercial partnerships, and historic datasets all contribute. For a UK director, the most important sources are Companies House and the open electoral register.
When the ICO investigates or audits a data broker, does it require the broker to demonstrate the source lineage of specific records? The 2020 investigation addressed the broader question of transparency about processing. But the specific question of whether a broker can identify and document the source of each data point in a director’s profile is more granular.
Transparency about processing requires knowing where the data came from. Erasure rights depend on understanding which upstream sources will republish after removal. The source lineage question is fundamental to making individual rights practically effective.
Question Four: Personal Safety Risk Assessment
GDPR’s legitimate interests basis requires a balancing test that weighs the controller’s interests against the data subject’s rights and freedoms. For a director whose home address, business identity, household composition, and financial indicators are assembled into a commercial profile, the risks include impersonation fraud, targeted social engineering, and physical safety.
How does the ICO’s current enforcement and audit approach assess personal safety risk specifically, for directors, sole traders, charity trustees, and vulnerable individuals? The framework exists. The question is whether it is being applied to data broker profiles with sufficient attention to the specific risks those profiles create for identifiable individuals.
The ICO’s guidance on the data broking sector addresses legitimate interests broadly. The application of personal safety risk to the balancing test for commercial director data specifically is less visible in the public record.
Question Five: Proactive Versus Reactive
The Experian investigation was triggered by a Privacy International complaint filed in 2018. The most significant regulatory action in this sector was therefore reactive. What proactive oversight of the data broker market exists?
Are there rolling audits of broker compliance? Is there monitoring of erasure request compliance rates across the sector? Is there sampling of broker profiles for individuals in high-risk categories? Is there analysis of which upstream sources are consistently feeding data into commercial profiles despite individual objections?
The answer from the public record is not clear. The ICO’s published workplan and annual reports give priority areas but do not provide a clear picture of proactive data broker oversight as a structured programme.
Question Six: How Is Success Measured?
This is the most fundamental accountability question.
The ICO’s purpose is to uphold information rights in the public interest. In relation to the data broker sector, what does success look like in measurable terms? Fewer individuals unable to identify which brokers hold their data? Improved erasure compliance rates? Reduced reappearance rates? Reduced commercial profile depth for identifiable vulnerable individuals?
Not publications. Not consultations. Not guidance pages. What has measurably changed in how UK data brokers treat personal data since 2018?
The absence of a clear, publicly stated metric for success in this area makes external evaluation difficult. It also makes it difficult for individuals to understand whether their individual erasure requests are contributing to measurable change or simply managing their own immediate exposure.
What the Documented Record Does Show
To be precise about what we do and do not know.
The public record shows: a two-year investigation that found systemic failings; an enforcement notice against Experian; a tribunal process that ran from 2020 to 2024; an outcome that did not result in a monetary penalty or a final ruling that the core processing was unlawful at the alleged scale; published guidance for the data broking sector; and ICO acknowledgement of the open questions.
The public record does not clearly show: a quantified proactive audit programme, a mechanism for monitoring reappearance rates at scale, a published framework for assessing personal safety risk in balancing test applications, or a measurable outcome metric for the sector.
What This Means for UK Directors
The accountability gap is not an argument for despair or for abandoning individual rights management. It is an argument for realism about what the regulatory framework currently provides.
Individual rights under UK GDPR remain the practical tool. Submit requests. Track responses. Document reappearances. Report non-compliance to the ICO. Your documented complaints contribute to the evidence base for future enforcement.
The structural remedy, systematic enforcement that changes market behaviour at scale, requires the Information Commission to use its enhanced powers under the DUAA in ways that produce measurable outcomes. Whether that happens depends on decisions and resources that individuals cannot directly control.
What individuals can do is be precise about the gap, hold the regulator accountable publicly through accurate documentation, and not mistake the existence of rights for the existence of effective enforcement.
How to Turn This Into a Competitive Advantage
For MSPs and advisers, understanding the accountability gap is what allows you to give clients honest advice about their data protection rights rather than false confidence. Being able to explain what the regulatory framework currently provides and does not provide is a mark of genuine expertise.
For business owners, the honest position is that active individual rights management is necessary because systemic enforcement has not yet produced the market change the law intended. That is the correct framing for a board conversation about director data governance.
How to Sell This to Your Board
The board does not need a regulatory theory seminar. It needs two clear points.
The regulatory framework exists but has not yet produced the enforcement outcomes that would make individual rights management unnecessary. Your board should treat director data exposure as a live governance issue, not a regulatory matter that someone else is handling.
The DUAA 2025 gave the Information Commission enhanced powers. If those powers are used effectively, the enforcement landscape may improve. Your board should monitor that and adjust governance accordingly, while not assuming improvement before it has happened.
What to Do This Week
- Search the ICO’s published enforcement notices and reprimands in the data broker category to see what the public record shows.
- Review the ICO’s guidance on the data broking sector for the current stated approach.
- Submit any outstanding SAR or erasure requests to brokers you identified in earlier weeks.
- If you have experienced non-compliance (missed deadline, inadequate response), file an ICO complaint and document the reference number.
- Monitor the ICO’s enforcement announcements for data broker sector actions under the DUAA’s enhanced powers.
| Source | Article |
|---|---|
| ICO | Guidance for the data broking sector |
| Privacy International | UK regulator takes enforcement action against data brokers |
| Privacy International | Q&A on UK regulator’s data broker action |
| ICO | Right to erasure: detailed guidance |
| ICO | Data Use and Access Act 2025 guidance |
| GOV.UK | Data (Use and Access) Act 2025 |
| ICO | Make a data protection complaint to the ICO |