The Regulator Who Looked the Other Way: GDPR, Data Brokers, and UK Directors

UK Compliance & Regulation

The Regulator Who Looked the Other Way: GDPR, Data Brokers, and UK Directors

GDPR was supposed to give people control of their data.

The right to erasure. The right of access. The right to object. Transparency. Accountability. Lawful basis. The words are all there, written into UK law.

Meanwhile, commercial data brokers still collect, combine, package, and sell personal information about UK directors at scale. Seven years after UK GDPR came into force, the market for personal data has not shrunk. It has grown.

This is Episode 3 of The Open Book Problem. Lucy Harper joins me to ask why.

What Data Brokers Do

A data broker collects information about people, combines it, enriches it, segments it, and sells access to it. Sources include public registers, marketing lists, open electoral register data, commercial partnerships, online behaviour, surveys, purchase data, property records, credit reference relationships, and other datasets.

Once a broker has enough pieces, a person becomes a profile. For a UK director, that profile may include name, address, age band, household composition, interests, financial indicators, property information, directorships, employment signals, and marketing segments.

The industry will argue that it has lawful bases, suppression processes, compliance teams, and legitimate commercial uses. Some of that may be true in some cases. But a lawful basis is not a magic phrase. It has to stand up to scrutiny, and the scrutiny has not been applied consistently.

Rights Versus Reality

UK GDPR provides subject access rights, rectification rights, erasure rights, restriction rights, objection rights, and portability rights. The words are correct. The experience for most individuals is different.

If your personal data appears in broker databases, you typically have to: identify the broker, find their removal route, make the request, verify your identity, wait for a response, challenge a refusal if one arrives, and repeat the process when data reappears. Multiple brokers. Multiple requests. Multiple deadlines. Multiple rejections.

That is not a remedy. That is a part-time administrative role with no salary and consistent frustration.

The right to erasure exists. But individual rights do not automatically solve systemic data circulation. The upstream sources keep publishing. The downstream brokers keep harvesting. The individual keeps sweeping the beach with a toothbrush.

What the ICO Has Done

The ICO has not ignored data brokers. That is important to say precisely because overclaiming creates room for deflection.

The ICO investigated data protection compliance in the direct marketing data broking sector. It issued enforcement notices in notable cases. It has warned about transparency, fair processing, and the use of credit reference data for marketing purposes.

The record is not blank. The question is whether the response changed the market enough to matter for ordinary UK directors.

From where most people are standing, the answer is no. People still struggle to know which organisations hold their data. The broker ecosystem remains opaque. Data flows are difficult to map. Removal remains fragmented. Reappearance is a practical problem, not a theoretical one.

A regulator can publish findings and still fail to change behaviour at scale. That is the accountability question.

Legitimate Interests: The Phrase Doing Too Much Work

Much broker processing relies on legitimate interests as its lawful basis, or similar reasoning depending on the activity and data source. Legitimate interests is a valid lawful basis under UK data protection law. It is not automatically invalid. But it requires balancing the organisation’s interest against the individual’s rights and freedoms.

That balancing exercise should consider risk to individuals: harassment, fraud, stalking, impersonation, targeted social engineering. For a director whose business data and home address end up in the same commercial profile, those risks are not theoretical.

If the balancing test does not weigh those risks seriously, then the balancing test is not being applied correctly. It is theatre.

The Director Problem

Directors occupy an awkward position in the data ecosystem. Some information about them is public because corporate transparency requires it. But they remain private individuals. They may run a small firm from home. They may use personal mobile numbers. Their business address may be their home address on public record.

For a FTSE board member, there are layers of insulation. Legal teams, comms departments, registered service addresses, executive assistants. For an SMB director, the layer is often a Labrador and a Ring doorbell.

That is not a robust privacy posture.

The more personal data gets joined, the more usable it becomes. Business transparency should not become personal targeting infrastructure. The case for tighter broker oversight is not about hiding who owns companies. It is about recognising that the combination of company record data, electoral register data, property data, and commercial enrichment creates profiles with real fraud and safety implications.

Why Individual Requests Are Insufficient

Imagine a director who wants to reduce their exposure. They submit subject access requests to brokers. Then erasure requests. Some brokers respond promptly. Some ask for more identity evidence. Some remove data. Some suppress it but keep underlying records. Some say they have no data, which may or may not be accurate. Some do not respond within the legal deadline.

Even where data is removed, it can reappear. Brokers obtain data from upstream sources. If those sources continue publishing, broker databases refresh. An opt-out stops the current display. It may not prevent the next refresh from relisting you. This is why removal often has to be repeated every three to six months.

The systemic problem requires a systemic response. Individual rights tools are the correct mechanism for individual errors. They are insufficient for addressing the architecture of a data market.

The Opacity Problem

You cannot challenge what you cannot see.

Many people do not know which brokers hold their information. They do not know which sources were used. They do not know who received the data downstream. They do not know whether an erasure request affects one database, one product, one partner feed, or one public listing.

So the individual gets a right, a template letter, and a treasure hunt.

The strongest enforcement does not only punish isolated failures. It forces clarity into the system. Who holds the data? Where did it come from? Who receives it next? How do I stop it? Why did it return? Those are basic questions. They should not require investigative stamina to answer.

The Questions the ICO Should Answer

Lucy has a list. These are the questions that have not received satisfactory public answers.

How many UK data broker audits have been completed since UK GDPR came into force?

How many enforcement actions have targeted repeated reprocessing after erasure or objection requests?

How many brokers have been required to explain source data lineage for records derived from public registers?

How does the regulator assess personal safety risks for directors, sole traders, trustees, and vulnerable individuals specifically?

What proactive checks are carried out, rather than waiting for individuals to complain?

And how is success measured in terms the public can understand? Not pages published. Not stakeholder engagement sessions. Not consultations. What changed?

Why SMBs Should Care About This

Some readers will think this sounds like a privacy issue rather than a security issue. It is both.

If a data broker links a director to a home address, a company, a sector, and a financial profile, that supports fraud attempts. If that data is combined with Companies House records, LinkedIn activity, breached credentials, and public job adverts, it supports targeted social engineering.

Data does not need to be secret to be dangerous. It only needs to be useful.

How to Turn This Into a Competitive Advantage

MSPs, accountants, and business advisers have an opportunity here. Director data exposure is increasingly part of serious due diligence conversations. Knowing how to help clients audit their broker exposure, exercise Article 17 rights effectively, and build a documented record of removal requests is a service most competitors do not offer.

For business owners, being able to demonstrate that you actively manage director exposure signals to larger clients and partners that your security governance extends beyond technical controls. The human attack surface matters. Treating it seriously matters.

How to Sell This to Your Board

Three specific arguments for board-level attention:

This is a fraud risk, not only a privacy concern. Director exposure feeds impersonation fraud. Impersonation fraud targeting UK businesses resulted in hundreds of millions of pounds in losses in 2024 according to UK Finance. That is not a privacy statistic. It is a finance statistic.

The ICO’s enforcement record is incomplete. That means businesses cannot rely on regulatory action to reduce the risk on their behalf. If the market has grown despite the law existing, the business must manage its own exposure actively rather than assuming the regulator has it covered.

Competitors who overlook this are taking on risk they have not priced. If a director at a competing business is successfully impersonated and the resulting fraud disrupts their operations, that creates opportunity. Understanding the risk before it materialises is a governance advantage.

What to Do This Week

  1. Document your current broker exposure. Search your name and address on the major UK people-search sites. Take screenshots with dates. This is your baseline.

  2. Submit subject access requests to the top results. Use the ICO’s template letters. Ask each broker what data they hold, where it came from, and who has received it.

  3. Follow up with erasure requests where data should not be held.

  4. Track everything. Date sent. Deadline. Response received. Outcome. Recheck date. Without a tracking record, you lose the thread.

  5. Report non-compliance. If a broker misses the one-month deadline or refuses a request without adequate reason, report it to the ICO. Individual complaints become policy pressure when enough of them arrive documented.

SourceArticle
ICORight to erasure
ICOYour right to get your data deleted
ICOGuidance for the data broking sector
ICOLegitimate interests
GOV.UKData Protection Act 2018
UK FinanceAnnual Fraud Report 2025
GOV.UKCyber Security Breaches Survey 2025/2026

Listen to the full episode: The Open Book Problem, Episode 3: The Regulator Who Looked the Other Way.

Next in the series: Episode 4, The Subscription Scam That Is Not Quite a Scam. Graham Falkner joins me to examine DeleteMe, Incogni, and the paid removal industry. They are not scams. But the fact that you are paying monthly to exercise rights you already own for free tells you something has gone badly wrong.

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • data-protection
  • executive-security
  • business-risk
  • public-sector-security