Part 1: The ICO questionnaire
I’ve thought long and hard about this blog. Should I post it? Shouldn’t I? How will it be interpreted and am I putting my head about a parapet? I’m the MD of a data brokerage and I think that it’s fair to have an opinion, so posting the blog won out. I have nothing to hide, why should I be scared of saying what I think about recent events?
Please note the informal tone of this blog, it’s supposed to be helpful and to highlight areas of concern with a view to having those areas addressed. It’s not an attack, more a concerned brain-dump. As the blog mentions the ICO, I would like to say that I have supported and will continue to support the ICO for many years, posting their content online and sharing my support for their enforcements. I wish they had more power and resources to truly eliminate various problems.
I think this blog is almost a cry for transparency and communication. Let us know what the end game is here - it would be good to understand the steps and process that the ICO is going through. We may even be able to assist with their challenges. They want transparency from me and they will get it. I think that most data companies would prefer that it was reciprocated. Disclaimer over, now to the blog…
As many will be aware, the data industry is under scrutiny. I’d say that it had its annus horribilis. Various trials-by-media and unfortunate situations with the ultimate realisation that change is required. The change is no bad thing really, I think we all want to eliminate rogue elements like any industry would. To this end, the ICO have sent through a questionnaire (from the enforcement team!) so they can better understand the industry, make recommendations and, according to the DMA, weed out those rogue elements.
I think we all agree that this is a step in the right direction. I don't think anyone in the industry is happy with how ALL companies are tarred with the same brush by the ICO on their media duties. Whether it be on Dispatches, Watchdog or in a newspaper. When it comes to getting a quote from the ICO (and the DMA to be fair), I never read anything positive about the billions of pounds that the direct marketing industry generates and the fact that 99% of companies that operate within it do so on a legal and ethical basis. I appreciate that TV is edited, so that may be unfair, but in the past I’ve heard ICO representatives on Jeremy Vine lay into the data industry with abandon.
Yes, there are rogue elements of course but they are exactly that - minority and rogue just like a cowboy builder, tree surgeon, car mechanic, solicitor and so on. Direct Marketing needs to be cleaned up and I believe that the ICO questionnaire is Step 1. It's not an "us" versus "them" situation, whoever “they” are - we are all on the same side against the companies that cause problems to businesses and consumers alike. I just think we need to agree what the extent of the problem is, what the definition of the problem is and how it's best highlighted and dealt with. However, it only works as a Step 1. If this questionnaire is the major broadside or the foundation that Steps 2 and 3 are built on, I fear it may miss the mark. It needs to be parallel to other projects to tackle the problems.
I think that the industry would be disappointed if this questionnaire is just bowing to media pressure and keeping up the PR profile of the organisation. Personally, I’m very confident that it is not. We want real change, results and engagement with the ICO and have been asking for this for many years. Every time you see a press release from the ICO about shutting down an SMS scam or fining a PPI company for £X, you are sure to find 10 likes from legitimate data companies urging them forward. Yet, it's hard not to feel that we are ALL still seen as the bad guys.
I sigh when I see the ICO on the TV or in a newspaper attacking the industry and the DMA not vehemently defending the vast majority. I for one have requested a visit from the ICO, which they initially did not respond to (their auto responder does say that you may not get a response). Upon pressing for this a second time and name-dropping the ICO chief I made progress and a meeting was arranged, which was subsequently cancelled and replaced by the questionnaire.
As I understand it, the same questionnaire has gone to brokers, data owners, list managers, data processing companies etc. We all work differently and many of the questions are not relevant to those types of companies. I suppose though that it's difficult to send out a questionnaire about understanding the industry if you are open about not understanding the industry you’re surveying. It's almost a catch-22. It also raises the point that if the ICO doesn't understand this industry - then why take so long to address the problem? We haven’t been hiding for the last 20 years. We’re not a secret. I would’ve thought that the ICO would have made it their top priority over the last decade to know this industry inside out. As mentioned though, as a first step, the questionnaire does open a dialogue and that can only be good if intentions are transparent.
I will be posting a couple of blogs over the next week which may be relevant including 'How to spot a data cowboy', and how I would solve this conundrum about enforcement. My approach may not be correct though, these are just my thoughts. Back to my humble views on the questionnaire though…
According to DMA email… ICO objective #1: Understanding the industry.
Seems a positive step, okay the questionnaire isn’t perfect but it's a starting point. I would recommend more engagement with senior persons within the recipient companies. We are here to help! We all want to clean the image of and the actual direct marketing itself. Is it not strange that the ICO have no idea who the management teams, services, ethos of companies within the data industry are? Is it odd timing that this has now happened after the media have brought rogue and non rogue elements to the fore? The media also have a limited understanding of the industry and seem to tar all data brokers with the same brush. Both the ICO, DMA and media seem to prefix the word data brokers with "these" and a lip curl suggesting we’re some kind of underhand cell. They all seem to turn into Severus Snape when talking about brokers. The fact that most of these companies behave in a perfectly legal and ethical way with a service that helps thousands of legitimate companies grow seems not to be talked about - it's just the bad stuff and with that there have been some horror stories and tragic events which nobody wants to see. I’m not defending nor will I condone any of those activities. The recently charity scandal is exactly that and I had no clue they illegally shared data. One of our policies is not to supply charities with consumer data and we always steer clear of any data that involves persons of a vulnerable nature. Even if I am wrong about how the ICO and DMA feel about brokers, is it still not strange that an MD of such a firm believes this? That would concern me if I was the DMA - one of my members feels isolated.
Only recently we saw the outgoing head of the ICO on TV saying that he has no power to audit direct marketing companies and wishes he had - well, I asked for a visit, I was declined. It's easy to go on TV and say it's all terrible, it shows the ICO in a positive light with consumers and that you are taking action. I don't think it unreasonable though to tell relevant journalists about the success stories and numerous occasions when direct marketing has helped both individuals and consumers. I’m not naive enough to think that it's all positive but it’s not the reverse either. Our company alone is responsible for hundreds of ICO registrations as we insist upon it - apart from it being the right thing to do, we are literally responsible for putting thousands of pounds into the ICO’s coffers. Long may that continue. I welcome it. We go out of our way to educate companies about the sensitivities of data.
Back to the questionnaire. From initial conversations I’ve had with MD's of other data firms, for some there’s a slight hesitation to answer some of the questions in full. Nothing to read into that - some questions are not relevant and some people have posted on LinkedIn some details of conversations with the ICO enforcement team. To summarise their views, from what I have read, it's just a fear that the ICO are looking for scapegoats. Looking to keep the PR positive and by definition only go after companies that provide sufficient detail for them to interrogate. These aren’t my views and they can be easily found by looking in the main LinkedIn groups. Of course this is very dramatic and I’m sure that this is not the case but I suppose you can only investigate companies that actually respond? How can you investigate the cowboys that you don't know about?
Note - 7th Jan: Today, I asked the ICO directly about this point and they have confirmed in writing that they arenot out to destroy the broker marketplace.
The biggest advocates and ambassadors that the ICO have are the bosses of the legitimate data companies - they should be brought into help this process, not alienated or made to feel guilty until proven innocent. A further question would be: has the questionnaire gone to the right companies?
I think that this questionnaire would be far more powerful if companies who DID NOT respond or put one word answers were automatically investigated.
According to DMA email.. ICO objective #2: Weeding out the problem.
I suppose we need some clarification on what the problem actually is. I will surmise that it’s about data privacy, the protection of data subjects, unregulated trading of data, compliance with UK laws including the DPA, data accuracy and so on. To summarise that, the problems are all the processes and undertakings that the cowboy companies get involved with. That is a sweeping statement and I am aware that data security and privacy can be breached by even the most well regarded organisations.
We are a company that is massively B2B focused so rarely get involved with consumer telemarketing or data of individuals. We have a stringent compliance process and don't work with companies that don't pass our checks. I am also a consumer so I understand how unwanted calls, direct mail and targeting can cause offence. I get them just like everyone else. I just understand how it all works in regards to data privacy and how data is generated - credit checks, surveys, social media, competitions, subscriptions, newspapers (yes that's right!) etc - so I am careful. I don't want to be involved with marketing that is not welcomed (so the TPS is good) and would welcome a scenario where we can reduce the impact of this. Marketing that is not welcomed is a waste of time and money for ALL parties. Later blogs will include my ideas on how we can help reduce this impact with education being prominent.
The problem here though is that our company’s view is not held by all. In the same way that I’m not inclined to steal a car, there are still people who do. Criminals, cowboys, scammers - whatever you want to call them. Of course, burglars and car thieves don't walk around with a sign on their head stating their intentions and neither do rogue data elements.
The questionnaire was sent to 1000 companies. I believe (could be wrong) that this 1000 was selected by the ICO based around responses to questions during the application to be registered with the ICO. Burglars don't register themselves with the police unless they get caught. Criminals based abroad who come to the UK to commit crime and then leave again quickly also don't make themselves known - however we do have Customs and controls to try and stop this. So we can stop drugs or hoverboards coming into the UK but we cannot currently stop scam calls coming in? Not good enough.
The only basis for my thinking on that was that my letter was sent to my old address which was submitted on the annual ICO registration. We subsequently moved offices a fair few months ago. Ironic really that one of the ICO questions was around how we ensure the accuracy of data. Maybe someone could offer some advice on that one. When it was sent again to the correct address - it was sent to Databroker!â¦.hmmmm. This to me would suggest that the ICO have not individually researched the companies and gone out and looked for rogue elements. Could it be a mail merge to their own database? Does it include the DMA member database? - I doubt it as this would involve data sharing which is neatly covered question 11.
With that in mind, try and put yourself in the shoes of a cowboy trader who sells illegal data or any of the following. Then imagine what your responses would be to the following:
That's very much tongue in cheek and kept informal for purpose of this blog but some of the principles are worth thinking about.
A lot of the real rogue elements are self employed, based out of bedrooms hawking stolen data, not VAT-registered obviously and not Ltd so registered anywhere. Cash transactions only, etc. Even harder to spot are the employees of companies stealing data and selling on. These are not brokers, just crooked employees - a practise that has been found in the mobile phone and personal injury industry before and successfully punished by the ICO. This type of business is no different from buying a Rolex in a pub for a £5 from the inside pocket of somebody’s coat. We all know it's wrong so throw the book at them.
How much of the telepest problem is by UK companies operating within the law? How much of the SMS and voice broadcasting problem is created by UK companies operating within the law? How much of it is by PPI, Debt Management and Personal Injury companies? A disproportionate amount I imagine. Let's understand this and tackle accordingly.
So, at Databroker towers, we have gladly filled in our questionnaire in detail and returned to the ICO. When the letter states that the ICO will take action against companies who don't operate within the data processing laws, I wonder how many responses that will come back that will say "we don't bother with the TPS, we call anyone we want" or other such paraphrased reply. I will estimate - zero. Over the next week, I shall add more blogs about cowboy data companies and my humble views on genuinely cleaning up direct marketing. I would still love to opportunity to work with the ICO and help if required - my door is open. Why wouldn’t you have a team that works directly with data companies in such an important area of your work (not via the DMA)? If it is in place, I must not have seen the PR or must be too insignificant to get an invite - fair enough, I know my place. I think the questionnaire will be successful in highlighting areas of improvement for genuine companies out there and that is massively valuable. I just hope that everyone answers it truthfully.
I am really interested in what Steps 2 and 3 will be and I am hoping it is dialogue with data companies, an open and transparent forum where cards are put on the table and routes forward are discussed. Everyone will have ideas and I hope that the ICO will be interested in hearing what people/experts in this area have to say on it. There are some unbelievably clever and forward thinking people in this industry and they should be able to have open dialogue. The more of these genius brains are involved the better. Obviously I’m not talking about myself here. My lack of grammar told you that though.
I am not precious about my views, if they are wrong, I will gladly write a blog to correct them. I am not a data activist or some kind of weirdo - these are just my thoughts and some will agree, some will not.