5 Ways GDPR Affects Brokers

Data brokers are valuable to most establishments, but how do they affect you?

Data brokers, also called information brokers, provide value to many businesses. The information they sell serves several purposes: it lets companies skip much of their own data collection and sharpen their marketing strategies.

Ever thought of how companies connect with their potential clients? These brokers provide the companies with the information they need about their target customers and the most suitable means of reaching them.

By 2019 the data brokerage market was estimated at $200 billion. Yet the same aggregation that makes brokers valuable to businesses concentrates large volumes of personal data in a few hands, which raises both the likelihood and the impact of data breaches. The GDPR therefore reaches brokers directly, to ensure data protection and privacy.

In this article, we’ll explore data brokers and how GDPR impacts their operations.

What are data brokers?

Data brokers are individuals and companies that compile individuals’ personal information and sell it to businesses. They are sometimes referred to as data providers or data vendors.

These brokers collect information from open sources available on the web. They gather and organize the data to build a well-structured database for different industries.

Top data brokers include:

  • Verisk
  • Acxiom LLC
  • Oracle Data Cloud
  • Epsilon Data Management, LLC
  • Experian PLC

How do data brokers gather information?

Most brokers get their data from the internet. They compile data from public and private records of different individuals.

Let’s see a few sources of data for brokers:

Public records:

  • Census data
  • Birth certificates
  • Voter registration lists
  • Court reports
  • Accident reports
  • Social networks

Private records:

  • Internet browsing history
  • Credit card history
  • Video gaming logs
  • Loyalty rewards memberships


How do data brokers affect privacy?

Data brokers compile and structure your information for companies, which use it to design buyer personas and target their audience.

How does it affect you?

Businesses use the information they buy from data vendors to study their prospects and predict how they are likely to react to a product.

They then present the offer in the form they expect you to accept, and you often see only a partial picture of the deal. In effect, brokers let companies sell to prospects who are already inclined to buy, with little or no persuasion needed.

What are the GDPR DPO requirements?

The General Data Protection Regulation sets specific requirements for both data controllers and data processors.

The GDPR, and the UK GDPR that mirrors it, requires an organization to designate a data protection officer (DPO) in the cases listed in Article 37: where it is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data or criminal conviction data.

Data brokers and vendors, whose business is large-scale processing of personal data, commonly fall within these criteria and must appoint a DPO to stay compliant. The DPO’s role is to make sure the organization handles the personal data in its care in line with the legislation.

Here are the GDPR DPO requirements for organizations that process data.

  • The GDPR requires that a DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice.
  • The Regulation prescribes no specific credentials; the DPO’s expertise must be proportionate to the sensitivity of the personal data processing involved.
  • The DPO’s knowledge must match the complexity of the data the company processes so that they can fulfill their tasks effectively.
  • The DPO should also have practical knowledge of the industry and of the organization’s processing operations.

5 Ways GDPR Affects Brokers

The EU introduced the GDPR to give individuals enforceable rights over their personal data. It governs how organizations collect, store and use that data.

Data brokers obtain, keep and process personal data, so they fall squarely within the GDPR. Most brokers act as data “processors” for the companies they serve; a broker that decides for itself what data to collect and to whom to sell it is a “controller” for that processing, with the heavier obligations that role carries. Either way, they must follow the GDPR.

Here is how the EU GDPR affects data vendors:

  1. Clarifying Duties and Responsibilities of Controllers and Processors

The GDPR draws specific lines of duty in data processing to safeguard the rights of data subjects.

This is particularly clear in how it distinguishes between “controllers” and “processors” of personal data.

The Regulation imposes security and confidentiality obligations on processors and allows them to use personal data only within the terms of their agreement with the controller. It also obliges the controller to use only processors that provide sufficient technical and organizational measures to protect that data.

The GDPR sets clear requirements for both roles. Many data controllers will need to review their vendor agreements to meet the Regulation’s detailed criteria for controller-processor contracts (Article 28).

Under the GDPR, processors take on direct obligations and can be held liable if they breach them or act outside the controller’s documented instructions. Controllers nonetheless remain primarily responsible for protecting personal data.

  2. Data Breach Responsibilities

If a personal data breach occurs on the processor’s side, the processor must notify the controller without “undue delay.” The controller must then report the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

If notification is not made within 72 hours, the controller must give reasons for the delay. Controllers must also document every personal data breach: the facts, its effects, and the remedial action taken.

  3. Choice of Processors

Controllers are responsible for the processors they choose, and those processors must comply with the GDPR’s rules for handling personal data. Under the GDPR, a “processor” is any entity that processes personal data on behalf of the controller.

That entity may be a natural or a legal person. In other words, the controller is the organization that determines the purposes and means of processing, and the processor is whoever the controller engages to carry out the processing.

However, the Regulation treats a processor as a controller for the relevant processing if it determines the purposes and means itself, or acts outside the controller’s instructions. In that case it is subject to the provisions that apply to controllers.

Controllers may only engage processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR.

  4. Liability and Penalties

A controller is liable for damage caused by processing that infringes the GDPR. A processor is liable only where it has failed to meet obligations the GDPR places specifically on processors, or has acted outside or contrary to the controller’s lawful instructions. Either party escapes liability only by proving it is in no way responsible for the event that caused the damage.

Where several controllers or processors are involved in the same processing and are responsible for the harm, each is liable for the entire damage, so that the data subject receives full compensation.

A party that has paid full compensation may then bring a claim against the other controllers or processors involved to recover the share of the damage attributable to them.

  5. Processors’ Additional Duties and Restrictions on Subcontracting

In addition to the provisions of the contracts between controllers and processors, the GDPR sets special requirements for processors.

To comply with the GDPR, processors must:

  1. Process personal data only on documented instructions from the controller.
  2. Implement appropriate technical and organizational safeguards.
  3. Delete or return all personal data to the controller at the end of the service, as the controller chooses.
  4. Meet specific conditions before engaging any additional (sub-) processor.

Under the GDPR, a processor may not engage another processor without the controller’s prior specific or general written authorization. Controllers are always free to object to the addition or replacement of a sub-processor.

Where the processor relies on a general authorization, it must inform the controller of any intended change so that the controller can object. The processor must impose the same data protection obligations on the sub-processor by contract, and it remains fully liable to the controller for the sub-processor’s performance.

What are the individual rights that affect data brokers and companies?

  • The right of access – people have the right to know whether their data is being processed and to access it, including how data processors and vendors use the information they have compiled.

The company or data supplier must provide a copy of the personal data on request, normally free of charge.

  • The right to be forgotten (erasure) – people have the right to ask for the deletion of their data.

If an individual demands that their personal information be removed from a database, the company must delete it unless a legal ground to retain it applies.

  • The right to data portability – individuals may move their data from one service provider to another of their choosing.

When asked for a transfer, the company must provide the data in a structured, commonly used and machine-readable format.

  • The right to be informed – individuals are entitled to details of when and how their data is collected and for what purpose. This information must be given at the time of collection, and consent, where it is the lawful basis, must be obtained before the data is compiled.
  • The right to rectification – people have the right to have inaccurate data corrected and incomplete data completed.
  • The right to restrict processing – people can require that their data be held but not otherwise processed, for example while its accuracy is disputed.
  • The right to object – data subjects must be told that they have the right to object to the processing of their data.

This means people can stop companies from processing their data for direct marketing purposes. Once an individual objects to processing for marketing, the company must stop that processing immediately and without exception.

  • The right to be notified of a data breach – where a breach is likely to result in a high risk to individuals’ rights and freedoms, those individuals must be informed without undue delay. The 72-hour deadline applies to the controller’s notification to the supervisory authority, not to the individuals affected.
