6 May 2026

Data Brokers: Key Considerations For Organisations

Contributor: ENS

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
By Priyanka Raath, ENS

Data brokering is not new; the Facebook/Cambridge Analytica saga made that clear. What has changed, however, is the regulatory landscape. With more data in circulation than ever and AI hungry for personal information, organisations need to understand the rules of engagement.

What is data brokering?

A data broker collects personal information and sells, licenses or shares it with third parties. The individuals whose data is traded typically have no relationship with the broker – and may not even know their information is being handled this way. Brokers source data from loyalty schemes, social media, cookies, mobile apps and purchased datasets.

Before the internet, direct marketers built mailing lists from public records and surveys. Credit reference agencies have operated for over a century. But the digital era has dramatically increased the granularity, volume and accessibility of broker data. A modern broker may hold thousands of data points on a single person – demographics, purchasing habits, health indicators, location history and inferred behaviours.

Do you buy or receive databases (even within your own company group)?

Selling personal data is not unlawful. But many organisations interact with data brokers without appreciating the privacy implications. Buying a marketing database seems straightforward – yet it raises significant compliance questions you ignore at your peril.

Lawful basis and transparency. Under the Protection of Personal Information Act, 2013 (“POPIA”) (and virtually any privacy law), processing personal data requires a lawful basis. When you buy a database, you must confirm the data was collected lawfully and that a valid basis exists for onward transfer. Consent must be specific, informed, and cover the sale to third parties. Legitimate interests require a genuine balancing exercise and documented assessment. Data subjects must receive proper notification – either at original collection or within a reasonable period after you acquire it.

Due diligence on data provenance. Before buying or receiving shared data, investigate its source: How was it collected? What were data subjects told? Were appropriate consents obtained? Is it accurate and current? Ignorance is not a defence – regulators have made clear that organisations acquiring improperly sourced data face direct liability.

Data sharing arrangements. Beyond purchases, many organisations share data with partners or affiliates for joint marketing or analytics. Each arrangement needs appropriate contracts, clear processing roles (responsible party/operator), and transparent privacy notices. Conduct a personal information impact assessment (“PIIA”) where sharing involves large-scale profiling or combining datasets that could yield unexpected insights.

The AI dimension

AI systems are hungry for data. Increasingly, organisations turn to brokers or aggregated datasets to fuel customer analytics, fraud detection, predictive modelling and automated decision-making.

This raises several issues. Using brokered data to train AI may be a new purpose not contemplated at collection – undermining your lawful basis. The opacity of AI systems makes it hard to provide meaningful transparency to data subjects. And where AI drives significant decisions (credit scoring, insurance pricing, recruitment), brokered data inputs compound risks of inaccuracy, bias and discrimination. Incomplete or outdated source data means flawed outputs.

The regulatory focus on AI governance is intensifying. Government’s draft National AI Policy (see our recent article on this) emphasises transparency, fairness and accountability. The direction is clear: organisations must demonstrate that data feeding their AI systems was sourced responsibly and processed lawfully.

Four practical steps: What should your organisation do?

  1. Establish robust procurement processes for acquiring personal data – ramp up your due diligence questionnaires.
  2. Review existing data sharing arrangements – especially where data is being repurposed for AI or advanced analytics.
  3. Conduct PIIAs for large-scale brokered datasets, combined data sources, or AI use cases.
  4. Stay ahead of regulatory developments – proactive compliance beats reactive damage control.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
