The UK government has recently initiated a significant consultation on the data broking industry, aiming to explore potential security risks posed by hostile actors, including cyber criminals. This effort, spearheaded by the Department for Science, Innovation and Technology (DSIT), is part of a broader strategy to ensure the safe development and deployment of new technologies across the UK, amid rising public concerns about data security.
Launched on March 18, 2025, the consultation targets organizations participating directly or indirectly in data broking, including those not typically recognized as such. For example, supermarkets selling customer data to third parties are included, even though data broking is not their primary business model. DSIT seeks insights from this diverse range of stakeholders to establish comprehensive policies safeguarding consumer data and addressing national security risks.
According to the government, data brokers—businesses primarily dedicated to collecting personal information and selling it to other firms—represent potential security liabilities. "The UK government is seeking views to understand more about organizations involved in data broking and the wider industry," remarked DSIT. Those concerns are justified: the extent of sensitive data these brokers hold makes them enticing targets for cybercriminals.
Data breaches linked to data brokers are not uncommon. Notably, Florida-based National Public Data suffered a severe leak last year, impacting 1.3 million individuals. Similarly, Gravy Analytics, another U.S. data broker, reported that cyber criminals claimed to have stolen 17TB of data from its systems this year.
"The lackluster security measures employed by many data brokers have facilitated these leaks," explained industry experts. With the introduction of the Data (Use and Access) Bill (DUAB) progressing through Parliament, the timing of this consultation could not be more pertinent. The new legislation is portrayed as more business-friendly compared to previous data protection regulations, yet it still aims to uphold stringent data security standards akin to those of the General Data Protection Regulation (GDPR).
Another significant aspect of DUAB is its proposal to create data intermediaries—trusted third parties facilitating data sharing under smart data schemes. These intermediaries differ fundamentally from data brokers. While brokers do not rely on the individual’s consent when sharing data, intermediaries are expected to operate with the individual’s agreement, guaranteeing protection and ethical handling of their information.
DSIT has highlighted the distinction between data brokers and data intermediaries. They indicated, "Data intermediaries are one way of facilitating the right to data portability, as they can enable data subjects to port their data from one data controller to another, acting on a data subject's behalf or interest. Data brokers, presumably, do not operate under similar stipulations." This focus on operational differences is particularly relevant as the UK government grapples with data security risks posed by brokers.
Recent discussions within DSIT have revealed the need for improved security insights from the data broking sector. The government plans to explore what other international legislation data brokers comply with and the existing measures ensuring data is only accessed by trusted actors. The primary aim remains to bolster the UK’s defenses against data-related national security threats.
The call for views seeks contributions until May 12, 2025, and DSIT encourages stakeholders from across the spectrum—academics, advocacy groups, and industry insiders—to share their insights and experiences related to data broking. With issues of data protection becoming ever more pivotal, the government’s inquiry could lead to significant policy shifts governing how data is exchanged and secured.
Interested parties have until the aforementioned deadline to submit their feedback. The results of the consultation are expected to provide valuable insights, shaping the future framework for data protection and usage legislation, and ensuring the industry sustains both growth and security.