Back in December 2018, the ICO fined a company £200,000 for spam text messaging. This is a pretty hefty fine and will probably close down that company. Their crime (and this is of course a crime as well as being very annoying to the recipients) was due to the company not having the consent of the people they were messaging. This is a problem under PECR as well as GDPR so they were lucky to get away with a fine of £200,000.
If you are sending marketing messages, you absolutely must, make sure that you have consent from the recipients or that you have a soft-optin (under DPA terms) or an alternative lawful basis (under GDPR terms). If you buy data from a third party there is little chance that you will have the appropriate consent or lawful basis which is likely to result in complaints, investigations, enforcement action, and a huge fine.
Don’t risk it! Make sure you are 100% confident that you have consent or a lawful basis - make sure you have evidenced your due-diligence and have all the supporting documentation you might need.
If a data broker tells you their data is 100% GDPR compliant then I am afraid they are probably lying (mistaken, ill-informed, inaccurate, optimistic, naive — you choose).
Want to discuss? Feel free to call us anytime.
Good luck all.