The UK’s data watchdog has issued credit agency Experian an enforcement notice requiring changes to how it handles personal data, after it emerged that the company had been “trading, enriching and enhancing” individuals’ data without their knowledge.
The Information Commissioner’s Office (ICO) instructed Experian Limited to make “fundamental changes” to the way it handles personal data, which the ICO said was in breach of the General Data Protection Regulation (GDPR).
Credit reference agencies collect information related to an individual’s credit score, which can influence your ability to be given credit.
The ICO’s decision follows a two-year investigation into how Experian, Equifax and TransUnion use personal data within their data broking businesses for direct marketing. As a result of improvements made by all three, the ICO is taking no further action against Equifax and TransUnion, but found that despite improving compliance, Experian “did not go far enough”.
The ICO found that Experian and the other two credit referencing agencies had been engaging in ‘invisible’ data processing, and that the gathering and selling of individuals’ data without their knowledge resulted in “products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people”.
The data watchdog said that the organisations had not been transparent enough about their data broking practices and that this could affect millions of adults in the UK.
Data commissioner Elizabeth Denham said that the data held for credit referencing purposes had been “unlawfully” used.
Experian has now been given an enforcement notice requiring it to make changes within nine months or “risk further action”, which could include a fine of up to £20m or 4% of its annual worldwide turnover.
Under the notice, Experian is required to tell individuals that it holds their personal data and to inform them of how it uses or intends to use that data for marketing purposes.
It is also required to stop using personal data gathered from the credit referencing part of its business by January next year.
Experian has announced that it will appeal the ICO’s decision.
Reaction to Experian ICO order
Iain Lovatt, chairman and co-founder at marketing firm BlueVenn, welcomed the ICO’s decision:
“The data industry has been under the spotlight for a number of years, and this incident brings forth the importance of data privacy once again. Credit agencies are in a privileged position of collating personal data for the purpose of credit referencing. I welcome the ICO intervention into the way companies like Experian have used this collected information for marketing purposes. No organisation should feel they are exempt from the legislation that is there to protect consumers.
“This incident further highlights the fact that there is still a long way to go when it comes to data hygiene, enhancement and best practices. Organisations must understand that failure to handle data appropriately can lead to stark reputational damage and, at worst, financial penalties.”
Nick Turner, vice president EMEA at Druva, said that other companies could also be handed large fines in the near future:
“While it can be easy to turn a blind eye when we don’t feel directly violated, Experian’s processing of invisible data means our details are being ‘traded’ without prior knowledge or the ability to opt out.
“Unfortunately, data protection should be much simpler than it is. GDPR was introduced to establish a data security baseline that all organisations must adhere to – but two years on, many companies still believe that the rules are open to interpretation. To set the record straight, they are not. GDPR is not one rule for one, and one rule for another.
“Over the past month or so, we’ve seen more companies facing large fines for failing to get their data management strategies right, and no doubt we will continue to see more. The way data protection is implemented needs to change.”