Picture this – you are looking to buy your first house – you get your credit score checked by Experian – you have heard of them, maybe seen some advertising on TV, and so you go ahead. Little would you think about what Experian may be doing with your data without your knowledge/consent because there are regulations that they must follow – surely?
Experian and other credit reference agencies collect and process vast amounts of personal data in order to carry out credit checks as well as parts of their other services; ‘We gather, analyse, combine and process it to help people and organisations achieve their goals’. Yet does this mean that you as a consumer are intending for your personal information to be traded, enriched and enhanced without your knowledge or consent for marketing purposes?
The answer, more often than not, is no.
You most likely do not want the company sharing your information with third parties purely for their own marketing gain, even more so without your consent to boot.
This processing of your personal data by Experian resulted in products which were used by commercial organisations such as political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people. The UK Data Protection Regulator , the Information Commissioners Office (“ICO”) found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. ‘Invisible’ because the individual data subject is not aware that the organisation is collecting and using their personal data. This is against data protection law.
The Data Protection Act (DPA) and General Data Protection Regulation (GDPR) initiated a new approach to personal data and the transference of such data. It had 7 main aims/principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
These aimed to guide and regulate organisations to allow for individuals to have greater access to their data and to be able to understand what companies could and could not do with it.
Experian, failed to be transparent – outlined under Article 5 GDPR; this is because they were using ‘invisible’ processing of personal data and therefore were not being clear to data subjects, as to what their personal data was really being used for. g. The regulator found that personal data provided to Experian, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.
The ICO ordered Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover. The enforcement notice followed a two-year investigation by the ICO into how Experian used personal data within their data brokering businesses for direct marketing purposes. The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.
At the same time that the ICO were investigating Experian, other credit reference agencies (CRA) were being investigated for similar reasons, only along with transparency some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive. It is not revealed in the report as to whether Experian were also using profiling within their processing. This highlights the potential need for further regulating of these providers to ensure that there is compliance at all times in regards to both UK GDPR as well as the UK Data Protection Act (DPA). Similarly investigations such as this open consumer eyes as to what goes on ‘behind closed doors’ of companies in regards to their data and how it is used. Outgoing UK Information Commissioner Elizabeth Denham has remarked: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”
It is safe to say that certain reports and investigations that your data is being used for purposes that you did not consent to will have had an impact on the company itself – with its reputation severely tarnished.