ICO issues notice of enforcement action against Experian

The investigation established that the credit reference agencies had processed personal data and this data was then used for direct marketing purposes without data subjects’ knowledge. In particular, the ICO discovered that significant ‘invisible’ processing had been carried out, whereby the data subjects concerned were unaware that the credit reference agency were collecting and processing their personal data, contrary to UK data protection law. Some of the agencies were also using profiling techniques to generate new or previously unknown information about users, which can be be invasive of a data subject’s privacy.

Other breaches of privacy law included failing to clearly explain what the agencies were doing with personal data, and incorrectly using lawful bases for processing data (such as collecting data under the lawful basis of consent but processing the data under the separate lawful basis of legitimate interests).

Following the ICO’s intervention, Equifax and TransUnion made sufficient improvements to their data processing and direct marketing systems, and so the ICO has ceased taking further action against them. However, the ICO deemed Experian’s attempts to improve its practices to have been insufficient to avoid enforcement action. Experian denied that they were required to adopt the ICO’s requested changes and were not willing to issue privacy information directly to individuals nor to cease the use of credit reference data for direct marketing processes.

As a result, the ICO has issued an enforcement notice against Experian obliging it to make further changes to its data protection practices or face further action, which could include a potential fine of up to £20m or 4% of its total annual worldwide turnover (which was $5.179 billion for Financial Year 2020) meaning a maximum potential fine of up to $207,160,000 (approximately £161 million). Experian has nine months to enact the required changes, subject to any appeal.

What to do now

This case makes clear to organisations the importance of ensuring that strict data protection policies are implemented and adhered to in order to guarantee the safeguarding of individuals’ data. In particular, it should be clearly and fully explained to customers when their data is being processed and for what purposes, while organisations should be dedicated to only processing data on the lawful basis under which it is initially collected. If you haven’t already, you should review your data processing record and ensure that you are processing personal data on the lawful basis that you have identified and that your privacy policies are clear as to what, why and how you are processing an individual’s personal data.

Click here for the statement from the ICO.

Our services

Ward Hadaway regularly advises organisations in a variety of sectors on complying with data protection law and our team of data protection experts are experienced in dealing with these types of issues. For more details on how we can help you, or for guidance in relation to any of the issues raised, please get in touch.