NEWS 28 October 2020

ICO orders Experian to change handling of personal data


UK – Credit reference agency Experian has been issued with a data protection enforcement notice over how it handles personal information within its direct marketing services.


The order follows a two-year investigation by the Information Commissioner’s Office (ICO) into how Experian, Equifax and TransUnion used personal data within their data broking businesses.

The regulator found that ‘invisible processing’ of personal data had taken place across the three companies, with individuals unaware that their data was being collected and used, which is a breach of data protection law.

Equifax and TransUnion have made improvements to their direct marketing services as a result of the probe, the ICO said, so it is not taking any further action against them.

The ICO ruled that Experian had made progress in improving compliance but that it did “not go far enough”. The enforcement notice relates to the company’s processing of personal data in the provision of offline marketing services. 

Experian has said it will appeal.

The notice issued by the ICO requires Experian to let people know that it holds their data and how it is using, or intends to use, that data for marketing purposes. The company has until July next year to do this, subject to any appeal.

Experian has also been ordered to stop using personal data derived from the credit referencing side of its business by January 2021; according to the regulator, it currently uses this data for limited direct marketing purposes.

If the company does not make the changes, it could face a fine of up to £20m or 4% of its total annual worldwide turnover.

Information commissioner Elizabeth Denham said: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.” 

In a statement posted on Experian’s website, Brian Cassin, chief executive officer, said: “We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”