Experian has been selling millions of people’s personal information without their consent, the UK’s data protection watchdog has found.
An ICO (Information Commissioner’s Office) investigation revealed that the credit reference agency has been selling personal data to political parties and organisations that used it to identify those who could afford products and services.
Although Experian has made efforts to improve its practices, the ICO says further improvements are necessary. It has given the organisation nine months to make appropriate changes, with the threat of a GDPR (General Data Protection Regulation) penalty looming.
With the power to issue fines of up to 4% of an organisation’s annual global turnover, the ICO could theoretically penalise Experian £169 million.
Experian said it will appeal against the ICO’s ultimatum.
Fundamental changes are needed
The ICO’s two-year investigation found that Experian used personal data in several ways that customers weren’t aware of.
Under the GDPR, organisations must explain to individuals why their personal data is being collected and limit the use of the data to that purpose.
Experian has until July 2021 to make “fundamental changes” to the way it processes and uses personal data if it is to avoid a fine.
The ICO found that the other two major credit reference agencies – Equifax and TransUnion – also had committed similar violations, but they don’t face further action because they adjusted their processes following a warning.
According to the ICO’s report, the three organisations between them had access to the data of almost every adult in the UK, which was then “screened, traded, profiled, enriched, or enhanced to provide direct marketing services”.
This resulted in “products that were used by commercial organisations, political parties and charities to find new customers and build profiles about people.”
Commenting on the investigation, Information Commissioner Elizabeth Denham said:
The data broking sector is a complex ecosystem where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little of no choice or control over their personal data.
The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.
What changes must Experian make?
The ICO’s notice requires Experian to improve its privacy notice to make it clear what personal data is collected, where it has come from, what it is being used for, or who the data is being sold to and why.
The organisation also has until January 2021 to stop using personal data that was obtained from the credit referencing side of its business for other purposes.
This includes its current practices of screening out prospective customers from marketing lists based on their financial status.
Experian must also delete any data supplied to Experian under the lawful basis of consent but which is now being processed using the basis of legitimate interests.
Likewise, it must stop processing personal data that has been collected without a lawful basis.