Experian faces GDPR action after ICO finds ‘widespread data protection failings’

UK watchdog gives Experian nine-month ultimatum to change 'illegal' business practices or face punishment


The Information Commissioner’s Office (ICO) has ordered credit rating giant Experian to stop profiting from the secretive enriching and processing of people’s personal data or face a massive GDPR fine.

The UK data regulator has reprimanded the company after uncovering a large-scale data broking operation across the entire credit reference industry, with all three credit reference agencies (CRAs), Experian, Equifax and TransUnion, found to have engaged in unlawful practices.

The investigation found the three firms were trading, enriching and enhancing people’s personal data without their knowledge or consent. This resulted in products which were used by third-party commercial organisations to find new customers, identify those who were most likely to be able to afford products, and build individual profiles around people. Such services were also used by political parties and charities.

This “invisible” processing likely affected millions of adults in the UK and breaches data protection law, the ICO concluded in its report, the result of a two-year investigation into the sector that followed an initial complaint in 2018.

The data regulator uncovered “widespread and systemic data protection failings” across the entire CRA sector, which it found is particularly concerning in an industry entirely dependent on personal data. 

Of particular concern is the way these companies were using profiling to generate fresh or previously unknown information about individuals, which can be extremely invasive and can also have discriminatory effects.

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect,” said Information Commissioner Elizabeth Denham.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

After all three companies were confronted, each made improvements to its direct marketing services business. Equifax and TransUnion made these improvements alongside withdrawing some products and services, so the ICO will be taking no further action against them.

Experian, however, has not gone far enough in making the required changes, so the ICO has issued an enforcement notice giving the company nine months to make the required changes or face a massive fine under GDPR.

The credit rating giant did not accept it was required to make changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals, or stop using credit reference data for marketing purposes. Should Experian continue to dig its heels in, the company could face a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.

“While these companies claim that they can process people's data with or without their consent, today's report has made it clear that the consent relied on to pass on data to third parties was often invalid,” said campaigns organisation Privacy International. “Therefore, the ICO's announcement today about three of the most recognisable data brokers in the ecosystem is an important step forward.

“Every country with data protection laws needs to look at this sector. Every regulator needs to ask what it is doing to protect people from their data being opaquely exploited by 'credit reference agencies' like Experian. As the UK regulator notes, people don't even know the names of most of these companies and yet they hold everyone's data. We believe the deck is stacked against people and this can't continue.”

Experian has hit back, with its CEO Brian Cassin disagreeing with the ICO's judgement and outlining his company's intention to appeal the ruling. 

"At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements," he said. "This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."
