Following a two-year investigation into the data processing activities of the credit reference sector, the Information Commissioner’s Office (“ICO”) has issued an Enforcement Notice against the credit reference agency Experian.  An Enforcement Notice is issued under Article 58.2 of GDPR and is a formal notice ordering the controller to bring processing operations into compliance with the provisions of GDPR in a specified manner and within a specified period.  Failure to comply can lead to a fine of up to £17.5 million.

The ICO was investigating complaints made by data protection rights and pressure groups about the use of personal data for data broking purposes.  Credit reference agencies enjoy a favoured position as regards obtaining personal data about mortgages, loans and credit cards and how individuals manage their debts.  Lenders routinely send that data to the agencies and it is used to build a picture of individual creditworthiness.

However, credit reference agencies are also involved in data broking.  The ICO found evidence that data obtained as part of the statutory credit reference activity was being used for direct marketing purposes, contrary to the “purpose limitation” principle.  It also found that the Privacy Notices of the agencies were not transparent, with data enrichment programmes effectively being “invisible” to data subjects, in breach of the “transparency” principle, and that the agencies were incorrectly using the lawful bases for processing.

The other credit reference agencies investigated withdrew certain products and made improvements to their data handling processes.  Experian made some improvements but did not accept the ICO’s contention that it should issue Privacy Notices directly to data subjects, nor that it should cease using personal data supplied for credit referencing purposes for its own direct marketing purposes.  This led the ICO to issue the Enforcement Notice.  Experian now has a few months to change its ways or face further penalties.

Sometimes it is clear that data processing activities are shady or downright unlawful, but there are technical aspects to data protection law, particularly around the grounds for lawful processing, that can confuse businesses and even lead them to avoid the issues.  At Data Protection Consulting we specialise in data protection and our message is “don’t avoid it, outsource it”.  Let the specialists take the strain for you.  Give us a call if you think we can help.

Mandy Webster, Data Protection Consulting