Wake Smith’s Holly Dobson, expert in GDPR, looks at the latest enforcement to be handed out.
The Information Commissioner's Office (ICO) has issued a detailed enforcement notice against Experian for failing to improve its compliance with transparency requirements under GDPR. The notice also requires Experian to cease using credit reference data for direct marketing purposes.
This follows a two-year investigation into how such personal data is used for direct marketing purposes.
It also follows a period of very detailed representations from Experian.
The issue of data protection compliance in the direct marketing data broking sector is very much on the regulator’s radar and is now the subject of a report.
The ICO found Experian collected and used personal data in breach of the GDPR's transparency requirements and did not process data fairly and lawfully.
Data provided for credit checks was being used for limited marketing activity and adapted to generate products and services provided to organisations. This is so-called "invisible processing", because the data subjects had not been made aware of those operations and could not have anticipated these ulterior uses of their data.
The ICO also discovered that lawful bases in Article 6(1) of the GDPR for processing data were being relied upon incorrectly.
A detailed review of issues of legitimate interests and also of the granular and informed nature of consent appears in the enforcement notice.
Two other companies, Equifax and the TransUnion companies, were involved in the investigations but made sufficient improvements to their operations in response to the ICO audit.
Experian now has nine months to make changes or risk further action. The notice requires Experian to:
Cease using personal data derived from the credit referencing side of its business for limited direct marketing purposes by January 2021.
Make improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for or who the data is being sold to, and why.
Delete any data supplied to Experian under the lawful basis of consent which is now being processed using a different lawful basis of legitimate interests.
Stop the processing of any personal data that has been collected unlawfully.
Experian apparently intends to appeal.
The findings go far wider than this industry and have significant ramifications for all data controllers relying on the legitimate interests tests, and for those businesses relying on consent. The investigations highlight the importance of the data subject’s information rights and getting the consent wording right.
To find out how Wake Smith can help with this and for further enquiries on data protection please contact [email protected] or call 0114 266 6660.