Data protection compliance in direct marketing data broking sector on regulator’s radar

Holly Dobson Holly Dobson 04 November 2020

Wake Smith’s Holly Dobson, expert in GDPR,  looks at the latest enforcement to be handed out.

The Information Commissioner's Office (ICO) has issued a detailed enforcement notice on Experian for failing to improve its compliance with transparency requirements under GDPR and to require it to cease using credit reference data for direct marketing purposes.

This follows a 2 year investigation into how such personal data is used for direct marketing purposes.

It also follows a period of very detailed representations from Experian.

The issue of data protection compliance in the direct marketing data broking sector is very much on the regulator’s radar and is now the subject of a report.

ICO found Experian collected and used personal data in breach of the GDPR's transparency requirements and did not process data fairly and lawfully.

Data provided for credit checks was being used for limited marketing activity and adapted to generate products and services provided to organisations, so called "invisible processing" because the data subjects had not been made aware of those operations and could not have anticipated these ulterior uses of their data.

The ICO also discovered that lawful bases in Article 6(1) of the GDPR for processing data were being relied upon incorrectly.

A detailed review of issues of legitimate interests and also of the granular and informed nature of consent appears in the enforcement notice.

Two other companies, Equifax and the TransUnion companies, were involved in the investigations but made sufficient improvements to their operations in response to the ICO audit.

Experian now has nine months to make changes or risk further action. The notice requires Experian to:

Cease using personal data derived from the credit referencing side of its business for limited direct marketing purposes by January 2021.

Make improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for or who the data is being sold to, and why.

Delete any data supplied to Experian under the lawful basis of consent which is now being processed using a different lawful basis of legitimate interests.

Stop the processing of any personal data that has been collected unlawfully.

Experian apparently intends to appeal.

The findings go far wider than this industry and have significant ramifications for all data controllers relying on the legitimate interests tests, and for those businesses relying on consent. The investigations highlight the importance of the data subject’s information rights and getting the consent wording right.

To find out how Wake Smith can help with this and for further enquiries on data protection please contact [email protected] or call 0114 266 6660.

Tags

Archive

December 20245November 20245October 20246September 20245August 20245July 20243June 20243May 20245April 20242March 20247February 20242January 20248December 20236November 20232October 20233September 20232August 20234July 20232June 20235May 20237March 20234February 20235January 20233December 20225November 20224October 20224September 20223June 20221May 20227April 20223March 20223February 20223January 20224December 20214November 20213October 20214September 20216August 20212July 202111June 20218May 20216April 20212March 20218February 20218January 20219December 20208November 202013October 20208September 20208August 20203July 20208June 202016May 202011April 20206March 202016February 20208January 202011December 20199November 20199October 201911September 20195August 20194July 20196May 20198April 20196March 20193February 20195January 20194December 20186November 20185October 20182September 20185August 20184July 20189June 20184May 201810April 20185March 20184February 20184January 20183December 20175November 20178October 20177September 20179August 20175July 20176June 201710May 20175April 20178March 201711February 20176January 201710December 20169November 20167October 201610September 201610August 20166July 20167June 20163May 20162April 20166March 20162February 20164January 20165December 20153November 20155October 20156September 20156August 20157July 20157June 20157May 20156April 20159March 20156February 201510January 20156December 20145November 20144October 20142September 20143May 20144March 20146February 20144January 20142December 20132November 20133September 20134July 20132June 20132May 20133April 20131March 20133February 20133January 20136December 20121November 20123October 20122August 20122July 20128June 20123April 20123March 20121January 20124December 20112November 20111October 20112September 20113August 20113July 20117June 20119May 20117April 20115March 20119February 20118January 20111December 20101October 20102September 20102August 20103July 20106June 20101May 20102April 20106March 20102February 20103January 20102December 20095November 20092October 20092September 20092August 20091July 20095June 20095May 20093April 20093March 20093February 20091January 20092November 20082October 20082September 20081August 20083July 20081January 20082

Featured Articles

Contact us