Credit reference agency Experian could be facing a major fine after they were found to be breaching GDPR guidelines.
The UK’s Information Commissioner’s Office (ICO) have warned the firm that they have nine months to comply with an enforcement notice or face what could be a huge fine. The regulator found that Experian were illegally using customer data for marketing purposes, selling data to businesses to identify who could afford their goods and services.
The ICO revealed in a new report that the action comes after a two-year investigation into the activities of the three big credit referencing agencies: Experian, TransUnion and Equifax.
Following the investigation, all three companies were found to be “trading, enriching and enhancing” customers’ data without their knowledge. The data was then sold on to businesses who were able to use it to build a profile of the consumer and assess their ability to afford their products. They were also found to be using the data in their own direct marketing.
Equifax and TransUnion have both made improvements to their data practices; however, Experian refused, which is why they now face the enforcement notice. The notice states that by July 2021 they will need to inform customers that they hold their data and how they intend to use it. They have until January 2021 to stop using data derived from credit checks for direct marketing purposes.
Experian have said they plan to appeal the notice.
If they do not comply with the notice, they face fines of up to £20 million or 4% of their global turnover, whichever is higher.
The original investigation was prompted by a complaint made by campaign group Privacy International. The group’s Executive Director, Gus Hosein, said that, following the UK investigation, other countries should carry out their own.
“As the UK regulator notes, people don’t even know the names of most of these companies and yet they hold everyone’s data. We believe the deck is stacked against people and this can’t continue,” he said.
Dublin-based firm Experian said in a statement: “We believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, especially as they try to recover from the Covid-19 crisis.”
The ICO claimed that they failed to clearly explain what they were doing with people’s data, a clear breach of General Data Protection Regulation (GDPR) guidelines.
Information Commissioner Elizabeth Denham said: “The data broking sector is a complex ecosystem where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data.”
These sentiments have been echoed by the experts at Quadrin;