ICO issues enforcement notice against Experian
October 27th 2020 saw the Information Commissioner issue an ‘Enforcement Notice’ against Experian
Corpdata’s David Smith explains…
ICO did this under DPA18, for Experion’s processing of personal data for ‘offline marketing services’. The notice covers 3 substantive issues:
– Fair and transparent processing
– Article 14 GDPR (Failing to notify data subjects about Experian’s processing of their personal data)
– Failure to properly assess the lawful basis of processing
The ICO chose enforcement rather than fines because it assessed it was the “most effective and proportionate way to achieve compliance”.
Two year investigation
This followed a 2 year ‘Investigation into data protection compliance in the direct marketing data broking sector’. This document looks at how credit reference agencies have also been processing and supplying data for direct marketing.
The ICO recognised:
The data broking sector provides a valuable service to support organisations across the UK. Despite this they stated: data brokers must comply with data protection law.
Experian, a titan of the data world, fully cooperated with the ICO in the investigation. Experian believed they had prepared thoroughly for GDPR and the new compliance regime, yet the ICO nonetheless perceived weaknesses.
So, if you conduct direct marketing, you should be aware of the themes of non-compliance the ICO highlighted, they demonstrate areas of concern and likely enforcement.
Transparency and fairness
You must provide the information required by Article 14 of GDPR, now commonly known as a Fair Processing Notice, to each data subject. It must explain all the processing you undertake in clear and simple terms.
Processing of data for other purposes
You must only process personal data for the purposes you have told the data subject about.
Lawful basis for processing
There are really only 2 suitable bases for processing for direct marketing purposes, “consent” or “legitimate interests”. You must choose the correct one, and you must only use it in the way you have chosen. Any consent you rely upon must meet GDPR requirements for valid consent.
Legitimate interest assessments
These assessments allow you to show you have impartially considered your legitimate interests against the risks to the rights and freedoms of data subjects. You should always conduct these and retain the evidence. (Please note: if you license data from Corpdata, we will normally help you to produce a draft Legitimate Interest Assessment free of charge!)
Other things we learn:
Honeytraps and online ‘publicly available personal data’
The ICO has undertaken proactive investigative work by “seeding personal data online” to show how data was obtained and used.
If you harvest online information you may stumble across these ‘honeytraps’. If you process personal data harvested online or process publicly available personal data, you must always provide a Fair Processing Notice to the data subject.
Proportionality
Experian tried to assert it would require a disproportionate effort to provide a Fair Processing Notice to all data subjects (about 50 million). The ICO disagreed. You may not rely upon this argument, especially where the processing is likely to be ‘unexpected’ by the data subject.
Due diligence
The ICO is also keen to educate, so have published information for customers of data broking services, including a non-exhaustive approach to due diligence. (If you would also like to see the advice about choosing a data supplier Corpdata produced in 2017, visit our website.)
How to use direct marketing data safely, and productively, in a recession
Corpdata have created a white paper on ‘Direct marketing in a recession’. It covers key topics including compliance, but also how to ensure you derive a good return from your investment. This is particularly important when every penny counts.