The ICO has issued a warning to Experian that it is in breach of GDPR and has 9 months to stop misusing personal data or face a massive fine.
If you've ever applied for a loan or credit card, you will have undergone a credit check to confirm that you can meet the repayments. Data on your finances is stored by credit reference agencies, which pass that information to banks, commercial lenders, and other businesses in order to approve or deny applications for finances.
Companies such as Equifax and Experian offer people the ability to view their credit report and credit score, which may help show any outstanding problems they can solve in order to improve their chances of getting credit. The problem is that their data collection and processing has always been done without obtaining consent or informing people of what's happening to their data.
RELATED: ICO publishes new online Code of Practice to protect the privacy of children
The UK Information Commissioner's Office (ICO) has now issued an enforcement notice to Experian following a two year investigation into the company's data processing. The investigation began following a complaint from campaign group Privacy International about the data broking practices of Equifax and Experian, and the ICO also investigated TransUnion.
All three credit report agencies were found to be trading in, enriching, and enhancing people's personal data without their knowledge or consent. The final products were then sold to commercial organisations, political parties, or charities, and were used for targeted marketing toward people who could afford certain goods and services.
RELATED: British Airways data breach fine reduced dramatically in light of Covid-19
The ICO reports that Equifax and TransUnion had made improvements to their data handling procedures and have withdrawn some products and services that breached data privacy laws, and the ICO is no longer taking action against those agencies. Experian has has been given formal notice that it has 9 months to do the same or it will be fined up to £20m or 4% of the company's annual worldwide turnover under GDPR legislation.
Source: ICO
