How is Experian getting ready for GDPR?
With the General Data Protection Regulation (GDPR) only months away, you may have some questions about what Experian is doing to prepare for GDPR. We will be updating our FAQs regularly, so please check in for the latest information.
- Has Experian commenced a GDPR readiness programme and, if so, what is its current status?
Data protection compliance is fundamental to our business and, as a result, Experian has taken a keen interest in GDPR since the draft text was first released several years ago as part of the EU’s legislative process. Since then, we have been working diligently with industry, clients and our internal stakeholders to assess the potential impact of GDPR on our business and on the industry more generally, and to identify the changes that will need to be implemented to comply with the enhanced requirements set out in GDPR. Our GDPR readiness programme has been under way for some time and is now in its implementation phase.
This means that we are working to a project plan that encompasses the major data assets across our UK business. It includes controls to review our processes, policies and internal documentation against the GDPR accountability standards. To support our clients in managing their GDPR compliance, and to ensure continued delivery of our services to them, we have also recently released GDPR standard contract terms that meet the Article 28 processor requirements and that will apply where Experian acts as a processor.
We recognise the importance of good, well regulated data protection in a modern society, and we are pleased to note that the final wording of GDPR does not contain anything which would, at a fundamental level, prevent Experian from offering the services that it does: services which are essential to consumers and organisations in their interactions with each other.
- Is Experian’s GDPR readiness programme sponsored by the Executive Team?
Yes. As a data business, compliance with data protection legislation is crucial to us, and our Executive Team is fully supportive of, and engaged with, our GDPR readiness programme, which is sponsored by Experian’s Chief Risk Officer.
- Has Experian appointed a Data Protection Officer?
We have not yet appointed a Data Protection Officer for the UK business but are working towards an appointment being made prior to 25 May 2018. Once the appointment has been made, their contact details will be available on our website www.experian.co.uk.
- When does Experian expect to be compliant with GDPR requirements?
Experian’s GDPR readiness programme for the UK is well underway. A gap analysis has been completed for all business areas and we are now implementing necessary changes. We have, for some time now, been working with all business areas and stakeholders with a view to moving our business towards compliance with all GDPR requirements ahead of the 25 May 2018 deadline.
- How will Experian ensure that it maintains compliance with the requirements of GDPR, on an ongoing basis, post GDPR?
We see our GDPR programme as the first phase of a long term plan. As is the case for all organisations processing personal data, the important factor is not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.
We already have robust processes and procedures in place to manage compliance with existing data protection legislation and, as part of our GDPR readiness plan, we have reviewed those processes and procedures to ensure that they are fit for purpose under the new regime.
- Will Experian be able to continue to provide the same services as it does today post GDPR? What products and services from Experian will be impacted by GDPR and how?
As mentioned above, as part of our GDPR readiness programme we are working through all products, services and data processing activities undertaken by Experian in order to identify what, if any, changes will need to be implemented prior to 25 May 2018. This project is ongoing; however, as mentioned above, GDPR does not contain anything which, at a fundamental level, would prevent Experian from providing the services it does.
- Has Experian engaged with its material suppliers and service providers to gauge their state of preparedness for GDPR implementation?
Engaging with material suppliers is an important aspect of our GDPR readiness programme. We have, for many months, been engaging with suppliers and will continue to do so during the run up to 25 May 2018.
- Has Experian implemented processes and procedures to be able to comply with the data subjects’ rights provided for in GDPR?
Experian has many years of experience in dealing with high volumes of consumer requests in relation to credit files. Part of our GDPR readiness programme has involved assessing the processes and systems we already have in place to comply with rights currently available to data subjects under the Data Protection Act 1998. As part of this assessment we have also identified what, if any, changes will need to be implemented to ensure that we can, from 25 May 2018, comply with the enhanced rights set out in GDPR.
It is worth noting that some of the data subject rights available under GDPR are not absolute rights and, in many circumstances, will not arise. By way of example, whilst we will respond to all data subject requests received on a case-by-case basis, in relation to credit file data processed under the legitimate interests processing condition, provided that the data recorded is accurate and up-to-date, the right to erasure will not generally apply, as there will continue to be an overriding legitimate ground for this data to be maintained.
As part of the transparency requirements, we will be working to ensure that individuals are aware of, and understand, when these rights apply and when they do not.
- What is Experian doing to ensure that it complies with the enhanced information requirements set out in GDPR?
Experian fully supports the drive towards greater transparency. Our corporate strategy seeks to put our customers at the heart of everything we do, and being open and transparent is a crucial element of achieving that.
We are working with all stakeholders within our business, industry bodies, suppliers and clients with a view to ensuring that all privacy notices and data collection notices/journeys that feed into our business will be compliant with these requirements in advance of the 25 May 2018 deadline. We have also been engaging with the Information Commissioner’s Office (“ICO”) to ensure that the approach being taken is in line with the ICO’s expectations, particularly in the critical area of credit information transparency.
If you are a lender, please also see FAQ below ‘Will there be any changes required in terms of Fair Processing Notices in order that consumer data can be used for credit assessment purposes? What will the changes entail?’
- What is Experian’s view on the ICO’s Guidance on consent and how will it, if adopted in its current form, impact Experian’s business?
Experian welcomes any Guidance issued by the ICO which aims to help organisations understand the requirements of GDPR and how they will be interpreted in practice.
We also welcomed the opportunity to respond to the ICO’s consultation on this highly important aspect of GDPR.
We welcome the ICO’s promotion of, and express support for, the use of the legitimate interests processing ground, where appropriate, as an alternative to consent.
On the whole, the Guidance was in line with our expectations, apart from the requirement to name all third parties with whom personal data would be shared. Our view is that this requirement, if applied, could create significant challenges, including for SMEs and start-up businesses that do not have an existing database of prospective customers with whom they can engage to generate sales.
We now look forward to seeing the final Guidance on Consent which we understand will be available in December 2017, as well as its forthcoming Guidance on Legitimate Interests.
- Does Experian have processes in place to ensure that it can detect, investigate and report data breaches in accordance with GDPR requirements?
Yes. The security of all data (including personal data) that we hold is highly important to us. Not only do we implement data security measures to protect it, but we also have processes and procedures in place to ensure that, in the event of a breach, it will be detected, investigated and managed efficiently.
- Does Experian conduct Privacy Impact Assessments and, if so, in what circumstances?
Privacy Impact Assessments have, for a number of years, been promoted by the ICO as a good practice measure. As a responsible data company, Experian already conducts Privacy Impact Assessments as part of the compliance approval process for any new initiatives, or changes to existing products/services, which are likely to have an impact on privacy.
- In the context of the GDPR provisions relating to automated decisions and profiling, does Experian have a view on what exactly is a “legal effect” or “similarly significant effect”?
GDPR itself seeks to shed some light on this question and gives some examples of decisions that are likely to satisfy this threshold. The examples given are the automatic refusal of an online credit application or e-recruiting practices.
We look forward to hearing further from the ICO on this matter, but our view is that, in order for any activity to fall within these criteria, a certain threshold of materiality must be met.
- Will there be any changes required in terms of Fair Processing Notices in order that consumer data can be used for credit assessment purposes? What will the changes entail?
As part of our drive towards complying with the enhanced information requirements set out in GDPR, we have worked through all of our data processing activities to re-affirm the processing condition that is relied upon to legitimise each instance of processing of personal data. We have also taken steps to ensure that we are aware of, and communicate to all data subjects whose personal data we process, the purposes for which their personal data will be processed.
We are currently working with the other main CRAs, major trade associations and lenders, and have engaged with the ICO, to produce updated GDPR fair processing notices for use by credit providers. We are working with industry with the aim of agreeing these notices by early autumn 2017.
FAQs published August 2017
If you have any queries, please don't hesitate to contact us and a member of our team will be happy to help.
Call us on 0844 481 9914 or email us with your enquiry.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.