Frequently Asked Questions

Download the FAQs

Experian's GDPR Readiness Programme

As a partner of Experian, we understand that you are likely to have some questions around what Experian has been doing, and is doing, to comply with the General Data Protection Regulation (GDPR). As such, we have produced a series of frequently asked questions which should cover some, if not all, of those questions.

Experian’s approach to GDPR readiness

Data protection compliance is fundamental to our business and, as a result, Experian has taken a keen interest in GDPR since the draft text was first released many years ago as part of the EU’s legislative process. We worked diligently with the industry, clients and our internal stakeholders to assess the potential impact of GDPR on our business and the industry more generally and to identify any changes that needed to be implemented to comply with the enhanced requirements.

We recognise the importance of good, well-regulated data protection in a modern society, and we were pleased to note the final wording of GDPR does not contain anything that prevents Experian at a fundamental level from offering the services that it does, being services which are essential to consumers and organisations in their interactions with each other.

Our GDPR readiness programme is now complete. GDPR compliance is part of business-as-usual and we continue to ensure that GDPR is considered during product development and in our relationships with other organisations.

Yes, as a data business, compliance with data protection legislation is crucial. Our Executive Team have been, and continue to be, fully supportive and engaged with GDPR compliance matters. Experian is acutely aware that the 25th May was the beginning and ongoing compliance with GDPR will be a priority for our business going forward.

Yes, we have appointed a Data Protection Officer. Their contact details are available on our website

We saw our GDPR readiness programme as the first phase of a long term plan. As is the case for all organisations processing personal data, the important factor was not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.

We already had robust processes and procedures in place to manage compliance with existing data protection legislation and, as part of our GDPR readiness plan, we reviewed those processes and procedures to ensure that they were fit for purpose under the new regime.

As mentioned above, as part of our GDPR readiness programme, we worked through all products, services and data processing activities undertaken by Experian in order to identify what, if any, changes needed to be implemented prior to 25 May 2018. As part of this process, some product changes were made and rolled out, however GDPR does not, contain anything which, at a fundamental level, prevents Experian from providing its products and services.

Supplier engagement

Engaging with material suppliers was an important aspect of our GDPR readiness programme. We will continue to engage with suppliers about GDPR as part of business-as-usual.

Enhanced requirements, data subjects’ rights and consent

Experian has many years of experience in dealing with high volumes of consumer requests in relation to credit files. Part of our GDPR readiness programme involved assessing the processes and systems we already had in place to comply with rights previously available to data subjects under the Data Protection Act 1998. As part of this assessment we also identified what, if any, changes needed to be implemented to ensure that we can comply with the enhanced rights set out in GDPR.

It is worth noting that some of the data subject rights available under GDPR are not absolute rights and, in many circumstances, will not arise. By way of example, whilst we will respond to all data subject requests received on a case-by-case basis, in relation to credit file data processed under the legitimate interests processing condition, provided that the data recorded is accurate and up-to-date, the right to erasure will not generally apply. This is because there will continue to be an overriding legitimate ground for this data to be maintained.

As part of the transparency requirements, we have worked hard to ensure that individuals are aware of, and understand, when these rights apply and when they do not, and will continue to do so.

Experian fully supports the drive towards greater transparency. Our corporate strategy seeks to put our customers at the heart of everything we do and, being open and transparent, is a crucial element of achieving that.

We worked with all stakeholders within our business, industry bodies, suppliers and clients to ensure that all privacy notices and data collection notices/journeys that feed into our business were compliant with these requirements in advance of the 25 May 2018 deadline. We also engaged with the Information Commissioner’s Office (“ICO”) to ensure that the approach being taken is in line with ICO’s expectation, particularly in the critical area of credit information transparency.

If you are a lender, please also see FAQ below ‘Will there be any changes required in terms of Fair Processing Notices in order that consumer data can be used for credit assessment purposes? What will the changes entail?’.

Experian welcomes any guidance issued by the ICO which aims to help organisations understand the requirements of GDPR and how they will be interpreted in practice.

We also welcomed the opportunity to respond to the ICO’s consultation on this highly important aspect of GDPR.

We welcome the ICO's promotion and express support for use of the legitimate interests processing ground, where appropriate, as an alternative to consent.

We also welcome the ICO’s more recent Guidance on Legitimate Interests.

Yes, the security of all data (including personal data) that we hold is highly important to us. Not only do we implement data security measures to protect it but we also have processes and procedures in place to ensure that, in the event of a breach, it will be detected, investigated and managed efficiently.

Privacy Impact Assessments have, for a number of years, been promoted by the ICO as a good practice measure. As a responsible data company, Experian already conducts privacy impact assessments as part of the compliance approval process for any new initiatives or changes to existing products/services which are likely to have an impact on privacy.

Automated decisions and profiling

GDPR itself seeks to shed some light on this question and gives some examples of decisions that are likely to satisfy this threshold. The examples given are the automatic refusal of an online credit application or e-recruiting practices.

GDPR itself seeks to shed some light on this question and gives some examples of decisions that are likely to satisfy this threshold. The examples given are the automatic refusal of an online credit application or e-recruiting practices.

We look forward to hearing further from the ICO on this matter but, our view is that in order for any activity to fall within these criteria, a certain threshold of materiality must be met.

As part of our drive towards complying with the enhanced information requirements set out in GDPR, we have worked through all data processing activities to re-affirm the relevant processing condition that is satisfied in order to legitimise the processing of personal data. We have also taken steps to ensure that we are aware of, and communicate to all data subjects whose personal data we process, the purposes that their personal data will be processed for.

Working closely with the other main CRAs, major trade associations and lenders, and having engaged with the ICO, we produced an updated GDPR fair processing notice for use by credit providers. You can see this by clicking here.

FAQs published July 2018

To return to the GDPR hub page click HERE.

Contact us

If you have any queries, please don't hesitate to contact us and a member of our team will be happy to help.

Call us on 0844 481 9914 or email us here with your enquiry.

Contact us

If you have any queries, please don't hesitate to contact us and a member of our team will be happy to help.

Call us on 0844 481 9914 or email us HERE with your enquiry.

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.