Experian's GDPR Readiness Programme

As a partner of Experian, we understand that you are likely to have some questions around what Experian has been doing, and is doing, to comply with the General Data Protection Regulation (GDPR). As such, we have produced a series of frequently asked questions which should cover some, if not all, of those questions.

Experian’s approach to GDPR readiness

  • Did Experian undergo a GDPR readiness programme and, if so, what is its current status?
  • Data protection compliance is fundamental to our business and, as a result, Experian has taken a keen interest in GDPR since the draft text was first released many years ago as part of the EU’s legislative process. We worked diligently with the industry, clients and our internal stakeholders to assess the potential impact of GDPR on our business and the industry more generally and to identify any changes that needed to be implemented to comply with the enhanced requirements.

    We recognise the importance of good, well-regulated data protection in a modern society, and we were pleased to note the final wording of GDPR does not contain anything that prevents Experian at a fundamental level from offering the services that it does, being services which are essential to consumers and organisations in their interactions with each other.

    Our GDPR readiness programme is now complete. GDPR compliance is part of business-as-usual and we continue to ensure that GDPR is considered during product development and in our relationships with other organisations.

  • Is Experian’s GDPR readiness programme sponsored by the Executive Team?
  • Yes, as a data business, compliance with data protection legislation is crucial. Our Executive Team have been, and continue to be, fully supportive and engaged with GDPR compliance matters. Experian is acutely aware that the 25th May was the beginning, and ongoing compliance with GDPR will be a priority for our business going forward.

  • How does Experian ensure that it maintains compliance with the requirements of GDPR, on an ongoing basis, post 25 May 2018?
  • We saw our GDPR readiness programme as the first phase of a long-term plan. As is the case for all organisations processing personal data, the important factor was not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.

    We already had robust processes and procedures in place to manage compliance with existing data protection legislation and, as part of our GDPR readiness plan, we reviewed those processes and procedures to ensure that they were fit for purpose under the new regime.

Supplier engagement

Enhanced requirements, data subjects’ rights and consent

  • Has Experian implemented processes and procedures to be able to comply with the data subjects’ rights provided for in GDPR?
  • Experian has many years of experience in dealing with high volumes of consumer requests in relation to credit files. Part of our GDPR readiness programme involved assessing the processes and systems we already had in place to comply with rights previously available to data subjects under the Data Protection Act 1998. As part of this assessment we also identified what, if any, changes needed to be implemented to ensure that we can comply with the enhanced rights set out in GDPR.

    It is worth noting that some of the data subject rights available under GDPR are not absolute rights and, in many circumstances, will not arise. By way of example, whilst we will respond to all data subject requests received on a case-by-case basis, in relation to credit file data processed under the legitimate interests processing condition, provided that the data recorded is accurate and up-to-date, the right to erasure will not generally apply. This is because there will continue to be an overriding legitimate ground for this data to be maintained.

    As part of the transparency requirements, we have worked hard to ensure that individuals are aware of, and understand, when these rights apply and when they do not, and will continue to do so.

  • What is Experian doing to ensure that it complies with the enhanced information requirements set out in GDPR?
  • Experian fully supports the drive towards greater transparency. Our corporate strategy seeks to put our customers at the heart of everything we do, and being open and transparent is a crucial element of achieving that.

    We worked with all stakeholders within our business, industry bodies, suppliers and clients to ensure that all privacy notices and data collection notices/journeys that feed into our business were compliant with these requirements in advance of the 25 May 2018 deadline. We also engaged with the Information Commissioner’s Office (“ICO”) to ensure that the approach being taken is in line with the ICO’s expectations, particularly in the critical area of credit information transparency.

    If you are a lender, please also see FAQ below ‘Will there be any changes required in terms of Fair Processing Notices in order that consumer data can be used for credit assessment purposes? What will the changes entail?’.

  • Does Experian conduct Privacy Impact Assessments and, if so, in what circumstances?
  • Privacy Impact Assessments have, for a number of years, been promoted by the ICO as a good practice measure. As a responsible data company, Experian already conducts privacy impact assessments as part of the compliance approval process for any new initiatives or changes to existing products/services which are likely to have an impact on privacy.

Automated decisions and profiling

FAQs published July 2018

Contact us

If you have any queries, please don't hesitate to contact us and a member of our team will be happy to help.

Call us on 0844 481 9914 or email us here with your enquiry.

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.