General Information Notice to Experian’s Business Information Compliance Customers

Version 1: Adopted: 6 February 2020

This notice provides information related to the personal data that Experian uses for their Business Information (BI) Compliance product suite. ‘Compliance’ products are designed to help our Business Customers identify and prevent illegal and fraudulent activity as well as meet their regulatory requirements. Such products may often be referred to as ‘Anti Money Laundering’ (AML) or ‘Know Your Customer’ (KYC) products.

Experian’s UK&I business acts as a credit reference agency (CRA) which collects, maintains and shares data on Businesses and directors of Businesses in order to be able to provide compliance services. This document will outline the sources of that data and the way that it is used for Experian BI’s compliance products. For more detailed information on the collection and processing of consumer credit information by Experian and other CRAs please visit www.experian.co.uk/crain

This document answers these questions:

  1. Who is Experian BI and how can I contact them?
  2. What kinds of personal data does Experian BI use, and where do they get it?
  3. What does personal data get used for in compliance products?
  4. What are Experian BI’s legal grounds for handling personal data?
  5. Who does Experian BI share personal data with?
  6. Where is personal data stored and sent?
  7. For how long is personal data retained?
  8. Do the credit reference agencies make decisions about me or profile me?
  9. What can I do if I want to see the personal data held about me?
  10. What can I do if my personal data is wrong?
  11. Can I restrict what the Credit Reference Agencies do with my personal data?
  12. Who can I complain to if I am unhappy about the use of personal data?
  13. Credit Reference Agency
1. WHO IS EXPERIAN BI AND HOW CAN I CONTACT THEM?

Experian BI, Experian pH and Experian Business Assist are wholly owned business units of Experian Ltd and can be contacted at:

Business Unit Contact details
Experian Limited  

Post: Experian, PO BOX 9000, Nottingham, NG80 7WF

Web Address: https://www.experian.co.uk/business/contact-us/

2. WHAT KINDS OF PERSONAL DATA DOES EXPERIAN BI USE, AND WHERE DO THEY GET IT?

Experian BI obtains and uses Business information from a variety of sources. Linked to these businesses are contact details for senior decision makers and representatives of businesses for example Head of IT, Branch Manager, Operations Director, etc. We hold similar contact information on Company Directors, shareholders and ultimate beneficial owners of businesses.

For the purposes of data protection, all information relating to non-registered businesses is defined as personal data; this includes sole traders and ordinary non-registered partnerships. This is because the business is not a legal entity and is run in the name of the owner(s).

We have outlined the sources of data used for compliance products in the following table:

Data Category Source Type of Data
Government Companies House This is the government database of business registrations and filing updates, which includes all registered businesses – Limited companies, Public Limited Companies (PLCs) and limited liability partnerships (LLPs). Included within this information are the details of a business’s directors (including Usual Residential Addresses), shareholders, secretaries and other persons of significant control.
Government Open Government License (OGL) This includes various datasets released by the government under the terms of the Open Government Licence for example, Food Standards Agency, Council data, Vehicle & Operator data.
Government HMRC Data held by the HMRC aiding their collection of taxes such as the VAT Register.
Publicly Published Directories Private companies who publish business directories online Basic business details (name, service address, multiple contacts) collected and verified by phone or online. For example, 118 Market Location.
Specialist contact directories Private companies who collect specific data on specific businesses or types of organisations Basic business details (name, service address, multiple contacts) collected and verified by a range of methods (generally by phone) on specific sectors e.g. IT, fleet, public sector, retail. For example, local data company.
Private registers Private organisations e.g. Financial Conduct Authority list of authorised companies. Politically Exposed Persons (PEPs) and Sanctions lists.
Public data Government Gambling Commission, Charities Commission.
Credit Reference Agency data Experian commercial credit bureau (for more information see section below table) Public record information such as County Court Judgements. Information about how well a business pays its invoices and finance agreements.
Current Account Turnover (CATO) Banks, building societies and basic bank account providers Providers can share current account debit and credit data, which can be used to help validate income, assess affordability and manage risk. Following the principles of reciprocity, organisations must share data to gain access to the data shared by other similar organisations.

The types of data these provide for compliance purposes are listed below:

Firmographic Data

  • Sector
  • Size (may be measured by sales revenue, employee numbers, numbers of sites)
  • Age of Business
  • Headquarter and branch locations
  • Presence of money services

Company financials

  • Filed Accounts - Current
  • Filed Accounts - Historic Trends

Company Ownership Structures

  • Ultimate beneficial owners
  • Persons of significant control
  • Company Director linkages and associations

Contact Details

  • Individual Name
  • Job Title
  • Phone Numbers
  • Service Address
  • Director usual residential address (URA) for verification. The URA is not shared in any Experian BI products

For non-registered businesses (sole traders and partnerships) all of the above data, if available, is considered personal data.
For registered businesses (e.g. limited companies) and public sector organisations only the contact details are personal data.

3. WHAT DOES PERSONAL DATA GET USED FOR IN COMPLIANCE PRODUCTS?

Database Creation Activities

Experian carry out certain processing activities internally, tidying up and linking data from several different sources to make one database which contains all of the information we need for our products in one place. For example:

  • Data loading: Data supplied to Experian BI is checked for accuracy and quality to make sure it’s fit for purpose. These checks pick up things like irregular spellings in names and addresses and inconsistencies in data items from different sources which we then correct in our own database.
  • Data matching: Where data is supplied to Experian BI without a common identifier (such as a Companies House number) it is matched together using business name and address to ensure data on a business from different sources is assigned to the same business in our database. The matching process considers discrepancies like spelling mistakes or different versions of a business’s name and address. Our matching techniques use proprietary algorithms enabling Experian BI to achieve very high accuracy rates in matching.
  • Data linking: Beyond linking businesses together in their database Experian BI also creates links between different companies, for example, showing information about Company ownership, Shareholders and Directors who are associated with each other.

Automated Portfolio monitoring – helping our clients focus their time on investigating the right businesses

The information Experian gathers is used to create models to more effectively identify within the population of businesses those that have particular attributes that may represent more risk of fraudulent activity.

The models and risk scores we generate are based on information that is attributable to the business and includes items such as:

  • Ultimate Beneficial Owners (UBOs), Shareholders and Company Directors
  • Business activity – industry classifications, official memberships and registers (e.g. Charity Commission, Gambling Commission, etc)
  • Age of business
  • Legal status
  • Financial position (as reported on filed accounts)
  • VAT Registration Number (or lack of)

It is important to note that Experian BI does not make any decision about how to use these risk related scores and outputs. It is always the client who makes the decision on the purposes for which the scores that we create are used.

Verifying Business Information - helping financial institutions prove they know their customers and prevent fraud

To help our clients meet their regulatory obligations we verify and update information on their customers to help them ensure that the due diligence required for Anti Money Laundering and other legal obligations they have, are met.

Typically, this happens when a Business or a Person applies to an organisation for a business product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by Experian to see if they’re correct. This helps Experian’s clients to confirm the person they are dealing with is not trying to commit some form of fraud and that the product they are applying for is appropriate. In some cases, we will enhance this information with registered office information, legal status and other information that enables the client to classify and understand their customers in more depth.

One important aspect is to identify the Ultimate Beneficial Owners of businesses and Persons of Significant Control. The identification of such individuals is strictly carried out in response to a client request for this data as part of their legal requirements and is not provided for any marketing purposes.

A further use would be to link company Directors across businesses to ensure that any connected relationships are identified and can be investigated if necessary.

Other Activities

Experian also acts as a credit reference agency and so your information may be used in “credit” services provided as required or permitted by law. More information available here: www.experian.co.uk/crain

4. WHAT ARE EXPERIAN BI'S LEGAL GROUNDS FOR HANDLING PERSONAL DATA?

Legitimate interests

The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects.

The law calls this the Legitimate Interests condition for personal data processing.

The Legitimate Interests being pursued here are:

Interest Explanation
Experian has a legitimate interest in running a successful data business which generates revenue by helping businesses understand their customers better, avoid bad debt and help to detect fraudulent activity Experian provide risk assessed, appropriate, accurate business contact data to client businesses wishing to provide financial services. This allows clients to accelerate the account opening processes for reputable businesses while highlighting riskier businesses or potentially fraudulent activity.
Providing B2B financial service providers a clear view of their customers Experian gather appropriate information on businesses and connected persons in order to ensure clients have as much relevant information on their end customers as possible. This helps clients to meet regulatory standards for Compliance, AML and KYC purposes.
Helping B2B providers of financial services to prevent and detect fraud Experian gather appropriate information on businesses highlighting those that represent increased risk for their clients. This accelerates the onboarding process for many businesses while also reducing the risk of fraudulent activity and bad debt to clients.
Supporting affordability and credit risk processes Experian combines business data it holds with current account turnover (CATO) data from banks to provide enhanced affordability checks to is clients. This prevents businesses from taking banking products and services that are inappropriate for them or that they cannot afford.
5. WHO DOES EXPERIAN BI SHARE PERSONAL DATA WITH?

This section describes the types of recipient Experian BI shares data with. There are strict access control processes in place. For example, before we share data with any another organisation, we do due diligence appropriate for the organisation type and always ensure protections and data security terms are included in our contracts with these organisations.

Clients

Experian BI provides business contact and analytical data to businesses wishing to meet compliance and risk requirements. Various checks are completed on new clients to ensure they will use the data for assessment purposes only.

Processors

Experian may use other organisations to perform tasks on our behalf (for example; data validation).

Individuals

People are entitled to obtain copies of the personal data Experian BI hold about them. You can find out how to do this in the section what can I do if I want to see the personal data held about me below.

Public bodies, law enforcement and regulators

The police and other law enforcement agencies, as well as public bodies like local and central authorities and our regulators, can sometimes request Experian to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.

6. WHERE IS PERSONAL DATA STORED AND SENT?

Experian BI holds its main databases within the UK in the Experian secure data centre. Some data is held in secure ‘cloud’ storage. Experian BI also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed from those locations too. In both cases, the personal data use in those locations is protected by European data protection standards.

Sometimes Experian BI will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when a processor or client is based overseas or uses overseas data centres.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. Thus, when Experian does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:

  • Sending the data to a country that’s been approved by the European authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland and Canada.
  • Putting in place a contract with the recipient containing terms approved by the European authorities as providing a suitable level of protection.
  • Sending the data to an organisation which is a member of a scheme that’s been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities. Another example is Binding Corporate Rules.
7. FOR HOW LONG IS PERSONAL DATA RETAINED?

Identifiers

Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for the purposes it was collected for will be disposed of.

However, much of this data is used to match and track the historic movements in business identities and therefore requires on-going retention to ensure we can accurately match data even though ownership, trading styles and locations may have changed over time.

Other data

Other third party supplied data such as politically exposed persons (PEPs) & sanctions data will be stored for a period determined by criteria such as the agreed contractual terms.

Archived data

Experian BI may hold data in an archived form for longer than the periods described above, for research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.

8. DO THE CREDIT REFERENCE AGENCIES MAKE DECISIONS ABOUT ME OR PROFILE ME?

We don’t tell our clients which businesses should be offered a product or service, that is for the client to decide. However, we do provide data and analytics that help clients make decisions about which businesses it wishes to engage with. The models and data Experian provide are often a valuable tool in the client’s overall processes and criteria they use to make their decisions. A client’s own data, knowledge, processes and practices will also generally play a significant role in their business decisions - and their decisions will always remain for them to make which is something we make clear in our client contracts.

Models

Experian does use the data we obtain to produce some risk related scores and assessments that clients use, as described above. However, it is for the client to decide how to use this information.

9. WHAT CAN I DO IF I WANT TO SEE THE PERSONAL DATA HELD ABOUT ME?

Data access right

You have a right to find out what personal data Experian BI holds about you. There is detailed information on our website.

Each CRA provides more information about access rights on their websites.

Experian

To get online information:

‘Consumer’ personal data held on you can be requested here:

https://www.experian.co.uk/consumer/data-access

‘Business’ personal data held on you can be requested here:

https://bis-dqp.uk.experian.com/

To make a request by post:

Customer Support Centre, Experian Ltd, PO BOX 9000, Nottingham, NG80 7WF

10. WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?

When we receive personal data, we perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, we rely on the suppliers to provide accurate data.

If you think that any personal data we hold about you is wrong or incomplete, you have the right to challenge it. We can tell you who supplied the data to us so you can contact that supplier and have the data corrected at source. It is best to do this as that supplier might also supply other marketing service providers.

If you’d like to do this, you should contact us using the contact details in contact us section above.

11. CAN I RESTRICT WHAT THE CREDIT REFERENCE AGENCIES DO WITH MY PERSONAL DATA?

As described in Section 2 the data on your business which may include personal data will be used to prevent fraud and comply with anti-money laundering and other legislation that is there for your protection or the protection of another natural or legal person. In this case, asking us to restrict how we use your personal data is not an absolute right. Your rights are set out at Article 18 of the GDPR. Experian will consider and respond to requests we receive to restrict processing for these purposes.

Please note that given the importance of records for the purposes of preventing fraud and complying with anti-money laundering and other legislation, it will usually be appropriate to continue processing this data, in particular to protect the rights of another natural or legal person (for example a lender) or because it’s an important public interest of the union or member state.

12. WHO CAN I COMPLAIN TO IF I AM UNHAPPY ABOUT THE USE OF PERSONAL DATA?

Experian BI is committed to deliver excellent customer service levels but if you’re not happy you should contact us so we can investigate your concerns.

Business Unit Contact Details
Experian Limited

Post: Experian, PO BOX 8000, Nottingham, NG80 7WF

Email: complaints@uk.experian.com

Phone: 0344 481 0800 or 0800 013 8888

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  1. Phone on 0303 123 1113
  2. Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  3. Going to their website at

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  1. Phone on 0303 123 1113
  2. Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  3. Going to their website at www.ico.org.uk
13. CREDIT REFERENCE AGENCY

Experian may hold your data in your capacity as a consumer because it also operates as a Credit Reference Agency (CRA). For further information about how a CRA works, please follow this link to the CRA Information Notice (CRAIN). The CRAIN is intended to provide a concise overview of the key points.

The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.