ICO issues enforcement notice against Experian

October 27th 2020 saw the Information Commissioner issue an ‘Enforcement Notice’ against Experian, under DPA18, for its processing of personal data for ‘offline marketing services’. The notice covers 3 substantive issues:

  1. Fair & Transparent Processing
  2. Article 14 GDPR (Failing to notify data subjects about Experian’s processing of their personal data)
  3. Failure to properly assess the lawful basis of processing

The ICO chose enforcement rather than fines because it assessed it was the “most effective and proportionate way to achieve compliance”.

This followed a 2 year ‘Investigation into data protection compliance in the direct marketing data broking sector’.

This document looks at how credit reference agencies have also been processing and supplying data for direct marketing.

The ICO recognised:

The data broking sector provides a valuable service to support organisations across the UK.

Despite this they stated:

data brokers must comply with data protection law.

Experian, a titan of the data world, fully cooperated with the ICO in the investigation. Experian believed they had prepared thoroughly for GDPR and the new compliance regime, yet the ICO nonetheless perceived weaknesses.

So, if you conduct direct marketing, you should be aware of the themes of non-compliance the ICO highlighted, they demonstrate areas of concern and likely enforcement.

Transparency and fairness

You must provide the information required by Article 14 of GDPR, now commonly known as a Fair Processing Notice, to each data subject. It must explain all the processing you undertake in clear and simple terms.

Processing of data for other purposes

You must only process personal data for the purposes you have told the data subject about.

Lawful basis for processing

There are really only 2 suitable bases for processing for direct marketing purposes, “consent” or “legitimate interests”. You must choose the correct one, and you must only use it in the way you have chosen. Any consent you rely upon must meet GDPR requirements for valid consent.

Legitimate interest assessments

These assessments allow you to show you have impartially considered your legitimate interests against the risks to the rights and freedoms of data subjects. You should always conduct these and retain the evidence. (Please note: if you license data from Corpdata, we will normally help you to produce a draft Legitimate Interest Assessment free of charge!)

Other things we learn

Honeytraps and online ‘publicly available personal data’

The ICO has undertaken proactive investigative work by “seeding personal data online” to show how data was obtained and used.

If you harvest online information you may stumble across these ‘honeytraps’. If you process personal data harvested online or process publicly available personal data, you must always provide a Fair Processing Notice to the data subject.


Experian tried to assert it would require a disproportionate effort to provide a Fair Processing Notice to all data subjects (about 50 million). The ICO disagreed. You may not rely upon this argument, especially where the processing is likely to be ‘unexpected’ by the data subject.

Due diligence

The ICO is also keen to educate, so have published information for customers of data broking services, including a non-exhaustive approach to due diligence. (If you would also like to see the advice about choosing a data supplier Corpdata produced in 2017, you can find it here.)


Source ** CorpData

#privacy #gdpr #ccpa #data #dataprivacy #compliance

Previous Post

Data Breach: NY Regulator Finds Social Network Lacked Appropriate Security

Next Post

Hacker: ICO UK Fines Ticket Company £1.25 Million For Data Breach

Related Posts