Are you thriving under the GDPR?
Turn GDPR readiness into business as usual
Focused on the individual, with a bounty of opportunities
In its essence, the GDPR is driven by the rise in connected technology and organisations of all shapes and sizes who are now in possession of more customer information than ever before.
The Data Protection Act of 1998 was created at a time before smart-phones and social media existed and so an update to the practices surrounding personal data was long overdue. The EU’s General Data Protection Regulation (GDPR) is the result of four years of work to bring data protection legislation in line with the many ways that data is now intertwined with our daily lives as consumers and professionals.
As the amount of personal data collected and held by organisations rises, so does the responsibility for its secure storage and ethical use. Regulators recognised that the existing laws were insufficient to manage the rapid evolution of data application and privacy in an increasingly fast-paced digital landscape. In response, the EU drafted the GDPR, a new set of comprehensive regulations, which was adopted by the European Parliament and Council in April 2016 and became directly applicable in member states from 25th May 2018.
Our Global Data Management Research 2018 found that over 80% of businesses recognise the opportunity data can bring to forming their strategy and almost three quarters also admit that it’s difficult to predict where the next data challenge is coming from. Whilst many organisations are finding that increasing volumes of data can make it difficult to meet regulatory requirements, 75% have seen a return on investment from the data quality solutions they have used within their business.
To help you thrive under the GDPR, we have designed 4 solution packages that can be used independently or together to help you manage the requirements of the GDPR and prosper in our data-driven economy - Data Cataloguing, Data Integrity, Data Match and Data Breach. We believe that once a solid data foundation has been laid for your organisation, you can manage the other elements required by the GDPR including Data Subject Access Requests and Data Breach response.
With the new data protection regulations under the GDPR, there is an increased responsibility for businesses to have comprehensive insight and control of all data assets. To do that, you must know what personal data you hold, its provenance, location and all the ways in which it is being used. Without visibility on all data held, it is much harder to respond to the GDPR requirements such as access, rectification and data portability present in a range of GDPR articles.
We can provide you with a clearer picture of the types of data you store and enable you to have the confidence that all disparate but related data points can be linked to an individual identifier and retrieved as efficiently as possible. We’ll support you every step of the way - our team of data management experts will work with you to fully understand your needs, address any concerns and build a plan for success. You can rest assured that you’re in safe hands, we are experts at evaluating and improving your data quality and integrity.
Consumer Data
We use advanced cataloguing and data management tools to find and index all identifiable personal consumer data within your business systems. Next, we analyse your data systems, fingerprint and automatically add tags for the effective organisation and management of all your data sources. Finally, our advanced data management platform can then profile and compare each personal record, while our bespoke transformation rules can clean and validate records. From here, rules can be built which are designed with the GDPR in mind to help ensure that multiple records can be brought into a ‘golden’ record to create a single customer view.
Commercial Data
The identifiable data of individuals within businesses, such as work email addresses and telephone numbers, are covered by the GDPR and our data experts can help you understand the scope of this type of data you hold in order to create an accurate inventory. Using the Megafile, our comprehensive UK business database, we can provide you with a clearer picture of the data you store which represents data subjects, our data discovery services can give you the confidence that all disparate but related data points can be linked to an individual identifier and retrieved as efficiently as possible. This service includes identifying and tagging personal and sensitive data within your organisation. Discovery of this type of personal information can help you deliver compliant solutions for a range of the GDPR articles.
As a data controller, you are responsible for taking steps to ensure the personal data you hold is accurate and up to date as outlined in Article 5 of the GDPR. In addition, the Information Commissioners Office (ICO) requires demonstration that organisations have implemented measures to maintain accuracy and taken reasonable steps to erase or rectify any inaccurate personal data.
Through proper assessment, you can begin to fully understand, plan and prioritise to ensure your data is suitable for the GDPR. Our expert data quality consultants will work with you to assess the quality, accuracy and integrity of the data you hold. This Data Integrity Assessment will identify where your data gaps exist and what steps to take to be in line with the GDPR regulatory principles.
Step One: Assess your data
- We perform a thorough data analysis to verify the accuracy and overall integrity of your data
- For fast diagnosis, our Data Quality consultants will perform checks on a sample 20% of your data file
- Your data’s accuracy is measured against unique Experian reference sets, providing indicators of inaccuracies, gaps and duplications
- Our data integrity assessment looks at over 200 quality attributes such as uniqueness, completeness, frequency of values and formats
- All data will be processed at one of our secure data centres, providing you with a fast and detailed Data Readiness Assessment recommended steps to rectify issues
Step Two: Improve your data
- We can implement a ‘data fix’ strategy to rectify issues in your data, correct inaccuracies identified, recommend ‘best’ data available based on our credit and reference files
- We can provide full data suppression analysis
Step Three: Control your data
- This is not just a one-off service; our capabilities can be deployed to repeat assessments on a periodic basis or built as an ongoing business process
- Make your data as valid and current as possible both demonstrating good practise to the ICO
From May 2018, data subjects have far greater individual’s rights and control over the way in which your business stores and uses their personal data. The ICO requires you to respond quickly and effectively to requests from individuals about their personal data - you must respond to a Data Subject Access Request (DSAR) within 30 days, free of charge.
To fulfil the individual’s rights under the GDPR, your business must:
- Provide individuals access to data held on them upon request, without delay (Article 15)
- Provide individuals with the ability to have data about them rectified upon request, without undue delay (Article 16)
- Erase personal data held on individuals where certain grounds apply, without undue delay (Article 17)
- Restrict the processing of personal data held on individuals in some circumstances without delay (Articles 18 & 21)
- Transfer personal data held on individuals under certain circumstances upon request (Article 20)
Our approach to Data Match
Utilising a unique combination of linking, matching, and data management tools and services, we can deliver a consistent, single view of each of your existing individual data subjects with access via a single tool.
Consumer Data
For consumer data, our simple and sophisticated solution, ExPin, uses billions of reference data points to create a unique match key for each individual which can then be used to verify and match disparate data records. This process allows you to create a single customer view and get to know your customers better.
Commercial Data
The Megafile offers commercial data matching capabilities that can also highlight records that cannot be matched, perhaps due to lack of input or up to date data giving you the opportunity to identify necessary cleansing or enhancement work in your database(s).
Once you accurately understand how many individuals you have in your database and who they are, you will be able to respond more quickly and effectively to any data subject access requests from your customers in line with the requirements for the GDPR in addition to understanding the value of each customer to your business.
In the past 2 years, 21% of UK businesses have suffered a data breach and, this doesn’t necessarily have to be a high-profile hack of 100,000s records – 80% of data breaches are due to a simple human error such as a lost laptop or an incorrect email respondent. The growing opinion is that it’s not a matter of if, but when, a data breach will occur.
What’s important is how prepared you are and how you react when a data breach happens. Our data breach services help you to prepare by maintaining a high level of data accuracy so if the worst does happen, you can quickly and confidently contact all affected parties in a way tailored to them.
This speed and accuracy is critical in rebuilding the trust of your customers as well as meeting the requirements of the GDPR regulations.
Our approach to your data breach
Know
Identifying where potential weaknesses lie in your organisation is an important part of how we can help. We will work with you to decide the best approach for you – such as a Pre-Breach Assessment.
Prepare
We help you create and store all the necessary resources required for a quick response when a breach happens including branded landing pages, breach notification templates and a dedicated telephone number – all tailored to your situation.
Recover
When a breach occurs, we will work with you to notify all those affected as well as set up call centre support and web/credit monitoring to continue providing help and protection going forward.
Consumers are beginning to recognise the value of their data and understand that they own the data companies hold about them. With this increased awareness, consumers are also conscious of the responsibilities that come with the ownership of this data and the value it holds.
That said, this increased awareness has not meant that more consumers are shying away from sharing their data, nor has it therefore hampered the growth of the data market. In fact, people seem to be increasingly comfortable with sharing their data, on their own terms. Our recent survey* found that 49% of consumers are prepared to give their data to brands they trust, while 69% were happy for brands to use their personal information to send them discounts on products and services that they really want.
1. Rights of Individuals
Strengthening the rights of individuals as data subjects is an important factor of the GDPR and as a result, there are a number of new or enhanced data subject rights incorporated in the regulations. Two of these, the Right to be Forgotten, and Right to be Informed are explained in a more detail within this page.
2. Right to be Informed
Businesses need to make sure individuals understand who is collecting their personal data and the purposes it will be used for. This includes visibility of the controller† and processor‡, as well as explicit information about how the data will be used.
The new principle of accountability in the GDPR means there will be more of an onus on controller businesses to demonstrate compliance with the data protection principles and organisations’ privacy policies will need to be updated in line with the new requirements.
3. Right to Erasure (“Right to be Forgotten”)
A Right to Erasure has been set out clearly in the GDPR which allows individuals a qualified right to request that their data is erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected).
Businesses will have an obligation to erase the relevant personal data it holds concerning that individual within a maximum of one month of the receipt of the request.
4. Data Protection Officer (DPO)
Businesses will be required to appoint a data protection officer to help them comply with all of their obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance and is needed whether the organisation is acting as a processor or a controller where processing operations require regular or systematic monitoring of people on a large scale.
5. Obligations on data processors
Under the Data Protection Act 1998 the statutory obligations were on data controllers only. However, under the GDPR, data processors will also have obligations for example, they will have a responsibility for implementing appropriate technical and organisational measures for the security of personal data during its processing activities.
Processors will be legally accountable for compliance beyond any contract terms, but reputable data processors will already have many measures in place to demonstrate compliance.
6. Data Protection Impact Assessment
Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR includes a requirement for controllers to report a personal data breach to its data protection supervisory authority (the Information Commissioners Office (‘ICO’) in the UK) without undue delay and, where feasible, within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where the breach is likely to result in high risk to those rights and freedoms, the data controller will also need to communicate the breach to impacted individuals without excessive delay.
Exploring attitudes towards data in the UK
Download the white paper to find out more about our comprehensive research programme into this topic.
Guide to the UK General Data Protection Regulation (UK GDPR)
Find out more about the data protection regime that applies to most UK businesses and organisations.
FAQs
Data protection compliance is fundamental to our business and, as a result, Experian has taken a keen interest in GDPR since the draft text was first released many years ago as part of the EU’s legislative process. We worked diligently with the industry, clients and our internal stakeholders to assess the potential impact of GDPR on our business and the industry more generally and to identify any changes that needed to be implemented to comply with the enhanced requirements.
We recognise the importance of good, well-regulated data protection in a modern society, and we were pleased to note the final wording of GDPR does not contain anything that prevents Experian at a fundamental level from offering the services that it does, being services which are essential to consumers and organisations in their interactions with each other.
Our GDPR readiness programme is now complete. GDPR compliance is part of business-as-usual and we continue to ensure that GDPR is considered during product development and in our relationships with other organisations.
Yes, as a data business, compliance with data protection legislation is crucial. Our Executive Team have been, and continue to be, fully supportive and engaged with GDPR compliance matters. Experian is acutely aware that the 25th May was the beginning and ongoing compliance with GDPR will be a priority for our business going forward.
Yes, we have appointed a Data Protection Officer. Their contact details are available on our website www.experian.co.uk.
We saw our GDPR readiness programme as the first phase of a long term plan. As is the case for all organisations processing personal data, the important factor was not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.
We already had robust processes and procedures in place to manage compliance with existing data protection legislation and, as part of our GDPR readiness plan, we reviewed those processes and procedures to ensure that they were fit for purpose under the new regime.
As mentioned above, as part of our GDPR readiness programme, we worked through all products, services and data processing activities undertaken by Experian in order to identify what, if any, changes needed to be implemented prior to 25 May 2018. As part of this process, some product changes were made and rolled out, however GDPR does not, contain anything which, at a fundamental level, prevents Experian from providing its products and services.
Engaging with material suppliers was an important aspect of our GDPR readiness programme. We will continue to engage with suppliers about GDPR as part of business-as-usual.
Experian has many years of experience in dealing with high volumes of consumer requests in relation to credit files. Part of our GDPR readiness programme involved assessing the processes and systems we already had in place to comply with rights previously available to data subjects under the Data Protection Act 1998. As part of this assessment we also identified what, if any, changes needed to be implemented to ensure that we can comply with the enhanced rights set out in GDPR.
It is worth noting that some of the data subject rights available under GDPR are not absolute rights and, in many circumstances, will not arise. By way of example, whilst we will respond to all data subject requests received on a case-by-case basis, in relation to credit file data processed under the legitimate interests processing condition, provided that the data recorded is accurate and up-to-date, the right to erasure will not generally apply. This is because there will continue to be an overriding legitimate ground for this data to be maintained.
As part of the transparency requirements, we have worked hard to ensure that individuals are aware of, and understand, when these rights apply and when they do not, and will continue to do so.
Experian fully supports the drive towards greater transparency. Our corporate strategy seeks to put our customers at the heart of everything we do and, being open and transparent, is a crucial element of achieving that.
We worked with all stakeholders within our business, industry bodies, suppliers and clients to ensure that all privacy notices and data collection notices/journeys that feed into our business were compliant with these requirements in advance of the 25 May 2018 deadline. We also engaged with the Information Commissioner’s Office (“ICO”) to ensure that the approach being taken is in line with ICO’s expectation, particularly in the critical area of credit information transparency.
If you are a lender, please also see FAQ below ‘Will there be any changes required in terms of Fair Processing Notices in order that consumer data can be used for credit assessment purposes? What will the changes entail?’.
Experian welcomes any guidance issued by the ICO which aims to help organisations understand the requirements of GDPR and how they will be interpreted in practice.
We also welcomed the opportunity to respond to the ICO’s consultation on this highly important aspect of GDPR.
We welcome the ICO's promotion and express support for use of the legitimate interests processing ground, where appropriate, as an alternative to consent.
We also welcome the ICO’s more recent Guidance on Legitimate Interests.
Yes, the security of all data (including personal data) that we hold is highly important to us. Not only do we implement data security measures to protect it but we also have processes and procedures in place to ensure that, in the event of a breach, it will be detected, investigated and managed efficiently.
Privacy Impact Assessments have, for a number of years, been promoted by the ICO as a good practice measure. As a responsible data company, Experian already conducts privacy impact assessments as part of the compliance approval process for any new initiatives or changes to existing products/services which are likely to have an impact on privacy.
GDPR itself seeks to shed some light on this question and gives some examples of decisions that are likely to satisfy this threshold. The examples given are the automatic refusal of an online credit application or e-recruiting practices.
GDPR itself seeks to shed some light on this question and gives some examples of decisions that are likely to satisfy this threshold. The examples given are the automatic refusal of an online credit application or e-recruiting practices.
We look forward to hearing further from the ICO on this matter but, our view is that in order for any activity to fall within these criteria, a certain threshold of materiality must be met.
As part of our drive towards complying with the enhanced information requirements set out in GDPR, we have worked through all data processing activities to re-affirm the relevant processing condition that is satisfied in order to legitimise the processing of personal data. We have also taken steps to ensure that we are aware of, and communicate to all data subjects whose personal data we process, the purposes that their personal data will be processed for.
Working closely with the other main CRAs, major trade associations and lenders, and having engaged with the ICO, we produced an updated GDPR fair processing notice for use by credit providers. You can see this by clicking here.
FAQs published July 2018
Contact us
If you have any queries, please don't hesitate to contact us and a member of our team will be happy to help.
Call us on 0844 481 9914 or email us here with your enquiry.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.