How we protect your data

Experian is a responsible marketing services provider. That means we’re committed to ensuring the interests of you, as a consumer, are at the heart of everything we do.

We put safeguards in place to protect your personal data and embrace an ethical approach to ensure you come to no harm as a result of our activities.


Our ethical approach to marketing

Experian believes in an ethical approach to marketing.

We understand that some marketing activities, although perfectly legal, may still cause distress or discomfort. We constantly review the market sectors and types of organisations that we do business with, in the context of any harm or detriment our data, when used for marketing activity, might cause.

By monitoring consumer sentiment across all types of marketing, we constantly react to emerging areas of consumer concern. For example, some time ago, we decided not to provide landline or mobile numbers to organisations for the purposes of prospecting for new customers, as we recognised the intrusiveness of telephone and mobile channels when used for this marketing activity.

We encourage a culture of putting you first and protecting your data privacy rights.

This means making sure our products and services do not cause detriment to you as a consumer.

We tightly control access to our products, to ensure they are not used by brands who offer products and services that we believe could cause detriment to you, be intrusive, or create risk for vulnerable groups of consumers.

And we are members of relevant industry bodies such as the Data & Marketing Association (DMA; see our entry here on the DMA’s website). We are committed to high standards and industry codes of practice where the individual is always put first – codes such as the DMA’s Direct Marketing Code of Practice, whose key principles are: respect privacy, be honest and fair, be diligent with data, and take responsibility.

Our safeguards

We’re continually developing our safeguards and controls that protect your data privacy.

As part of these safeguarding measures, we:

  • Follow industry controls and codes of practice around the use of data for marketing
  • Make sure our suppliers and clients are diligently assessed
  • Ensure only the minimum amount of personal information needed for processing purposes is collected and retained
  • Manage the quality and accuracy of personal data, keeping it up-to-date and fit for purpose
  • Are transparent about your data, how we use it, who we share it with, and how you can opt out of future marketing
  • Keep your data secure in the UK and overseas with appropriate security measures
  • Only retain your data for a reasonable period of time
  • Protect your personal data and rights

Let’s look at some of these safeguards in more detail.

Industry controls and codes of practice

We seek to align to best practices laid down by the Information Commissioner’s Office (ICO) as well as the European Interactive Digital Advertising Alliance (EDAA), and we’re active members of the Data & Marketing Association (DMA).

Plus, we use controls like industry suppression lists to check our data is accurate and that any marketing preferences you have expressed are respected.

Assessing our suppliers and clients

We have processes of due diligence when choosing suppliers and clients to work with, and we continually monitor these relationships. We only work with organisations who meet our high standards of compliance with data protection requirements.

This is to make sure that we don’t use personal data in a way that could cause harm to you. We require both suppliers and clients to use appropriate security measures to safeguard your information.

Collecting the minimum data required

We ensure that only the minimum amount of personal information needed for processing purposes is collected by us, a practice often referred to in data protection regulation as “data minimisation”.

We do this through measures such as:

  • tightly defining the format of any data sent to Experian, ensuring that only variables required for the processing are supplied by our data partners. Our internal processes will reject any data not supplied in the agreed format
  • transferring only the minimum amount of data needed for the task when data is transferred externally to clients. This data is anonymised where personal data is not required for processing

Keeping your data secure in the UK and overseas

We take a number of steps to ensure that your data is kept safe. We anonymise personal data wherever possible so that it cannot be used to identify you. We only use and process data for its intended purpose, which is called data minimisation. And we use multiple layers of data encryption where appropriate.

Experian is based in the UK. All personal data we store is held in the UK in purpose-built data centres with multiple forms of physical security.

We and our clients also operate elsewhere in the world, and may access your personal information from these locations as well. While countries in the European Economic Area have rigorous data protection laws, other countries may not provide the same standard of legal protection when it comes to your information.

However, to make sure we keep your personal data safe, we apply strict safeguards when transferring it overseas.

This might mean sending your information to countries approved by the European Commission as having high quality data protection laws, such as Switzerland, Canada and the Isle of Man, or a member organisation that’s similarly approved. Or it might mean putting in place a contract with the recipient of your personal information that provides a suitable level of protection.

Experian’s US group companies are EU-US Privacy Shield certified. This means that they’re considered by the European Commission to have adequate data protection, and can therefore facilitate the transfer of EU data to the United States.

Retaining your data for a reasonable time

We keep your personal information for as long as we need to provide marketing services for our clients, and no longer.

Sometimes we may need to keep your data to comply with our legal obligations, resolve any disputes, or enforce our rights. These reasons can differ based on the type of information and the service we’re offering, so the amount of time we keep your personal data may vary.

In all cases, our need to store and use your personal information will be reassessed on a regular basis. Any information we no longer require is safely disposed of.

For more detail on the retention periods that apply to each category of personal data we might hold about you, see the sections below.

  • Postal Direct Marketing
  • Contact data obtained from data partners to enable Direct Marketing from our marketing database.

    Our postal marketing database is rebuilt monthly to ensure that data held is up-to-date and as accurate as possible. The raw input contact data (names and postal addresses) from our data partners, which is provided to us monthly, is retained for 2 months for back-up purposes to allow for one full refresh of the product to be completed prior to deletion of the input data.

    The monthly "built" marketing database file is retained and archived for 12 months to allow for the investigation of Data Subject queries. Contact data held within this live database may have been collected by the supplier 0-24 months previously.

  • Email Prospect Marketing
  • Email data obtained from data partners to enable us to create relevant marketing audiences for deployment via email.

    Our email marketing database is rebuilt monthly to ensure that data held is up-to-date and as accurate as possible. The raw input contact data (names, postal address and email addresses) from our data partners, which is provided to us monthly, is retained for 2 months for back-up purposes to allow for one full refresh of the product to be completed prior to deletion of the input data. We only retain the live version of the built product.

    Note: Experian do not provide lists of contact email addresses directly to third party organisations. The email, which communicates offers from relevant brands or organisations, is sent to a data subject directly by the organisation to whom they gave their consent to be contacted with email marketing offers.

  • Insight
  • Identities, models, segmentations for insight purposes.

    Our attributes, propensities and segmentations are linked to the names and postal addresses of UK adults on our marketing database.

    As above, the input data (names and postal addresses) is retained for 2 months for back-up purposes, to allow for one full refresh of the product to be completed prior to deletion of the input data. The "built" marketing database file is retained and archived for 12 months to allow for the investigation of Data Subject queries.

  • Marketing Data Quality and Suppressions data
  • Any personal data supplied by 3rd parties for suppression purposes is supplied monthly and previous data is then deleted.

    Our own 'built' marketing suppression files are retained for 2 months after each monthly build (the 'live' and previous version) before deletion.

    Records added to our NMR (Non-Marketing Request) file, required to suppress data subjects from Experian processing their data for direct marketing purposes if requested, are kept indefinitely. This is to ensure that at any point in the future, Experian data relating to that data subject is not processed for direct marketing purposes (including any profiling that supports direct marketing).

  • Credit Marketing Suppressions
  • The raw input data is retained for 2 months for back-up purposes, to allow for one full refresh of the product to be completed prior to deletion. Historical "built" suppression files are retained for a period of up to 6 years, aligned with the time period required for it to be held within Experian's Bureau Data, and for analysis purposes only by our clients to understand their retrospective risk profile to ensure responsible marketing of credit products.

  • Identification of Individuals
  • Name and contact data is stored indefinitely, to support identity resolution for marketing purposes. This helps correctly identify unique individuals regardless of the presentation of names and addresses and therefore enables us to keep your data accurate and up to date.

    It also supports 'linkage' to connect our marketing data to digital sources (unless a data subject objects to direct marketing in which case the record is deleted). This helps our clients in making sure the offers and services marketed to you are relevant and consistent across all marketing channels, providing you with a better overall experience.

Protecting your personal data and rights

At Experian we have a number of processes running through our whole business to ensure we protect your data and rights.

Our Compliance team and our Product and Solutions Review Boards consider the impact of any use of personal data in our products and services before it takes place. This is so any potential negative impacts to you can be identified and eliminated.

And we regularly run audits of all our marketing activities, giving us independent assurance that data protection and privacy principles are adhered to and that consumers are being treated fairly.

Finally, everyone at Experian must participate in regular data protection training.

 

Last updated: 8th February 2019