DMA Customer Data Council: Responding to the ICO'S Experian Enforcement Notice

This article is written by the Thought Leadership and Best Practice hub of the Customer Data Council.

Hear from the Customer Data Council’s Thought Leadership and Best Practice Hub about the wider implications of the ICO’s enforcement notice against Experian and what steps you can take next.

In October the ICO issued an enforcement notice against Experian in a legal first step to halt data processing here.

Recent discussions by the DMA’s Customer Data Council recognise the impact this has especially on organisations processing third party data, with the DMA receiving enquiries from across its member base.

The Council’s Best Practice Hub has some recommendations to follow whilst we await the outcome of Experian’s appeal against the notice.

Don’t Panic

The knee jerk reaction to minimise your own risk is to halt any kind of processing that is affected by the enforcement notice. However, whilst the enforcement notice is being appealed it is on hold – so if you had previously understood your processes to be compliant you should treat it as a watching brief. In the midst of a challenging climate and with Christmas approaching, it is important that you don’t simply turn off the tap. Working with third party data is going to be vital for organisations in the coming months.

Review the DMA’s resources on Third-Party data

The current Third Party best practice guidance is still the accepted standard to date and will continue to be so until further clarification is received. Make sure you review this and check your data processing practices against this.

The DMA has a host of other helpful resources such as the channel Best Practice guides here, as well as white papers including third party email list rental and lead generation.

Ensure Accountability

The DMA’s Director of Policy and Compliance, John Mitchison, has summed up the key findings of the notice. It is important you understand the notice and check your own processing, especially against those points.

One of the most important elements of the GDPR is accountability. Make sure you are abiding by your legal basis, ensure your data mapping is up to date, log examples of data capture statements and processing notices presented to audiences (the what and the when) and include examples of opt-out opportunities. Make sure your logs of withdrawals, complaints and access requests are up to date. Take this opportunity to edit or review privacy policies and contact details to ensure processing notices are clear and up-to-date. And do not treat these as just a paper exercise, be brutally honest they still stand and live by your words.

Reach out to the DMA

It is important for us to understand the queries and concerns our members have, which we are here to help with. If you have any concerns, please do get in touch with us. You can find out how best to do this, here.

Check in

The DMA is committed to understanding the ICO’s ruling, as well as the basis for Experian’s appeal and will be reviewing and reporting on the situation. Please look out for further information on the DMA website.