Odd UK ruling on Experian to protect the financial industry

The British Information Commissioner’s Office (ICO) finally ruled on the case against Experian, and the ruling was not what we expected. Experian, and several other credit rating companies, are accused of collecting data on consumers and selling that data without explicit consent. One could conclude that this is a clear violation of the General Data Protection Regulation (GDPR), and although the UK’s ICO came to the same conclusion, it gave Experian a shocking 9 months to comply with GDPR…

Before we have a look at what might have motivated the ICO to hand Experian, and with it the other companies as well, another free card to clean up their mess without facing the clearly defined fines, let us start by shedding some light on how these credit scoring agencies collect, process and sell your data. There are 2 domains in which they collect information — offline and online. Although these might seem different, the process itself is largely identical. Online is just much faster…

Credit rating agencies collect data from all thinkable and unthinkable sources, crunch these into profiles, and sell the ability to predict whether or not an individual or company will be able to pay bills and credits. When I say all thinkable and unthinkable sources, I literally mean all sources and especially the unthinkable sources are worth having a closer look at.

Let us take a simple use case to show you how this process works. Let us assume that you apply for a mobile phone contract with a duration of 2 years. The seller enters your personal data for approval, and the system will contact at least one credit scoring agency. When your rating is in the approval range, you will get the contract, and when your rating is not OK, you won’t get the contract. That simple, but as soon as we take a closer look at this process, we discover how these agencies really operate.

That simple request handed all the personal data you provided to the credit scoring agency, which sucks it up into its vast database. Name, address, employment, bank account details, and whatever else you had to provide. In case they already had an entry on you, which is almost always the case, this data is added to your profile, including whether or not you got the contract and when you got it; it will even include how much you will pay for it. Your hungry digital twin is fed more data.

But that is not the end of what happens to your data. Far from it! Algorithms are running to profile you and everyone else based on things like your address and more. With most agencies, your actual credit rating is based on your real data and on profiling data. Profiling data you are not aware of, but it ends up in your hungry digital twin anyway.

Because it is close to impossible to have all data on everyone, there is also a gigantic market in which these agencies operate as data brokers, and it is not uncommon for them to have agreements among each other to provide data. So, in our example of the mobile phone contract, it could have happened that the credit scoring agency did not have adequate data on you itself but instead pulled data from other credit scoring agencies. And of course, it absorbed your data into its own systems. Nom nom for your digital twin…

In the online world this goes even further. Most online shops have several payment service providers to allow you to conveniently pick the way you want to pay. Neat! They also have agreements with these service providers, and these service providers have agreements with, you might guess it, credit scoring agencies. And in most cases not just one!

Somewhere deep inside those Terms and Conditions, you most likely have authorized them to collect your data and hand it over to their partners, including those credit scoring agencies. We could and should have long discussions about whether your consent includes consent for your data to be handed over and processed into your profile, which is then sold over and over again, and can even be used against you...

But there is something else we should discuss, something far more urgent. The entire data collection process by these payment service providers and their contracted credit scoring agencies does not start at the moment that you are in the checkout process and select a payment method for which credit approval is required. It starts long before that. With some, it starts the moment you add something to your virtual shopping cart. With others, it even starts long before you do that. Indeed, even before you initiate your first transaction.

Scripts are running in the background, triggered by so-called magic pixels on the pages you see. Queries are started to identify you through service providers, and matches are made with databases. We have already showcased that this even happens in online advertisements for web shops, so you don’t even have to visit the actual web shop to be caught in the data collection net. Nom nom nom goes your hungry digital twin.

And the collected data is added to your profiles at every instance along the way. When multiple service providers are involved, they will all receive data about you in one way or another. And all of that without informing you. There are web shops where the decision about which payment options are offered to you is already made long before you start the checkout process.
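To make the mechanism above concrete, here is an added example (not code from the article) that audits a page's HTML for third-party image beacons ("pixels") and scripts, listing which outside hosts are contacted and which parameter names, such as a user or cart identifier, travel with the request. It is plain Node.js with no packages; the shop and tracker hostnames and the sample page are constructed.

```javascript
// Added example, not from the article: list the third-party "pixels" and
// scripts embedded in a page so a defender can see which outside hosts are
// contacted and what identifiers are passed along. Plain Node.js (global URL).

const FIRST_PARTY = "shop.example"; // constructed sample first-party host

// Constructed sample product page: one 1x1 beacon and one third-party tag.
const SAMPLE_HTML = `
<html><body>
<img src="https://shop.example/img/product.jpg" width="400" height="300">
<img src="https://pixel.tracker.example/p.gif?uid=abc123&cart=1" width="1" height="1">
<script src="/app.js"></script>
<script src="https://cdn.broker.example/tag.js?acct=42"></script>
</body></html>`;

// Pull one attribute value out of a raw attribute string (quoted or bare).
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, "i"));
  return m ? m[1] : null;
}

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Scan html for <img>/<script> loads that go to hosts other than firstParty.
// Each hit records the host, whether it looks like a beacon (a 1x1 image or
// an image whose URL carries query parameters), and the parameter names sent.
function findThirdPartyLoads(html, firstParty = FIRST_PARTY) {
  const tagRe = /<(img|script)\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const src = attr(attrs, "src");
    if (!src) continue;
    let url;
    try { url = new URL(src, "https://" + firstParty + "/"); } catch (e) { continue; }
    if (isFirstParty(url.hostname, firstParty)) continue; // same-site load, ignore
    const onePixel = attr(attrs, "width") === "1" && attr(attrs, "height") === "1";
    hits.push({
      tag,
      host: url.hostname,
      beacon: tag === "img" && (onePixel || url.search !== ""),
      params: Array.from(url.searchParams.keys()),
    });
  }
  return hits;
}

console.log(findThirdPartyLoads(SAMPLE_HTML));
```

Run it against the saved HTML of a real product page to see which hosts receive a request before checkout even begins; resources injected later by scripts are not visible in static HTML and need a browser's network log instead.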

That Experian and others are collecting data without proper consent and selling that data to whoever is willing to pay for it should be no surprise. It is a major part of their entire business model! What is a surprise is that the British Information Commissioner’s Office did not apply the full mandate and obligation it has under GDPR, which would be a fine of up to 20% of the annual revenue and a binding order to stop the operations which are not compliant with GDPR. Quite a surprise! Unless…

Unless that decision is politically motivated, which appears to be the case here. London, ‘the financial capital of Europe’, is currently fighting for its role in the future. A very uncertain future! With Brexit around the corner, the UK’s financial industry will lose its unrestricted access to the EU under the passporting regime and, as of January 1st, 2021, be regulated as a foreign financial industry. In addition, the British conventional and fintech institutions are fighting to maintain their stronghold in New York and the Asian markets. A fight in which every market has turned into a significant opponent. New York’s financial giants are gaining share in the Asian markets and continue to increase their footprint in London, and Asia’s fintech champions are overrunning London’s best on almost every corner. They smelled blood and are aware that London’s financial standing is weakened, with several tough years ahead.

Slapping the full extent of the GDPR mandate on Experian, and on all other credit scoring agencies which operate in the same or a similar way, would mean another blow to the already struggling financial industry in the UK. And that in the middle of an economic crisis caused by a global pandemic and Brexit, in which the British Government is expecting people and companies to max out their credit capabilities to survive…!

Dr. ir Johannes Drooghaag

Dad, consultant, coach, speaker, author. Mainly Cyber Security, leadership, responsible tech and organizational change. https://johannesdrooghaag.com