IFA Magazine spoke to FRA Chief Technology Officer Britt Endemann about the ICO's enforcement action against Experian, and what advisers can do to avoid falling foul of GDPR.
In October, the Information Commissioner's Office (ICO) released its report on the credit reference agency giant Experian, for breaching data protection law within its data broking businesses for direct marketing purposes. The ICO's notice requires Experian to inform people that it holds their personal data and how it is using, or intends to use, that data for marketing purposes. Experian has until July 2021 to do this, subject to any appeal, or it could face a fine of £20m. The ICO first flagged the issue in 2018 and spent two years investigating it.
The report concludes that personal data collected by Experian has been traded by three firms, creating profiles used by third party commercial organisations, including political parties and charities. Experian’s CEO, Brian Cassin, disagrees with the ICO’s conclusions, saying, ‘At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements.’
IFA Magazine spoke to Britt Endemann, Forensic Risk Alliance (FRA)'s Chief Technology Officer and Co-Head of its Data Governance, Technology Solutions and Forensics practice, about this situation and to find out whether there were any lessons for the financial sector. Endemann is well placed to comment, with her extensive experience conducting rigorous internal investigations on multiple regulatory issues across Europe.
Endemann started our conversation by saying, 'across the board [at FRA] we find ourselves dealing with clients who are almost in a form of paralysis on how to deal with GDPR.' She continued, 'I think there's a misunderstanding that companies are flippant and just don't want to comply with GDPR.' Endemann suggests this couldn't be further from the truth; it is simply the case that many companies handling personal data just don't know how to interpret the legislation.
For Endemann, it will be crucial, going forward, for regulators to understand the magnitude of the implications of GDPR. As she explains, 'we're talking about changing business operations, changing staffing and revenue streams, changing how companies are doing business overnight. Even though people say it's not overnight, it really can be for a lot of companies.' Endemann echoed the sentiment of the data industry, that the ICO 'needs to provide a little bit more context and detail into some of the areas of GDPR.'
Asked whether she thought Experian's breach of data protection law was a matter of interpretation, Endemann said, 'the Experian case is very serious, but I think there are some interpretation issues.' She continued, 'I think ICO is trying to be fair, they are giving Experian a chance to go away and internally make some changes.'
Asked about the lessons to be learned within the financial industry, Endemann said the message couldn't be clearer, commenting, 'you now have the responsibility to know how your company is engaging with data.' She went on to say that, because of the newness of the legislation and the uncertainty over its interpretation, the problem is widespread: 'it's a situation that I don't believe they thought they would find themselves in.'
Highlighting the rapid response that businesses across the world undertook to combat the impact of the Covid-19 pandemic, Endemann says the issue has become even more widespread. Companies have been scrambling to become 100% remote, and in her view that process invariably, and unknowingly, violates parts of the GDPR legislation. Putting it plainly, Endemann said, 'This problem is far more widespread than anyone would know right now, from very large companies to the smaller and midsize companies.'
Endemann offered three top tips for readers on how to avoid these GDPR mistakes and stay clear of the ICO:
First, understand how your company creates and accumulates data, and how the business engages with that data, before making any changes to comply with GDPR.
Second, know how to identify, protect and delete personal information and customer data, rather than simply archiving it, as GDPR requires.
Third, seek expert advice from a consulting firm and/or law firm to review and advise on best GDPR practice for your company.
Considering the potentially vast breaches of data laws that have happened over the course of the pandemic, Endemann said that the ICO will have to regroup, and she believes the ICO will have to be more transparent, ‘and frankly they’ll have to be a bit more forgiving.’
Endemann concluded by saying, 'I think ICO will be rational,' but maintained that it will have to rethink its approach to GDPR, because the pandemic will have led to many more cases like Experian, at every level of industry.