Treating data with respect

Data is at the heart of our business. We are entrusted with data on 1.4 billion people and 191 million businesses worldwide. This year we have developed our Global Data Principles and we will continue to embed this framework to guide how we manage and use data, build products and conduct our business around the world.

We are deeply aware of our responsibility to treat data – and those it belongs to – with care and respect. Living up to this responsibility is fundamental to securing the trust Experian depends on to exist, grow and create a better tomorrow.

To do this, we protect the data we hold, use it fairly and make sure it’s as accurate as possible. We are open about the data we collect, how we use it and who we share it with. And we use data to increase financial inclusion and help people improve their financial lives.

Our five Global Data Principles embody these key values (see below). They guide how we manage and use data, build products and conduct our business around the world. We developed the principles this year to better reflect our commitments to individuals, businesses, clients and the public, which have advanced as market demands and expectations have evolved. They build on the Global Information Values that previously guided our approach. We are in the process of embedding the new principles into relevant processes throughout the business.

Security

The loss or inappropriate use of data and systems could result in material loss of business, substantial legal liability, regulatory enforcement actions and significant harm to our reputation.

Our approach

Security comes first at Experian. We continually enhance our security infrastructure, practices and culture across the business. We invest heavily in cyber security and have specialist teams, state-of-the-art technology and rigorous due diligence procedures to deal with potential threats.

Our security approach has three tiers: applying tools and processes to prevent threats from entering our environment; detecting if a threat enters our environment; and mitigating any threats by minimising the potential for information to be extracted from our environment.

We have controls in place to check for compliance and constantly scan for potential threats, with several layers of protection for our data assets (see diagram on next page). Our perimeter deflects many thousands of attempts every day.

Our Global Security Operations Centre works around the clock to identify suspicious or malicious activity, with teams in Malaysia, the UK and the USA, as well as automated tools and artificial intelligence. If they identify a threat, our incident response team steps in to eliminate it with support from in-house forensic data specialists and external experts if required.

Experian Global Data Principles

Security – Data security is critical. Securing and protecting data against unauthorised access, use, disclosure and loss are key priorities for us.

Accuracy – We will make data as accurate, complete and relevant as possible for the manner in which it is used, always in compliance with legal requirements.

Fairness – We collect and use data fairly and for legitimate purposes, balancing privacy expectations with the social and economic benefits derived from the responsible use of data for individuals, businesses and clients.

Transparency – We are open and transparent about the types of data we collect, where we get it, how it is used and where it is shared. Where appropriate we provide individuals with access to the data we collect about them and the ability to correct, restrict or delete data.

Inclusion – We seek to improve financial health and inclusion for all through the innovative use of relevant data to help individuals improve their financial lives.

We interact with law enforcement authorities and others in our industry to gather intelligence to help our security teams stay ahead of evolving cyber threats. We also share our knowledge to help other businesses and consumers keep their data safe. Our annual Data Breach Industry Forecast for 2022 highlighted five emerging threats: cyber attacks on digital assets such as cryptocurrencies; phishing attempts disguised as charities raising funds to support victims of disasters; data thieves targeting remote workers; hacking attacks on physical infrastructure, such as electricity grids and transportation networks; and online gambling scams.

Most data breaches involve some human interaction, often something as simple as clicking a link in an email. Our email and web browsing controls protect against this kind of malware, and our security training encourages people to think carefully about what they are clicking on.

We use a robust identity and access management programme to control access to our critical assets. Users with privileged accounts are subject to strict controls that include multifactor authentication, password rotation, session recording and more frequent access recertification.

Our Development, Security and Operations (DevSecOps) teams work together to build security considerations into our products throughout their lifecycle. We use a range of processes, including manual penetration testing, to discover, detect and remediate any potential security risks at every stage of product development – from concept to coding, build, quality assurance and production.

We conduct regular risk assessments and vulnerability checks, and our operations are subject to external cyber security audits every year. Simulated exercises and a global data breach plan prepare our cyber security teams and senior leaders to respond rapidly in the event of a breach.

In the event of a serious breach, we would disclose information about the incident and commit to contact any affected data subjects in a timely way. We do not publicly disclose vulnerabilities or lapses due to client sensitivities. To the extent that any relevant regulator should find fault with our data breach management and/or data security practices, they will publish their findings/sanctions. There were no such findings or sanctions in FY22.

External recognition

PwC Building Public Trust Award: We were shortlisted for PwC’s 2021 Building Public Trust Award for Cyber Security Reporting in recognition of our clear public reporting on data security.

Security governance

The Chief Information Security Officer has overall responsibility for Experian’s global security strategy and the Global Security Office (GSO) sets relevant policies and standards. The Security and Continuity Steering Committee – which includes the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer and Chief Technology Officer – oversees our approach to keeping data secure and protecting consumer information. It reviews key metrics on security tools, compliance and training completion rates every month. The Audit Committee also receives update reports at each of its meetings.

We continually review and adapt our information security programme, tools, expertise and processes to respond to evolving threats and maintain alignment with external standards. We have a comprehensive Global Security Policy and controls based on the internationally recognised ISO 27001 standard that drives continuous improvement. Our robust information security programme builds on industry-recognised procedures.

We are committed to leading the industry on information security. We seek and receive third-party assurance through ISO 27001 certifications of key business areas and systems, as well as other recognised external accreditations of our security programmes. For example, we hold a Cyber Essentials Certification and perform risk assessments against our critical and external-facing applications annually.

Security, Audit and Risk teams work together to continually improve our assurance capabilities and test the effectiveness of our controls. Our Three Lines of Defence model for risk management (see page 86) includes review by Global Internal Audit and oversight from the Board. Any potential policy breaches are thoroughly investigated and we take disciplinary action where appropriate.

The GSO conducts due diligence to identify any potential risks before an acquisition, followed by an in-depth post-acquisition security assessment that is reviewed by Global Internal Audit.

When it is necessary to provide third parties with access to our data and systems, the GSO ensures we provide access in line with our information security requirements. We extend stringent standards on information security to our suppliers and partners through the terms of our contracts. All third parties must undergo a risk assessment and any material security gaps identified must be remediated before they begin working with Experian. Existing third parties are assessed periodically and we work with them to drive continuous improvements in their security procedures. Of our more than 13,100 active third parties, around 2,100 have been identified as significant or high risk and all of these have undergone more in-depth assurance by the GSO.

Security requirements are tiered based on this risk assessment, and can include increased controls for higher-risk third parties. We monitor compliance through our third-party risk management framework and third parties identified as significant or high risk are added to the GSO’s continuous monitoring programme which alerts us to any material changes to trigger follow-up action if needed. This year, we enhanced our risk profiling and validation processes to enable an even stronger focus on higher-risk third parties through our Third Party Security programme. We also updated our Risk and Control Framework, assurance controls and accompanying tools and training for relevant teams.

Protecting our perimeter

We have a defence-in-depth approach to protecting our critical data assets, which provides multiple layers of control and protection.

Our information security culture

At Experian, information security is everyone’s responsibility. We set out clear requirements for employees and business units in our Security Risk Management and Governance Policy. We invest significant time and resources in training and awareness.

Our strong information security culture starts from the top of the business. Senior leaders are highly engaged and continually reinforce the message that security is the personal responsibility of everyone working with us.

All our employees and any contractors who have access to our systems must complete mandatory training on information security and data protection – when they first start working with us and annually thereafter. We track training completion rates weekly and provide a monthly dashboard to the Security and Continuity Steering Committee.

More than 285 training courses are available for people across the business to find out more about keeping information safe across various web, mobile and desktop platforms, applications and software. We provide additional in-depth training for people working in higher-risk roles, such as product and software development. More than 45,000 courses were in progress and/or completed this year.

We routinely refresh our training to stay up to date with evolving risks and circumstances. We also conduct regular outreach programmes on a variety of information security topics to make sure people are aware of emerging threats. These include simulations of security incidents.

Promoting vigilance against phishing attacks remains a priority. This year, we ran monthly phishing awareness campaigns and every employee and contractor underwent at least four phishing simulation exercises to test their response. Staff consistently exceeded industry benchmarks on phishing test pass rates and these metrics are reported to our Security and Continuity Steering Committee. If anyone fails a phishing test, their manager is informed and they must complete mandatory additional training.

We further reinforced security messages and procedures as the conflict in Ukraine took hold, introducing heightened scanning of emails, expanding our phishing simulation programme and alerting all employees to be wary of fake donation sites and phishing attacks.

Accuracy

Accurate credit reports enable lenders to give people fairer access to credit and essential services to improve their lives (see page 30). Any inaccuracies in credit reports – and the data they are built on – can cause problems for consumers, and potentially deny them fair access to credit and services.

We understand how important this issue is for consumers, and place accuracy at the heart of our Global Data Principles, which guide our approach wherever we operate. Data accuracy principles are also being written into the data protection regulations of many countries in which we operate.

We will make data as accurate, complete and relevant as possible for the way it is used, always in compliance with legal requirements. We constantly strive to improve the accuracy of our data in a competitive market to ensure our clients can always rely on it to make the most appropriate decisions.

We have strict processes to ensure data accuracy – from designing a new data supply and sourcing accurate data in the first place, to monitoring and improving accuracy over time, and resolving any inaccuracies or queried information reported by consumers. Our focus is on the timeliness, accuracy and completeness of the data we hold, and the reports we provide to our clients.

Sourcing accurate data

All our data comes from reputable sources and, as part of our due diligence processes before we onboard new sources of data, our quality control procedures help us identify and weed out inaccurate or out-of-date information before we add it to our databases.

We work with data providers to review and continuously improve the quality of the information we receive. To do this, we regularly review and report back on quality to our data providers so we can drive continuous improvement. We also offer a comprehensive suite of software and analytics tools to help them check data before they submit it to us.

We monitor how data providers deal with queries about data and how they remediate them to improve accuracy. If data providers are unwilling to implement improvements to meet our standards, we will no longer source data from them.

Monitoring and improving data accuracy

Once we have acquired data, we frequently update and periodically audit the information in our databases to ensure it is as current as possible. We apply further quality assurance techniques, including data-matching algorithms, before providing data to our clients. This ensures we provide clients with information that represents consumers and businesses as accurately and fairly as possible.

We also monitor queries received directly from consumers to identify trends relating to data quality, enabling us to rectify any accuracy issues quickly at source. We make it a priority to rapidly resolve any conflicts or errors that are likely to have a material impact on a consumer’s credit score.

In the UK and Ireland, we have added over 20 million net new records into our consumer bureau in the last year alone, constantly reviewing the market and working with new lenders and sectors to ensure their customers are represented appropriately within the bureau. Our UK and Ireland Data Office leads our efforts to achieve world-class data governance through a strong focus on data quality, acquisition, transparency and privacy across both our credit and marketing services businesses. As part of this approach, we continue to invest in technology to automate and monitor the way we improve our data.

In the USA, we manage the accuracy of data from around 12,000 providers. Every month, we receive around 34,000 submissions from data providers, and update around 1.3 billion records – 98% within 24 hours. We are innovating to continuously improve our data integrity and focus on targeted changes that drive even better accuracy for US consumers.

Empowering consumers to correct their data

We empower people to correct, restrict and delete data, where appropriate. We provide consumers with various methods to view their credit information and request corrections if needed. In the USA and the UK, agents in our support centres are trained to help consumers with questions, concerns or disputes about information in their credit file. Our websites in Brazil, the USA and the UK make it easy for people to raise a query about credit information and get it corrected quickly.

We pass on consumer disputes to the data provider to evaluate, resolve and supply corrected data where errors are confirmed. Each time a data provider responds to a request for verification, they must also confirm that the entire account is accurate. In the USA, if the data provider fails to respond, we either update the item as the consumer requested, or delete it. Similarly in the UK, if the data provider fails to respond within 28 days the data is temporarily suppressed on the consumer’s credit report until a response is received. Once a dispute is resolved, we update data as required and notify the consumer of the result.

Data accuracy is particularly relevant for the transgender and non-binary community with regard to name changes. Information about gender/sex, age, race, ethnicity, religion or sexual orientation is not included in credit reports or scores. However, when someone transitions, and changes their name, their credit and financial history may still be tied to their birth name (or ‘deadname’), which can unintentionally ‘out’ the consumer or force them to establish a new credit history. In the UK and the USA, we have processes that enable people who identify as transgender or non-binary to affirm their identity, update their name and suppress their deadname so it does not appear on their Experian credit report.

Many of our products also empower consumers and businesses to check for any inaccuracies in their financial profiles and take steps to protect their data, including choosing to block access to their credit report to prevent identity theft and fraud. This year, we added a lock/unlock feature to our credit score app in Brazil that enables consumers to block and unblock their credit score from any third party that tries to consult their data. Accompanying information explains how this feature can help to prevent fraud, as well as educating consumers about different kinds of frauds and the importance of protecting their credit score. US consumers can already lock and unlock their credit reports quickly and easily with the CreditLock feature, and we plan to add a similar feature in the UK in the coming year.


Fairness

We are committed to collecting and using data fairly and for legitimate purposes, and complying with regulations on data lifecycle and retention in the markets in which we operate. We carefully balance privacy expectations with the social and economic benefits derived from the responsible use of data for individuals, businesses and clients.

Our privacy policies vary in each country or region to comply with local regulatory requirements. Underlying these policies is our commitment to provide consumers with notice, choice and education about the use of personal information. Educated consumers are better equipped to be effective, successful participants in a world that increasingly relies on the exchange of information to deliver products and services efficiently.

Lenders need access to accurate information about people’s financial profiles from Experian or other credit bureaux. Such information is integral to an efficient and competitive credit ecosystem which provides innovative products that enable consumers to get the most out of their data, contributes to economic growth and supports a stable consumer banking system.

Our Marketing Services business also gathers, analyses, combines and processes data to help organisations better understand consumers so they can offer them relevant products and services, and communicate more effectively and at the right time.

We evaluate every product and service to ensure we strike the right balance between consumers’ privacy expectations and the economic benefit to both consumers and clients. Our comprehensive data protection programme details the steps we take to mitigate data protection risks, and what we expect from our employees.

We are committed to obtaining, processing, using and retaining data compliantly and responsibly. We strive to only ever share data with authorised and trusted organisations. When we do so, we follow strict guidelines and comply with all relevant laws.

We take fair and appropriate measures when it comes to data retention, adhering to national, state and federal regulations in locations where we operate. We have robust processes to appropriately manage the lifecycle of data we hold and to delete data when requested by the individual data subjects in each of our markets. We also communicate details on retention and privacy through our websites.

In many parts of the world, regulations on data privacy set clear requirements on the way data is collected and used, and how consent is gained from consumers. We regularly review our data processes to ensure compliance with regulations, such as the General Data Protection Regulation (GDPR) in the UK and European Union, the California Consumer Privacy Act (CCPA) in the USA and the Brazil General Data Protection Law (LGPD).

Data offers huge potential to support jobs and prosperity. We need a regulatory framework that nurtures and supports use of data to encourage growth, while protecting consumers’ privacy. We respond to government consultations, and engage with regulators as privacy regulations and guidance evolve. Many regional and national regulations on data privacy share common principles, and we advocate for interoperability to support global commerce.

Our Group Operating Committee and senior leaders receive regular briefings to keep them apprised of privacy developments around the world.

Transparency

We strive to be open and transparent about the types of data we collect from consumers and third parties, where we get it, how it is used and where it is shared. Where appropriate we provide individuals with access to the data we collect about them, and the ability to correct, restrict and delete data.

Data transparency not only empowers consumers, it also benefits our business. For example, our marketing services are more effective for our clients when more people understand their ability to set their marketing preferences, as this means fewer people receive unwanted marketing that they would not be receptive to.

In the UK, the privacy section of our website provides privacy policies for different parts of the business, and our Marketing Services Consumer Information Portal (MSCIP) explains data rights and sets out the various ways we use personal and anonymised data. The content on these websites is designed to be clear and easy for non-experts, and the MSCIP includes a series of engaging videos on topics such as how we obtain data and how people can benefit from sharing their data. Individuals can use the MSCIP to find out if they are on our marketing file and understand what data we hold about them, where this data comes from and how it is used. It includes a prominent feature enabling people to opt out of targeted marketing if they choose.

To add transparency around the marketing profiles we build, the MSCIP allows consumers to view our Mosaic classification for any valid UK postcode. Through this feature, consumers can get a flavour of how marketers may view them, or people with similar profiles, when using our Mosaic segmentation to improve the relevance of their marketing messages. The results use simple icons to show key attributes such as property, transport, lifestyle and holidays in a way that’s easy to understand at a glance. Through a survey of nationally representative adults, 92% out of 378 respondents indicated the information on our ‘how we use your data’ page was easy to understand.

In Brazil, our privacy terms page is designed to be user-friendly, translating the consumer contract into simple, accessible language and layout before the user logs in. We also provide consumers with illustrations of what their positive data means, to help them understand how it affects their overall financial health.

In the USA, we set out our privacy policies for specific products and services on the privacy section of our website. Consumers can access the credit information that Experian holds on them by signing up for a free or paid membership through the Reports and Scores section of our website. They will then be presented with a report showing the data Experian holds on them and how to dispute this information online if necessary. Experian has applied the Californian privacy law broadly so all US residents can also manage their personal data permissions through the CP3A portal. Our credit reports in North America also include a Credit Report Insights section, introduced last year, that features infographics, colour-coding and easy-to-interpret explanations of the factors that may be helping or hurting a consumer’s credit status and score.

We work with financial institutions to enhance transparency with consumers. In the UK, when a consumer applies for credit, the lender will direct them to an industry-standard information notice – the Credit Agency Information Notice (CRAIN) – which presents clear and consistent information explaining how credit reference agencies use and share personal information. As with the MSCIP, the CRAIN is drafted in a way that is designed to make it accessible to consumers by using clear and intelligible language, divided into easy-to-access sections.

In the USA, financial institutions provide adverse action notices when an applicant is denied credit or employment based on information included on their consumer credit report. This notice includes a brief description of the data used for the decision and a contact for the credit reference agencies that provided the data.

Inclusion

We enhance financial inclusion by using data to create insights that help lenders offer fairer access to credit to more people. Our aim is to help more people get better access to credit by sharing relevant data with lending organisations. We look to source additional and alternative sources of data, for example in our RentBureau, our Buy Now Pay Later Bureau and in our Lift Premium score. We also enable individuals to directly contribute data to help improve their financial lives through products such as Experian Boost and, as outlined on the next page, Experian Go.

Read our Improving Financial Health report for more on our use of data to improve financial inclusion and financial health.

Building your own credit report? That’s life-changing

40,000

people have used Experian Go to create their credit report²

28 million

people are credit invisible in the USA³

c.70%

of 18-24 year olds in the USA have difficulty establishing credit⁴

How do people with no credit history obtain credit? It’s a classic chicken and egg scenario. Without an existing credit report, credit is hard to come by. Likewise, without credit, it can take time to establish and build a credit profile, and get access to the things you need. Some lenders may struggle to verify a consumer’s identity and consumers are unable to access credit at fair and affordable rates.

Without help these consumers remain invisible to mainstream financial services. In the USA alone there are 28 million³ people who are ‘credit invisible’. Often, they are caught in cycles of predatory lending, they can’t cover emergency expenses and face limited housing options. They may pay higher insurance premiums and interest rates, have employment challenges and require larger deposits.

To help people overcome these barriers in the USA we created Experian Go. It’s the first programme of its kind, helping people create their credit profile in just minutes and before applying for credit.

Experian Go simply uses a person’s government-issued ID, Social Security number and a ‘selfie’ to authenticate them. From there, personalised recommendations help users add accounts, also known as tradelines, to their Experian credit report.

Users may receive information about becoming an authorised user or be invited to apply for a credit card designed specifically for those new to credit. Payment history from utility, phone, and streaming services can then be added to potentially boost their credit score using Experian Boost. This helps some consumers go from invisible to scorable in just one session.

What’s important is that once their Experian credit report is established, they can start building and growing their credit. They can access credit cards, car and personal loans, in many cases at much lower interest rates.

Experian Go is life-changing. It helps overcome the barrier to inclusion in the financial system. It unlocks financial success for people by opening up new financial opportunities and helping them potentially save money when they take out credit. Finally, they can start their credit and financial journey on their own terms.

I feel empowered, it gives me peace of mind. I couldn’t get an apartment or a loan when I didn’t have a good credit score. I felt shameful, I couldn’t do anything... But being able to open up the app, I feel better. That’s how I feel empowered… It’s a whole new world opening up for me, with good tools to help.¹

Skyler, aged 37

¹ Source: AnswerLab study, Experian Go Customer Interviews, December 2021.

² From launch in October 2021 to 31 March 2022.

³ Source: Experian and Oliver Wyman whitepaper ‘Financial inclusion and access to credit’, released January 2022.

⁴ Source: Experian.

Downloads

Annual Report 2022 (Full PDF, 9.69 MB)
Prototype interactive filing 2022 (UKSEF ZIP, 19.20 MB)