Treating data with respect

We are entrusted with data on 1.3 billion people and 166 million businesses worldwide. Treating that data with respect is essential to maintain trust.

Data is the lifeblood of our business. So ensuring we collect, store and manage data safely and appropriately is fundamental to our ongoing success. It’s important our clients and customers know we take our responsibilities very seriously when it comes to managing data securely, ensuring privacy measures are managed effectively, the data we hold is accurate and we are open and transparent about the data we hold and the way it is processed.

Security – safeguarding data

Accuracy – improving data

Privacy – protecting data

Transparency – making data accessible

Data Security – safeguarding data

We hold vast amounts of data on people and businesses. The loss or inappropriate use of data and systems could result in material loss of business, substantial legal liability, regulatory enforcement actions and significant harm to our reputation.

Our approach

We continually enhance our security infrastructure, practices and culture across the business through our SecurityFirst programme. We invest heavily in cyber security and have specialist teams, state-of-the-art technology and rigorous due diligence procedures to deal with potential threats.

Our security approach has three tiers: applying tools and processes to prevent threats from entering our environment; detecting if a threat enters our environment; and mitigating any threats by minimising the potential for information to be extracted from our environment.

We have controls in place to check for compliance and constantly scan for potential threats, with several layers of protection for our data assets (see diagram below). Our perimeter deflects tens of thousands of attempts every day.

Protecting our perimeter

We have a defence-in-depth approach to protecting our critical data assets, which provides multiple layers of control and protection.

Our Global Security Operations Centre works around the clock to identify suspicious or malicious activity, with teams in Malaysia, the UK and the USA, as well as automated tools and AI. If they identify a threat, our incident response team steps in to eliminate it with support from in-house forensic data specialists and external experts if required.

We gather intelligence to help our security teams stay ahead of evolving cyber threats. This year, we expanded our interaction with law enforcement authorities and others in our industry to help give each other early warnings of high-potential cyber security threats. We also share our knowledge to help other businesses and consumers keep their data safe. Our annual Data Breach Industry Forecast for 2021 highlighted areas that have become increasingly vulnerable to cyber attack in the COVID-19 era. Predicted threats include vaccination misinformation and disruption, hackers holding home devices for ransom, and exploitation of ‘track and trace’ apps to gain access to personal user information.

In 2020/21, COVID-19 led to almost our entire workforce moving to homeworking and we took steps to provide employees with secure remote connections to our systems. Most data breaches involve some human interaction, often something as simple as clicking a link in an email. Our email and web browsing controls protect against this kind of malware, and our security training also encourages people to think carefully about what they are clicking on.

Our Development, Security and Operations (DevSecOps) teams work together to build security considerations into our products throughout their lifecycle, from start to finish. We use a range of processes, including manual penetration testing, to discover, detect and remediate any potential security risks at every stage of product development – from concept to coding, build, quality assurance and production.

We conduct regular risk assessments and vulnerability checks, and our operations are subject to external cyber security audits every year. Simulated exercises and a global data breach plan prepare our cyber security teams and senior leaders to respond rapidly in the event of a breach.

Security governance

The Chief Information Security Officer has overall responsibility for Experian’s global security strategy and the Global Security Office (GSO) sets relevant policies and standards. The Security and Continuity Steering Committee – which includes the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer and Chief Information Officer – oversees our approach to keeping data secure and protecting consumer information. It reviews key metrics on security tools, compliance and training completion rates every month. The Audit Committee also receives progress reports at each of its meetings.

We have a comprehensive Global Security Policy and controls based on the internationally recognised ISO 27001 standard. Our robust information security programme builds on industry-recognised procedures, including the US National Institute of Standards and Technology (NIST) framework. We seek and receive third-party assurance through ISO 27001 certifications of key business areas and systems, as well as other recognised external accreditations of our security programmes. For example, we hold a Cyber Essentials Certification and perform risk assessments against our critical and external-facing applications annually.

Security, Audit and Risk teams work together to continually improve our assurance capabilities and test the effectiveness of our controls. Our Three Lines of Defence model for risk management includes review by Global Internal Audit and oversight from the Board. Any potential policy breaches are thoroughly investigated and we take disciplinary action where appropriate.

The GSO conducts due diligence to identify any potential risks before an acquisition, followed by an in-depth post-acquisition security assessment that is reviewed by Global Internal Audit.

When it is necessary to provide third parties with access to our data and systems, the GSO ensures we provide access in line with our information security requirements. We extend stringent standards on information security to our suppliers and partners through the terms of our contracts. All third parties are risk assessed. Of our nearly 13,000 active third parties, 1,674 have been identified as significant or high risk and all of these have undergone more in-depth assurance by the GSO.

Security requirements are tiered based on this risk assessment, and can include increased controls for higher-risk third parties. We monitor compliance through our third-party risk management framework, and third parties identified as significant or high risk are added to the GSO's continuous monitoring programme, which alerts us to any material changes and triggers follow-up action where needed.

Our information security culture

At Experian, information security is everyone’s responsibility. We set out clear requirements for employees and business units in our Security Risk Management and Governance Policy. We invest significant time and resources in training and awareness on information security through our SecurityFirst programme.

Our strong information security culture starts from the top of the business. Senior leaders are highly engaged and continually reinforce the message that security is the personal responsibility of everyone working with us.

All our employees and any contractors who have access to our systems must complete mandatory annual training on information security and data protection. We track training completion rates weekly and provide a monthly dashboard to the Security and Continuity Steering Committee.

More than 250 training courses are available for people across the business to find out more about keeping information safe across various web, mobile and desktop platforms, applications and software. We provide additional in-depth training for people working in higher-risk roles, such as product and software development.

We continually refresh our training to stay up to date with evolving risks and circumstances. This year, we focused on risks associated with working from home and made sure employees understood how to secure their home network, for example by using filtering software and strong passwords. We adapted our regular awareness campaigns to continue providing employees with frequent updates on important topics, such as email protection and phishing.

Accuracy – Improving data

Accurate credit reports enable lenders to give people fairer access to credit and essential services to improve their lives. Any inaccuracies in credit reports – and the data they are built on – can cause problems for consumers, and potentially deny them fair access to credit and services.

We understand how important this issue is for consumers, and place accuracy at the heart of our Global Information Values, which guide our approach wherever we operate. We constantly strive to improve the accuracy of our data in a competitive market to ensure our clients can always rely on it to make the most appropriate decisions.

We have strict processes to ensure data accuracy – all the way through from designing a new data supply and sourcing accurate data in the first place to monitoring and improving accuracy over time, and resolving any inaccuracies or queried information. Our focus is on timeliness, accuracy and completeness of the data we hold, and the reports we provide to our clients.

Sourcing accurate data

All our data comes from reputable sources and our quality control procedures help us identify and weed out inaccurate or out-of-date information before we add it to our databases. We work with data providers to review and continuously improve the quality of the information we receive. To do this, we regularly review and report back on quality to our data providers, and we offer a comprehensive suite of software and analytics tools to help them check data before they submit it to us.

We monitor how data providers deal with queries about data and how they remediate them to improve accuracy. If data providers are unwilling to implement improvements to meet our standards, we will no longer source data from them.

Monitoring and improving data accuracy

Once we have acquired data, we frequently update and periodically audit the information in our databases to ensure it is as current as possible. We also apply further quality assurance techniques, including data-matching algorithms, before providing data to our clients. This ensures we provide clients with information that represents consumers and businesses as accurately and fairly as possible.

In North America, the team that manages the accuracy of data from around 12,000 providers makes it a priority to rapidly resolve any conflicts or errors that are likely to have a material impact on a consumer’s credit score. Every month, we receive around 32,000 submissions from data providers, and update around 1.4 billion records – 98% within 24 hours. Through continuous improvement efforts, we have raised the accuracy rates of credit reports delivered to 99.9% in recent years.

In the UK and Ireland, we have added over 20 million new records in the last year alone, constantly reviewing the market and working with new lenders and sectors to ensure their customers are represented appropriately within the bureau. Our UK and Ireland Data Office leads our efforts to achieve world-class data governance through a strong focus on data quality, acquisition, transparency and privacy.

Empowering consumers to correct their data

Our platforms enable us to continually monitor and measure data accuracy. We also have processes for consumers to review their own data, raise a query and have corrections made if needed.

Our dispute centre in the USA and our website in the UK make it easy for people to raise a query about credit information and get it corrected quickly. Many of our products also empower consumers and businesses to protect their data and check for any inaccuracies in their financial profiles. In Brazil, we have seen a substantial increase in consumer requests for corrections to their data since new regulations enabled the inclusion of positive data in credit reports. We pass on these requests to the data provider to evaluate, resolve and supply corrected data where errors are confirmed.

Privacy – Protecting data

Data privacy is becoming an increasingly hot topic as people are living more of their lives online, a trend that has been further accelerated by COVID-19 lockdowns and restrictions this year. Our Group Operating Committee and senior leaders receive regular briefings to keep them apprised of privacy developments around the world.

We provide services based on information about millions of individuals and businesses. As a steward of the data we collect and use, we have a responsibility not only to ensure the security of that data, but to maintain the privacy of consumers through appropriate and responsible use. We believe use of data must benefit both businesses and individuals, while meeting consumer expectations related to privacy.

Our privacy policies vary in each country or region to comply with local regulatory requirements. Underlying these policies is our commitment to provide consumers with notice, choice and education about the use of personal information. Educated consumers are better equipped to be effective, successful participants in a world that increasingly relies on the exchange of information to deliver products and services efficiently.

Lenders need access to accurate information about people’s financial profiles from Experian or other credit bureaux. Such information is integral to an efficient and competitive credit ecosystem which provides innovative products that enable consumers to get the most out of their data, contributes to economic growth and supports a stable consumer banking system.

Our Marketing Services business also gathers, analyses, combines and processes data to help organisations better understand consumers so they can offer them relevant products and services, and communicate more effectively and at the right time.

We evaluate every product and service to ensure we strike the right balance between consumers’ privacy expectations and the economic benefit to both consumers and clients. This commitment to balance is one of our Global Information Values that define how data must be secured, managed and used. Our comprehensive data protection programme details the steps we take to mitigate data protection risks, and what we expect from our employees.

We are committed to obtaining, processing and using data compliantly and responsibly. We only ever share data with authorised and trusted organisations. When we do so, we follow strict guidelines and comply with all relevant laws.

Regulations on data privacy – the way data is collected and used, and how consent is gained from consumers – are tightening around the world. We respond to government consultations and engage with regulators as privacy regulations and guidance evolve. Data offers huge potential to support jobs and prosperity. We need a regulatory framework that nurtures and supports use of data to encourage growth, while protecting consumers’ privacy.

Many regional and national regulations on data privacy share common principles, and we advocate for interoperability to support global commerce. We have updated our data processes to ensure compliance with regulations, such as the EU General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in the USA and the Brazil General Data Protection Law (LGPD).

Transparency – Making data accessible

We strive to be transparent about the information we collect from consumers and third parties, and how that data is used and shared.

In the UK, the privacy section of our website provides privacy policies for different parts of the business, and our Marketing Services Consumer Information Portal (MSCIP) explains data rights and sets out the various ways we use personal and anonymised data. The content on these websites is designed to be clear and easy for non-experts, and the MSCIP includes a series of engaging videos on topics such as how we obtain data and how people can benefit from sharing their data.

Individuals can use the MSCIP to find out if they are on our marketing file and understand what data we hold about them, where this data comes from and how it is used. It includes a prominent feature enabling people to opt out of targeted marketing if they choose.

To add transparency around the marketing profiles we build, the MSCIP allows consumers to view our Mosaic classification for any valid UK postcode. Through this feature, consumers can get a flavour of how marketers may view them, or people like them, when using our Mosaic segmentation to improve the relevance of their marketing messages. The results use simple icons to show key attributes such as property, transport, lifestyle and holidays in a way that’s easy to understand at a glance.

In Brazil, we have made our privacy terms page more user-friendly by presenting the consumer contract in simple, accessible language and layout before the user logs in. We also provide consumers with illustrations of what their positive data means, based on their credit card information, with plans to extend this to other financial products in the year ahead. The aim is to give our customers more comprehensible data, helping them understand how it affects their financial health as a whole.

In the USA, we set out our privacy policies for specific products and services on the privacy section of our website. Consumers can access the information that Experian holds on them by signing up for a free or paid membership through the Reports and Scores section of our website. They will then be presented with a report showing the data Experian holds on them and how to dispute this information online if necessary. Californian residents can also manage their personal data permissions through the CP3A portal.

Our newly designed credit reports in North America include a new Credit Report Insights section that features infographics, colour-coding and easy-to-interpret explanations of the factors that may be helping or hurting a consumer’s credit status and score.

We also work with financial institutions to enhance transparency with consumers. In the UK, when a consumer applies for credit, the lender will direct them to an industry standard information notice which presents clear and consistent information explaining how credit reference agencies use and share personal information. In the USA, financial institutions provide adverse action notices when an applicant is denied credit or employment based on information included on their consumer credit report. This notice includes a brief description of the data used for the decision and a contact for the credit reference agencies that provided the data.