When GDPR Meets CRAs (Credit Reference Agencies): Looking through the Lens of Twitter

Creative Commons License

Aydin K., Saglam R. B. , Li S., Bulbul A.

13th International Conference on Security of Information and Networks, SIN 2020, Virtual, Online, Turkey, 4 - 06 November 2020

  • Publication Type: Conference Paper / Full Text
  • Volume:
  • Doi Number: 10.1145/3433174.3433586
  • City: Virtual, Online
  • Country: Turkey


© 2020 ACM. Collecting information about consumers and businesses from various sources, credit reference agencies (CRAs) help many organizations, such as financial institutions, to assess the creditworthiness of applicants and customers of their services. CRAs' business model depends on processing a high volume of personal data, including highly sensitive data, which must be processed within the relevant legal frameworks of the different countries in which they operate, e.g., the European Union's new GDPR (General Data Protection Regulation). This paper reports a data-driven analysis of CRA- and GDPR-related discussions on Twitter. Our analysis covers the three largest multi-national CRAs: Equifax, Experian and TransUnion. We also looked at the UK's data protection authority, ICO, and two UK-based privacy-advocating NGOs, Privacy International and Open Rights Group (ORG). We analyzed public tweets from their official Twitter accounts and other public tweets talking about them. Our analysis revealed a very surprising lack of awareness of CRA- and GDPR-related data privacy issues within the general public and an astonishing lack of active communication from CRAs to the general public on relevant GDPR-related privacy issues: out of 39,549 collected tweets we identified only 153 relevant tweets (0.387%). This small number of tweets is dominated by mentions of security issues (73.2%), especially data breaches affecting CRAs, not data subject rights or privacy issues directly. Other tweets are mainly complaints regarding inaccurate data in credit files and questions about how to exercise the right to rectification, just two of many data subject rights defined in the GDPR.