Skip to main content

When GDPR Meets CRAs (Credit Reference Agencies): Looking through the Lens of Twitter

Aydın, Kübra, Sağlam, Rahime Belen, Li, Shujun, Bülbül, Abdullah (2020) When GDPR Meets CRAs (Credit Reference Agencies): Looking through the Lens of Twitter. In: Proceedings of the 13th International Conference on Security of Information and Networks. . 16:1-16:8. ACM ISBN 978-1-4503-8751-4. (doi:10.1145/3433174.3433586) (KAR id:89476)

PDF Author's Accepted Manuscript
Language: English

Download (567kB) Preview
[thumbnail of SINCONF2020a.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL:


Collecting information about consumers and businesses from various sources, Credit reference agencies (CRAs) help many organizations such as financial institutions to assess creditworthiness of applicants and customers of their services. CRAs’ business model depends on processing a high volume of personal data including highly sensitive ones, which must be processed within the relevant legal frameworks in different countries they operate their business, e.g., the European Union’s new GDPR (General Data Protection Regulation). This paper reports a data-driven analysis of CRA- and GDPR-related discussions on Twitter. Our analysis covers the three largest multi-national CRAs: Equifax, Experian and TransUnion and we also looked at the UK’s data protection authority, ICO, and two UK-based privacy-advocating NGOs, Privacy International and Open Rights Group (ORG). We have analyzed public tweets of their official Twitter accounts and other public tweets talking about them. Our analysis revealed a very surprising lack of awareness of CRA- and GDPR-related data privacy issues within the general public and an astonishing lack of active communications of CRAs to the general public on relevant GDPR-related privacy issues: out of 39,549 collected tweets we identified only 153 relevant tweets (0.387%). This small number of tweets are dominated by mentions of security issues (%73.2), especially data breaches affecting CRAs, not data subject rights or privacy issues directly. Other tweets are mainly about complaints regarding inaccurate data in credit files and questions about how to exercise right to rectification, just two of many data subject rights defined in the GDPR.

Item Type: Conference or workshop item (Paper)
DOI/Identification number: 10.1145/3433174.3433586
Uncontrolled keywords: credit reference agencies, general data protection regulation, GDPR, online social networks, social media, twitter, data protection, law, privacy, transparency, communication
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105 Data transmission systems > TK5105.5 Computer networks > TK5105.875.I57 Internet
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105.888 World Wide Web
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Depositing User: Shujun Li
Date Deposited: 27 Jul 2021 16:18 UTC
Last Modified: 14 Nov 2022 23:12 UTC
Resource URI: (The current URI for this page, for reference purposes)
Sağlam, Rahime Belen:
Li, Shujun:
  • Depositors only (login required):


Downloads per month over past year