GBG’s approach to privacy & data compliance.
As a business built on data, we can't afford to get this wrong - so are committed to ensuring we do the right thing for GBG, our customers, the third parties we work with and individuals.
We know that complete GDPR compliance for GBG can only be maintained through a collaborative and transparent approach with our suppliers and customers. With over 17,000 customers across all sectors and operating in 79 countries, accessing data on 4.4 billion identities for a range of purposes, we're sure you can appreciate the complexities involved.
Our GDPR plan
We developed our GDPR plan in November 2016 based on an industry framework (Nymity), which was shared at PDP’s UK Data Protection Conference (October 2016) and IAPP Europe Data Protection Congress in Brussels (November 2016). This framework covers over 130 privacy management activities, categorised into 13 key areas:
- Governance Structure
- Data Inventory
- Data Privacy Policies
- Embed Data Privacy into Operations
- Training & Awareness Program
- Information Security Risk
- Manage Third Party Risk
- Maintain Notices
- Consumer Queries/Complaints
- Monitor Operational Practices
- Maintain Data Privacy Breach Management Program
- Monitor Data Handling Practices
- Track External Criteria
Building strong foundations was key to the ongoing management of our privacy program.
This framework is used as a baseline for meeting privacy requirements globally, tweaking our approach in country, where required.
Governance Structure and GBG’s Data Protection Officer
Data privacy is discussed throughout GBG with regular presentations to the Board of Directors and Executive Team.
GBG’s named Data Protection Officer is Kate Lewis.
Kate leads the Privacy and Data Compliance Team, where each Compliance Manager has a core focus on the products GBG deliver, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.
We know what data we have, where it’s held, how we access it, the classification of the data, records for transfer and flow charts to show how it moves between systems, processes and countries.
Embedding Data Privacy into Operations – Training, Awareness & PIAs
In January 2017 we launched an internal initiative called be/compliant. This ongoing program has 4 key principles to ensure our team members do the right thing:
- We’ll ensure we know what we can do with data, and if unsure, we’ll ask
- We’ll be clear about how we’re going to use data
- We’ll ensure we protect the data we hold/process
- We’ll ensure compliance, both individually and as a team
Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all team members globally. New Team Members complete the mandatory training when they join GBG and then everyone, regardless of role or seniority, must complete this annually. If there is a specific update or training which needs to be shared, this is done at the point in time.
Despite largely being a Processor, GBG made the decision to complete Privacy Impact Assessments (PIAs) for all products/services GBG offer to our customers. These are maintained as part of our ongoing program. Where GBG operate as a Data Controller, we also conduct a Privacy Impact Assessment to ensure appropriate controls are in place and we meet our compliance obligations.
Information Security Risk
GBG is ISO27001 accredited, with some areas of our business also covered by PCI:DSS.
The Information Security Team are focussed on maintaining an information security program which covers everything you would expect and more.
This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.
Third Party Risk and our Data Partners
Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure. Once a contract has been signed, this is also reviewed on an ongoing basis.
Where appropriate, a Privacy Impact Assessment will be completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire, and periodic testing.
We have over 200 data partners globally, who need to comply with applicable data protection regulations. Depending on where the data partners is in the world, and what data they process, GDPR compliance may not be relevant but compliance with applicable legislation is.
Each party in the chain has an obligation to ensure the third parties they each work with measure up, which is something we’re committed to here at GBG.
Responding to individual complaints and data subject rights
We already have a very robust process for dealing with consumer queries and data subject rights, but we continually review for improvement.
Our consumer query process is also used to monitor our customers, our data partners and our products/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.
Data Privacy Breach Management Program
We have an effective data privacy incident and breach management plan, which we'll continue to review and enhance as required.
Monitoring covers many areas at GBG.
Internally we conduct audits and ad-hoc walk throughs to make sure we’re doing the right thing.
We're regularly audited by external third parties – our customers, our data partners and external bodies, such as IESB when reviewing our ISO27001 status or PCI:DSS compliance.
We're a member of IAPP, International Association of Privacy Professionals and also subscribe to DataGuidance, an online platform which allows you to conduct privacy research efficiently and accurately, whilst also monitoring for international data protection development.
We also attend many conferences, webinars and are part of a compliance think tank with a number of businesses in the data industry.
GBG’s Role: Data Processor
GBG does not believe ourselves to be the Data Controller for some products we offer because we do not determine the purposes for which, or the manner in which, personal data is processed. This is done by 2 parties: GBG’s Data Partner and GBG’s Customer.
GBG does not have any overall control over the ‘why’ and the ‘how’ of a data processing activity. GBG operates under the instructions of our Data Partner/Customer. GBG’s Data Partner determines the purpose of processing in relation to the data they collect.
The collection of the personal data at the point of capture and the legal basis for doing so is done by our Data Partner/Customer.
GBG’s Data Partner and Customer decide which items of personal data to collect, i.e. the content of the data. They both define the purpose or purposes the data are to be used for. GBG has no power to influence the collection of personal data or the purpose of any subsequent processing.
GBG’s Data Partner/Customer decide which individuals to collect data about and whether to disclose the data, and if so, who to. They decide on the information contained within the Fair Processing Notice that is provided to the individual.
If GBG receive a subject access request, this is passed to the Data Controller (Data Partner or Customer) as we do not have full visibility at an individual level of the evidence in relation to data collection.
GBG’s Data Partner/Customer dictate how long GBG can retain the data for or whether to make non-routine amendments to the data. This varies by Data Partner/Customer and we respond to their specific requests for deletion/updates.
GBG does not change or update the data in any way. Theoretically, if GBG were to make changes to an individual’s record, and the Data Partner did not (or did something different), GBG’s update would be “overwritten” in the data file provided by the Data Partner (as part of their update process).
As a PLC and a business built on data, we can't afford to get this wrong. The reputational risk far exceeds any fine. That's why we're committed to ensuring we do the right thing, for us, our customers, the third parties we work with and individuals.