This information relates to the announcement of GBG’s move to become a Data Controller and is intended to provide our data partners with further information. If you have a question that is not covered here, please get in touch via your Data Manager.

GBG's core business relies on the creation, development and marketing of our products which use personal data sourced from third-party suppliers. Because of the increasingly sophisticated nature of the products we supply to our end customers, GBG determines the purposes and means of the processing of personal data that we receive from our third-party suppliers.

The data industry within which GBG operates is changing with greater focus on protecting consumers data, following the release of the Draft Code of Conduct on Data Sharing in 2019 by the UK Data Protection Regulator (the ICO). Moving from a Data Processor to becoming a Data Controller means GBG can offer its customers, suppliers, and ultimately consumers, greater confidence in the management, storage and protection of their data.


We are asking all data partners to sign updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party.

The initial focus of our changes is to update our agreements with our data partners. After this we will begin the process of updating existing customer agreements in parallel with updating our product roadmaps. Each party affected will be communicated with directly in good time.

GBG considers itself and our data partners each as separate and independent Controllers.

The contract between the parties will set out the roles and responsibilities in relation to responses to subject access requests.

A Data Controller is an entity which, alone or jointly with others determines the purposes and means of the processing of personal data.

A Data Processor is an entity which processes personal data on behalf of the data controller. Previously GBG considered itself a Data Processor acting on behalf of its customers and suppliers who are Data Controllers.

The Information Commissioner’s Office, ICO, is the UK’s independent data protection regulatory authority set up to uphold information rights in the public interest. You can find out about the ICO by clicking

GDPR stands for the General Data Protection Regulation (EU) 2016/679 and is Europe’s framework for data protection laws. It is applicable to processing carried out by organisations operating within the EU and it also applies to organisations outside the EU that offer goods or services to individuals in the EU or that monitor the behaviour of individuals within the EU. GDPR was incorporated into UK Law as a result of the Data Protection Act 2018, therefore the UK will retain GDPR after it leaves the EU at the end of 2020.

.red { fill: #b0013a; }