Getting ready for GDPR
With the European Union’s General Data Protection Regulation (GDPR) just around the corner, how is GBG preparing for its introduction, and how are we planning to balance compliance with commerciality?
Two people in the know, GBG’s Head of Data Strategy Gus Tomlinson, and Head of Privacy and Data Compliance Kate Lewis, share their thoughts.
Gus has worked sourcing global data for 4 years, and has extensive knowledge of global regulations and market trends. GBG products require data as fuel, and although Gus believes this will remain, she expects to see a shift in focus in the types of data and ways in which we consume it to change.
With over 10 years working in the identity space, Kate has a passion for privacy, which has grown in the last 4 years whilst following GDPR developments. Kate believes the key to success is awareness and accountability, therefore has established be/compliant part of the GBG brand, which underpins all activities to ensure compliance.
How GBG approaches GDPR
As an organisation that relies on the availability of personal data in its solutions, how does GBG ensure that the data we use is appropriate and fully consented?
Gus: Sourcing begins with the basics: does the data exist? Can we access it compliantly? How can we use it to serve different customers in the best way?
Compliance and security questionnaires then give us total transparency of the types of data we access. Suppliers have to show that the data is sourced compliantly, with the correct consents and that it can be used within GBG products.
Even after sourcing the data, consent is an integral part of our identity verification solutions. As they go through a process powered by our technology, consumers themselves also give GBG permission to verify that what they have shared is accurate and authentic.
Kate: It’s worth noting that consent is only one of the conditions for processing. There are other conditions we could rely on. These include legitimate interest, performance of a contract, compliance with a legal obligation, necessity to protect vital interests or the performance of a task carried out in the public interest. We’ll reflect this in our data sourcing, where appropriate.
New data sources
What new data sources are you seeing a demand for?
Gus: Data that demonstrates activity as well as verifies an identity, qualifies a marketing lead or cleans a database. Businesses want added insight on what they already know – whether to stop fraudsters, protect vulnerable individuals or get the most from their customer relationships.
Mobile, lifestyle and biometric data add huge value to traditional sources. In developing markets, mobile coverage far exceeds credit footprints. This means non-traditional data sources are more valuable in the first place. Social media and behavioural data are also in huge demand as this can bridge the gap between someone’s online and offline identity.
How GBG is preparing
How are we preparing from a privacy and compliance perspective?
Kate: Our established, dedicated team has a very detailed plan and is continuing to make great progress.
Accountability, training and awareness are key to our success. We’ve also introduced a network of Data Guardians – team members in each GBG office who are trained to identify and mitigate risks before they become an issue.
How you can prepare
What are the five things you would advise clients to do to ensure readiness?
1. Know your data. What data do you have in the business? Where does it come from? How is it used? This is the most important point of all; it’s something that can affect all parts of your business.
2. Set your conditions for processing. Have this clearly identified and documented for anywhere you process personal data. Many companies have relied on consent in the past, but if you can rely on another condition you should, as consent can be withdrawn at any time. Always be clear about how you can defend your use.
3. Review your privacy policy. What are you telling individuals about how you’re using their information? Transparency is key.
4. Re-permission your database, or update any details necessary. Start this process early, but be careful that you don’t breach one set of regulations trying to comply with another.
5. Decide what data you can retain, and what data you should securely remove. It’s already law that businesses shouldn’t collect and retain more information than is necessary, but the stakes will increase next year with fines of up to 4% of global turnover.
Taking control
How can consumers ensure they’re taking more control?
Kate: Remember that you don’t have to disclose your details just because someone has asked for them. Ask to see their privacy policy. How will they use your data? While shopping recently, I declined to share my email address for a digital receipt. I was told I’d have to provide it in the future as it would be more economical – a good example of processing data unnecessarily. If I’m happy with a paper receipt, I don’t need to provide my email address.
Sign up for more expert insight
Hear from us when we launch new research, guides and reports.