This information relates to the announcement of GBG’s move to become a Data Controller and is intended to provide our customers with further information. If you have a question that is not covered here, please get in touch via your Customer Success Manager.
At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so they can transact quickly, safely and securely with their customers online.
We are proud to operate to the highest standards, both meeting our obligations under the GDPR to our customers and data subjects whilst also delivering the innovative solutions our customers expect.
We are continually assessing and evolving our products and as such GBG is pleased to confirm that we will become a Data Controller for some of the products and services we provide to you, moving forwards. This is a standard that other data businesses may not yet be adhering to, but we are setting a standard that regulators around the world are coming to expect.
Becoming a Controller means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.
Under the GDPR and other privacy regulations, a Data Controller has full control to determine the purposes for processing data and takes full responsibility for specifying how the data is used and processed by others, including ensuring legal compliance with data laws.
A Data Processor simply processes data that the Data Controller provides to them under specific contractual obligations.
We are asking all customers and suppliers to sign updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party.
Becoming a Data Controller means that GBG is taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.
This change is occurring now. Our initial focus has been to update our agreements with our data suppliers. We have also made changes to our products to align with our position as a Data Controller. We are now beginning the process of updating our existing customer agreements in a phased approach.
The contracts that we have in place between our customers and our data partners clearly set out the roles and responsibilities of each party in relation to responses to subject access requests. You, as GBG’s customer, will be an independent Data Controller and will continue to have the same responsibility to data subjects as you do today. GBG will continue to support you where needed. Going forward, GBG will also act as an independent Data Controller. This means that GBG also needs to respond directly to individuals, and to achieve this we will need greater visibility of the data we have processed and who we have shared it with. GBG has therefore created and will hold a GBG Audit Trail for a period of 12 months. This is in addition to your own Audit Trail, which you control. The GBG Audit Trail will be retained so GBG can respond to an individual who is exercising their data subject rights with us.
GBG has invested significantly in our Privacy and Data Compliance team, which now has over 18 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future. We also need to understand how and why our customers use our products and services and will therefore be capturing a Customer Use Case. As a Controller, GBG has an obligation to our customers, partners and data subjects to make sure that the use of our products is in line with the GDPR and to achieve this we need to understand how and why those products are used.
In order to meet our Controller obligations, GBG requires visibility of what personal data is processed, when, how and who this has been shared with. To achieve this, we have created a GBG Audit Trail in which we hold evidence of each transaction for 12 months. Retention of this data is necessary to enable GBG to respond when an individual wishes to exercise a data subject right. GBG’s Audit Trail is independent of the one that you, as GBG’s Customer, can control. There have been no changes to your Audit Trail, which you can continue to manage as you see fit, as a separate Independent Controller to GBG.
The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulatory authority, set up to uphold information rights in the public interest. You can find out about the ICO at ico.org.uk.
GBG’s Customer has a requirement to verify the identity of an individual for fraud prevention and detection purposes, such as, but not limited to, verification when purchasing or hiring goods and services, and protection against ID fraud.
GBG’s Customer has a requirement to verify the identity of an individual for regulatory purposes, such as, but not limited to, Anti-Money Laundering and Age Verification.
GDPR sets out six ‘lawful bases’ for processing personal data. At least one of these must apply in order for data to be processed lawfully.
The individual has given clear consent for you to process their personal data for a specific purpose.
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The processing is necessary for you to comply with the law (not including contractual obligations).
The processing is necessary to protect someone’s life.
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).