GBG is becoming a data controller

Why is GBG becoming a data controller?

This information relates to the announcement of GBG’s move to become a data controller and is intended to provide our customers with further information. If you have a question that is not covered here, please get in touch via your Customer Success Manager.

At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so they can transact quickly, safely and securely with their customers online.   

We are proud to operate to the highest standards, both meeting our obligations under the GDPR to our customers and data subjects whilst also delivering the innovative solutions our customers expect.  

We are continually assessing and evolving our products and as such GBG is pleased to confirm that we will become a data controller for some of the products and services we provide to you, moving forwards. This is a standard that other data businesses may not yet be adhering to, but we are setting a standard that regulators around the world are coming to expect.  

Becoming a controller means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.

In the GDPR and other privacy regulations a data controller has full control to determine the purposes for processing data and takes full responsibility specifying how the data is used and processed by others, including ensuring legal compliance with data laws.

A data processor simply processes data that the data controller provides to them under specific contractual obligations.

We are asking all customers and suppliers to sign updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party.

Becoming a data controller, means that GBG is taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.

This change is occurring now. Our initial focus has been to update our agreements with our data suppliers.  We have also made changes to our products to align with our position as a data controller. We are now beginning the process of updating our existing customer agreements in a phased approach.

The contracts that we have in place between our customers and our data partners, clearly set out the roles and responsibilities of each party in relation to responses to subject access requests. You as GBG’s customer will be an independent data controller and will continue to have the same responsibility to data subjects as you do today.  GBG will continue to support you were needed. Going forward, GBG will also act an independent data controller. This means that GBG also needs to respond directly to individuals and to achieve this we will need greater visibility of the data we have processed and who we have shared this with.

GBG has invested significantly in our Privacy and Data Compliance team, which now has over 18 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future.   We also need to understand how and why our customers use our products and services and will therefore be capturing a Customer Use Case.  As a controller, GBG has an obligation to our customers, partners and data subjects to make sure that the use of our products is in line with the GDPR and to achieve this we need to understand how and why those products are used.

The Information Commissioner’s Office, ICO, is the UK’s independent data protection regulatory authority set up to uphold information rights in the public interest. You can find out about the ICO by clicking ico.org.uk

Please email controller@gbgplc.com or speak to your Customer Success Manager.

What is a Customer Use Case

A Customer Use Case describes what you are using our services for. As a data controller we need to understand this to allow us to meet our obligations, under applicable data protection laws, to our customers, data suppliers and data subjects.

Customer Management Use Cases are for GBG customers who require data regarding individuals that are already a customer of theirs and Records Management Use Cases are for GBG customers who require data on individuals who they do not yet have a relationship with.

Customer Management (Appending)

You have a requirement to ensure that the personal data you hold is accurate and up-to-date, therefore you may wish to append new contact details for an individual where they have a right or obligation to do so. For clarity, this data cannot be used for marketing purposes. This may be provided in the form of statistics (a data health check) or a file.

Customer Management (Data Quality)

You have a legal requirement to ensure that the personal data you hold is accurate and up-to-date, therefore you must remove outdated records by suppressing or validating existing data for the purposes of reducing fraud, or contacting an individual where it is appropriate to do so. This may be provided in the form of statistics (a data health check) or a file.

Customer Management (Indicators)

You have a desire to understand an individuals’ personal data, therefore you may wish to append variables to gain further insight into your own customers. This may be provided in the form of statistics (a data health check) or a file.

Records Management (Appending)

You have a requirement to ensure that the personal data you hold is accurate and up-to-date, therefore you may wish to append new contact details for an individual, where they have a right or obligation to do so. This individual is not a direct customer so for example, it could be for market research purposes. For clarity, this is not for marketing purposes. This may be provided in the form of statistics (a data health check) or a file.

Records Management (Data Quality)

You have a requirement to ensure that the personal data you hold is accurate and up-to-date, therefore you must remove outdated records by suppressing or validating existing data. This individual is not a direct customer so for example, it could be for market research purposes. For clarity, this is not for marketing purposes. This may be provided in the form of statistics (a data health check) or a file.

Information on Lawful Processing Condition

GDPR sets out six ‘lawful processing conditions’ for processing personal data. At least one of these must apply in order for data to be processed lawfully.

Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

Contract

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests

The processing is necessary to protect someone’s life.

Public task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests

The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).