Privacy Approach

GBG's Privacy Approach

It’s really important for all stakeholders that we get this right: for individuals, our customers, suppliers, team members, investors and regulators. Building trust is of utmost importance to us. We also acknowledge that getting this wrong would be extremely damaging, financially and reputationally, so rest assured we do everything we can to mitigate this risk.

We have invested heavily in our global privacy program and believe this summary should provide you with the assurance that when working with GBG, your data is in safe hands.

This statement will cover:

  • Our Team
  • GBG’s Privacy Management Platform
  • Due Diligence
  • Transparency
  • Data Subject Rights
  • Training & Awareness
  • Information Security Risk
  • Incident Response Plan
  • Ongoing Monitoring

An Experienced Team 

GBG’s Privacy Team is over 20 strong and incredibly experienced, with Exec Team Member representation to ensure privacy remains at our core.

This team is split into 3 key areas to help ensure GBG adhere to privacy regulation, which we know is important for you too, especially when we are processing your Customer data. 

Our team includes:

  • Data Protection Experts who ensure we have the right controls in place so we can achieve compliance with privacy legislation
  • Data Subject Rights team who manage requests from individuals and our data suppliers
  • Data Auditors who review third party due diligence, auditing customers, suppliers and internally for compliance with privacy legislation and our data licences (from our data suppliers).

GBG's Privacy Management Platform 

GBG utilise OneTrust, a global leader in privacy software, to underpin our global privacy management program; it was implemented in 2019. This has been working really well for us and helps ensure we have the right processes, controls and evidence to support compliance with privacy legislation globally.

We utilise OneTrust for Data Protection Impact Assessments (DPIAs), Data Transfer Impact Assessments (DTIAs), Legitimate Interest Assessments, Data Mapping, Privacy Due Diligence, Privacy Risk Management, Data Subject Rights, Cookie Management, and more.

Regardless of where we’re operating globally, DPIAs are mandatory at GBG as we believe this process and documentation identifies the most effective way to ensure compliance with data protection obligations and to meet an individual’s expectations of privacy.

Industry Leading Due Diligence 

We have a robust onboarding process for all third parties globally, which includes privacy and information security due diligence.

Before we share third party data with our customers, it is crucial to ensure that it has been gathered lawfully and that any processing has appropriate technical and organisational measures to ensure it is processed securely.

Data Suppliers must complete due diligence before we start using them and on a periodic basis to ensure standards are maintained. They must answer a very detailed questionnaire in which they demonstrate that data has been gathered lawfully. To mention a few of the areas we review, the questionnaire covers how the data is processed, what technical and organisational measures they have in place, their lawful basis for processing, the source of the data, a copy of their privacy notice, and how this data can be used by GBG and our Customers.

DD questionnaires and DPIAs for data suppliers are mandatory here at GBG. We are also able to, and do, conduct desk-based research and onsite audits, plus monitor the quality of data via our production processes and data subject rights.

GBG’s reputation is important to us – it’s vital that we operate lawfully and securely and can evidence our assessments if asked to by individuals or a regulator. We know how crucial this is in building customer confidence in GBG products and services.


Transparency

It is imperative that we can demonstrate how we fulfil our Article 14 obligations under GDPR. What this means in the simplest form is that an individual should be aware of how their data will be used, by whom and how long we will retain this for.

To support GBG’s external operations, such as when you use our website, enter into a contract with GBG or visit one of our offices, you can view the privacy notice here:

To support GBG products and services we have created a specific privacy notice which can be found here: 

We invite our Customers and Data Suppliers to link to GBG’s products and services privacy notice so it is crystal clear what GBG does. As part of our supplier due diligence program, we ensure our data suppliers meet this requirement where applicable.

For individuals, GBG’s privacy notices outline your rights specific to the processing and how you can interact with GBG. This includes right of access, rectification and deletion of an individual's data, among others.

It’s also worth noting that GBG may have a privacy notice specific to the processing taking place e.g. one of GBG’s products is offered via an app which contains a privacy notice within it.

Data Subject Rights 

We have a robust process for dealing with consumer queries and data subject rights, but continually review this for improvement.

Our consumer query process is also used to monitor our customers, our data partners and our products/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.

Training & Awareness 

Internally we have an initiative called be/compliant. This ongoing program has 4 key principles to ensure our team members do the right thing:
• We’ll ensure we know what we can do with data, and if unsure, we’ll ask
• We’ll be clear about how we’re going to use data
• We’ll ensure we protect the data we hold/process
• We’ll ensure compliance, both individually and as a team

Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all team members globally. New Team Members complete the mandatory training when they join GBG and then everyone, regardless of role or seniority, must complete this annually. If there is a specific update or training which needs to be shared, this is done at the point in time.

Information Security Risk 

GBG is ISO27001 certified, with some areas of our business also covered by PCI-DSS, Cyber Essentials and/or Cyber Essentials Plus. 

The Information Security Team are focussed on maintaining an information security program which covers everything you would expect and more.

This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.

GBG’s 24 x 7 Security Operations Centre responds to any event or notification for investigation to uphold the security posture of GBG. Therefore, GBG have eyes and ears on the threats and threat actors that are likely to be attracted to GBG and the data that the organisation processes. GBG understands the critical need for technical and organisational control implementation to ensure GBG operates securely.

Incident Response Plan 

GBG recognise the importance of maintaining service availability to our customers and have comprehensive incident processes in place over all services in GBG Plc.

Aligned with the Information Technology Infrastructure Library (ITIL) framework, GBG have detailed policies, processes and procedures in place covering Incident and Problem Management, Change Management, Access Management, Capacity Management and Risk Management among others.

In the event of a major incident, GBG has a detailed and documented Incident Management Plan which outlines the processes to be followed in the event of such an incident, including the role of our Crisis Management Team. This plan is periodically tested to assure GBG’s ability to respond to any major incident successfully.

Ongoing Monitoring 

Monitoring covers many areas at GBG. 

Internally we conduct audits and ad-hoc walk throughs to make sure we’re doing the right thing. 

We're regularly audited by external third parties (our customers, our data partners and external bodies such as our certification body BSI), and we run an internal audit program ensuring continual review and improvement within our ISO27001 certified activities.

We conduct ongoing regulatory monitoring to ensure we identify (and then action) privacy compliance requirements, such as changes in the law or best practice. We are also members of the International Association of Privacy Professionals (IAPP), which is another great source of news and resources.

As a PLC operating globally in over 70 countries, with more than 19,000 customers and processing over 76 billion transactions a year, you can rest assured GBG takes privacy and information security very seriously.