A compliant verification solution that puts data security first

GDPR and what it means for GBG ID3global

With GDPR coming into effect on the 25th May 2018, we've added functionality for our customers to remove Personally Identifiable Information (PII) from their GBG ID3global audit trail.

This new functionality includes the ability to set a standard retention period for the length of time necessary to hold PII.

Get ready for GDPR...

Contact your account manager to enable functionality
Set data retention period
Removal of PII outside of retention period
Ability to remove single record requests

GDPR compliant datasets

To ensure our solutions are GDPR compliant, we've been undergoing a complete review of all of our third party data suppliers that power our solutions.

We have over 200 data partners globally, so part of our preparation for GDPR has included a review of all of our products, and the data we use to provide our services to you.

All data sourced and held within the EEA will be compliant with GDPR
Datasets outside of the EEA have been subject to the same level of due diligence as with EEA suppliers
GBG will provide full transparency on all third parties, including updates on alignment with GDPR requirements
GBG will identify any non-EEA suppliers that may not fully comply with GDPR


We've been undergoing a complete review of all of our products and the data we use to provide our services to you. We have over 200 data partners globally, so part of our preparation for GDPR has included carrying out further due diligence on all of our third party suppliers to confirm that the data they hold and provide to us continues to be gathered lawfully, and to ensure any data we share with them will be secure.

Although GDPR compliance may not be relevant for all of our data partners or for all of our customers, all suppliers have been subject to our GDPR due diligence process to ensure we can provide clear information to our customers about the data they use so they can make an informed choice about the services they take. We're also working with all suppliers globally to ensure that they agree to comply with the same data protection obligations as we do, which will be equivalent to those of GDPR where possible.

All of our partners providing datasets that are sourced and held within the EEA have provided sufficient guarantees that the data they collect has been collected lawfully, and that their Information Security standards will all be in line with GDPR on May 25th. For our Spanish supplier, we've chosen to make changes to the service to ensure compliance with GDPR. These changes will be communicated to you separately should you take this service. Please also see question 3 below.

The Spanish datasets (284 Spain Population, 285 Spain Consented and 286 Spain Telephone) will be replaced with new item checks. These new item checks will be: Spain Population (DNI/NIF), Spain Consumer and Spain Commercial.

We'll continue to provide service through item checks 284, 285 and 286 for a limited time period, providing the opportunity for you to migrate to our new item checks. Please be aware that although the existing Spanish checks do not fully meet all of the due diligence requirements that we've requested in line with GDPR, we've decided to continue to provide this service to customers during the transition period to ensure that they're not without a service, and that you can continue to meet the regulatory requirements of your organisation. We believe that the ability to perform AML and KYC checks balances out the minimal risk identified with the current dataset.

For your information, the reason why our Spanish data set hasn't passed our comprehensive due diligence checks is that we believe the supplier is not collecting the data held in their database in line with the new requirements. Notwithstanding this, we believe that continued use of this item check is low risk to our customers as this Spanish data is not shared with you and is only used to provide you with intelligence and information.

If you would prefer not to use the existing Spanish item check after 25th May 2018, please let your account manager know and we will support you to make the required changes to your services.

Some datasets outside of the EEA are not subject to GDPR in their own right, but have provided sufficient guarantees to meet their local laws. However, in preparation for GDPR, we've carried out the same level of due diligence on these non-EEA suppliers as with EEA suppliers. As part of this process, we've identified a few suppliers that may not fully meet all of the requirements set out within GDPR by the 25th May 2018. We'll continue to work with them to update and change their processes to enable them to achieve a standard that's aligned with GDPR as soon as possible. 

The following suppliers have provided sufficient guarantees to meet their local laws, but may not be able to demonstrate sufficient guarantees and appropriate technical and organisational measures which fully meet the requirements of GDPR by 25th May 2018.

ITEM CHECK No 287 Brazil Population

ITEM CHECK No 278 Mexico Population

ITEM CHECK No 249 South Africa Financial (ID Number)

ITEM CHECK No 259 South Africa Population

ITEM CHECK No 324 Hong Kong Population

ITEM CHECK No 256 Argentina Financial (DNI)

Whilst not aligned with GDPR as a regulation, each supplier has warranted the data it holds is sourced and processed according to applicable local regulation. These databases typically include data on data subjects who reside in the country in question. For example, our South African service contains data on South African citizens. As the data is specific to a non-EEA country, we believe the risk linked to GDPR is very low.

Our commitment to you is that we will provide full transparency on the status of all third parties and ongoing updates on the work we're undertaking with our partners. This approach will allow you to make an informed decision regarding the data that you control.

Our legal team are also working with all data partners to review the additional terms which apply to each item check, and to provide a summary of critical information about each supplier. For example, whether the supplier will have access to your customer data, where the suppliers are based and, where relevant, what method of safe transfer will apply for transfers of data outside the EEA. These updated terms will be sent out to all customers in May.

We currently hold all PII data for the length of the agreement with our customers.

Customer input data, Document detail, PEP & Sanction matches.

Single record deletion, click on authentication and remove PII data manually. This can also be done via the web service if the customer wishes to remove a block of authentications within their retention period.

Yes, by using the scheduled data extract functionality within the Admin site.

GDPR says “For as long as is necessary for the purpose for which it was collected”

JMLSG says 5 years after the end of the customer relationship.

PII is any information relating to an individual which can be used to either directly or indirectly identify them.  

GDPR highlights in particular identifying an individual by reference to a name, ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We want to enable customers to choose whether or not they wish to set a Data Retention period within GBG ID3global and do not want to automatically add this functionality to accounts which would make it mandatory to do so.

Currently no. This is to ensure our customers can help themselves to comply with GDPR regulations; this service is provided at no cost to our existing clients.

Contact your account manager to enable functionality on your licence.

Still have further questions on GDPR?

Submit a question to be added to the FAQ list.
