GBG's approach to GDPR compliance.
As a business built on data, we can't afford to get this wrong, so we are committed to doing the right thing for GBG, our customers, the third parties we work with and individuals.
We know that complete GDPR compliance for GBG can only be achieved through a collaborative and transparent approach with our suppliers and customers. With over 15,000 customers across all sectors, operations in 71 countries and access to data on 4.4 billion identities for a range of purposes, we're sure you can appreciate the complexities involved and why it's taking us some time (compared with competitors who do not have the breadth of data contained in our products). We also want to ensure that this work is comprehensive and complete.
We’ve been receiving lots of questions from our customers, so we've provided some more information on the following areas:
- GDPR customer roll out
- Governance structure and GBG’s Data Protection Officer
- Data mapping
- Embedding data privacy into operations – training, awareness & PIAs
- Information security risk
- Third party risk and our data partners
- Responding to individual complaints and data subject access requests (DSARs)
- Data Privacy Breach Management Program
- Ongoing monitoring
GDPR Customer Roll Out
From 1st December we began to roll out a GDPR addendum to all our customers. All our customers need to agree to revised data protection terms to reflect the change from the Data Protection Act to the General Data Protection Regulation (effective 25th May 2018). These clauses are standard, so we do not envisage them posing a challenge.
Where customers process personal data with GBG, our products check that data against third party data sources, so we are asking our customers to tell us the lawful processing condition under which they use our products/services. This reason has to be determined by our customer, because they are the Data Controller. GBG is the Data Processor and acts under their instruction.
There are six lawful processing conditions:
- Consent
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
Consent is becoming more explicit and transparent: at the point of data collection, the individual must be told exactly how their data will be used and who it will be shared with. This makes it very difficult for third parties to achieve compliance when they rely on consent as one of their lawful bases for processing. Consent can, however, be selected by a customer who asks us to process data on their behalf, because the customer holds the first party consent and will have told their consumer in their privacy notice how the data will be processed.
Here’s some more information which may be helpful:
Governance Structure and GBG’s Data Protection Officer
Data privacy is discussed throughout GBG with regular presentations to the Board of Directors and Executive Team.
GBG’s named Data Protection Officer is Kate Lewis.
Kate leads the Privacy and Data Compliance Team, where each Compliance Manager has a core focus on the products GBG delivers, helping embed data privacy into operations while also monitoring activity on an ongoing basis.
We've also created and launched a network of Data Guardians. This means we have a representative in every EEA GBG office who has received a deeper level of be/compliant training, allowing them to identify risks and stop them from materialising.
Data Mapping
We've completed our data mapping exercise. We know what data we have, where it's held, how we access it and its classification, and we maintain records of transfers and flow charts showing how it moves between systems, processes and countries.
Embedding Data Privacy into Operations – Training, Awareness & PIAs
In January 2017 we launched an internal initiative called be/compliant. This ongoing program has 4 key principles to ensure our team members do the right thing:
- We’ll ensure we know what we can do with data, and if unsure, we’ll ask
- We’ll be clear about how we’re going to use data
- We’ll ensure we protect the data we hold/process
- We’ll ensure compliance, both individually and as a team
Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all team members globally.
Privacy Impact Assessments (PIAs) are now compulsory across GBG for all new products/services and any third parties we share personal data with.
Information Security Risk
GBG is ISO 27001 certified, with some areas of our business also covered by PCI DSS.
Led by our Chief Information Security Officer, the Information Security Team is focused on maintaining an information security program that covers everything you would expect and more.
This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, security measures for our team members (e.g. pre-screening), a data loss prevention strategy and regular testing of our security posture.
Third Party Risk and our Data Partners
Due diligence before working with a third party is key to ensuring the data has been gathered lawfully and that any data we share will be kept secure. Once a contract has been signed, the relationship is also reviewed on an ongoing basis.
Where appropriate, a Privacy Impact Assessment is completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire and periodic testing.
We have over 200 data partners globally, all of whom need to comply with the data protection regulations that apply to them. Depending on where a data partner is in the world and what data they process, GDPR compliance may not be relevant to them.
Each party in the chain has an obligation to ensure the third parties it works with measure up, which is something we're committed to here at GBG.
Responding to individual complaints and data subject access requests (DSARs)
We already have a very robust process for dealing with consumer queries and subject access requests. This is a requirement under the Data Protection Act, so we're confident in our processes, which are tried and tested and which we continually review for improvement. The key difference under GDPR is that the timescale for responding to a DSAR is reduced from 40 days to one month, which we do not foresee as an issue.
Our consumer query process is also used to monitor our customers, our data partners and our products/processes. Root cause analysis is applied to every enquiry, allowing us to identify whether further action is required.
Data Privacy Breach Management Program
We have an effective data privacy incident and breach management plan, which we'll continue to review and enhance as required.
There seem to be a lot of misconceptions about breach reporting, so we have really welcomed the ICO's blog on this topic.
Extract from the blog:
“Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it. Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.”
Art. 33(2) states that, as a data processor, GBG's obligation is to notify the data controller without undue delay after becoming aware of a personal data breach. WP29 have provided guidance on this which states:
"The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so 'without undue delay'. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours."
Our position is that the regulation says "without undue delay", and that is what we will abide by. We also recognise that for our customer, the Data Controller, the 72-hour clock only starts ticking once they become aware of the incident, which is why we notify as soon as we are aware ourselves.
Ongoing Monitoring
Monitoring covers many areas at GBG.
Internally we conduct audits and ad-hoc walk-throughs to make sure we're doing the right thing.
We're regularly audited by external third parties: our customers, our data partners and external bodies such as IESB when reviewing our ISO 27001 status or PCI DSS compliance.
A weekly regulatory monitoring report is issued to ensure we identify (and then action) privacy compliance requirements, such as changes in the law or best practice.
We're a member of the IAPP (International Association of Privacy Professionals). We attend many conferences and webinars, and we are part of a compliance think tank with a number of businesses in the data industry.
As a PLC and a business built on data, we can't afford to get this wrong; the reputational risk far exceeds any fine. That's why we're committed to doing the right thing for us, our customers, the third parties we work with and individuals.