GBG (and therefore the products you use) will be GDPR compliant by the deadline of 25th May 2018, although it is our aspiration for this to be achieved earlier.
We're very active in our GDPR readiness preparations. As a business built on data, we can't afford to get this wrong, so we're committed to ensuring we do the right thing for GBG, our customers, the third parties we work with and individuals.
After many years monitoring and understanding the changes GDPR will bring, we've developed an established plan for compliance. Driven by a team of qualified Data Protection Practitioners, we're focussed on ensuring all tasks are in play, that they continue to progress, and that by 25th May 2018 they can be evidenced to demonstrate compliance.
We know that complete GDPR compliance for GBG can only be achieved through a collaborative and transparent approach with our suppliers and customers. Whilst we're pragmatic that some of our data suppliers (we have over 200) may not complete the journey, we're working closely with them all to ensure that as many as possible will make the grade and continue to be used in our portfolio of products.
With over 15,000 customers across all sectors and operating in 71 countries, accessing data on 4.4 billion identities for a range of purposes, we're sure you can appreciate the complexities involved, and why it's taking us some time (as opposed to the time taken by some of our competitors who do not have the breadth of data that’s contained in our products). We also want to ensure that this is comprehensive and complete.
We’ve been receiving lots of questions from our customers, so we've provided some more information on the following areas:
- GDPR customer roll out
- Governance structure and GBG’s Data Protection Officer
- Data mapping and GBG’s Data Asset Register
- Embedding data privacy into operations – training, awareness & PIAs
- Information security risk
- Third party risk and our data partners
- Responding to individual complaints and data subject access requests (DSARs)
- Data Privacy Breach Management Program
- Ongoing monitoring
Like many companies, we've been waiting on guidance to be issued by the ICO and EU’s Article 29 Working Party. We recognise we can't wait until all guidance has been released to implement our GDPR program, so have been pragmatic, progressing with our plan. We continue to review guidance as it becomes available and will adjust our implementation if appropriate.
GDPR Customer Roll Out
From 1st December we'll start to roll out a GDPR addendum to all our customers. This must be signed, with additional information provided, to allow GBG and our customers to meet our GDPR obligations.
All our customers need to agree to revised data protection terms to reflect the change from the Data Protection Act to General Data Protection Regulation (effective 25th May 2018). These clauses are standard; therefore we do not envisage them posing a challenge.
We'll also require our customers to advise us of the lawful processing condition for using our products/services. This reason for processing will need to be determined by our customer, as they are the Data Controller. GBG is the Data Processor who acts under their instruction.
There are six lawful processing conditions:
- Consent
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
Other than for our own direct marketing, consent is not a processing condition we'll be able to rely on for any third party data we share. Consent is changing to be more explicit and transparent, so at the point of data collection the individual will need to be informed exactly how their data will be used and who it will be shared with. This makes it very difficult for third parties to achieve compliance using consent as one of their lawful bases for processing. Consent can be selected by our customer who is asking us to process data on their behalf, as they will hold the first party consent and will have advised their consumer in their privacy notice as to how their data will be processed.
Here’s some more information which may be helpful:
Governance Structure and GBG’s Data Protection Officer
Data privacy is discussed throughout GBG with regular presentations to the Board of Directors and Executive Team.
GBG’s named Data Protection Officer is Kate Lewis.
Kate leads the Privacy and Data Compliance Team, where each Compliance Manager has a core focus on the products GBG deliver, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.
We've also created and launched a network of Data Guardians. This means we have a representative in every EEA GBG office that's received a deeper level of be/compliant training, allowing them to identify any risks and stop them from happening.
Data Mapping and GBG’s Data Asset Register
We've largely completed our data mapping exercise. We know what data we have, where it’s held, how we access it, the classification of the data, records for transfer and flow charts to show how it moves between systems, processes and countries.
A lot of information that already exists within GBG is held across a number of systems, so we're in the process of implementing a Data Asset Register, which will automate as much activity as possible, aiding transparency and supporting the tight controls which are required to ensure compliance.
Embedding Data Privacy into Operations – Training, Awareness & PIAs
We've launched an internal initiative called be/compliant. This ongoing program has 4 key principles to ensure our team members do the right thing:
- We’ll ensure we know what we can do with data, and if unsure, we’ll ask
- We’ll be clear about how we’re going to use data
- We’ll ensure we protect the data we hold/process
- We’ll ensure compliance, both individually and as a team
Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all team members globally.
Privacy Impact Assessments (PIAs) are now compulsory across GBG for all new products/services and any third parties we share personal data with.
Retrospective PIAs for existing products/services have been completed, with any changes required to ensure we achieve GDPR compliance identified. These changes are now in development and will be released as soon as they are available, but definitely in time for 25th May 2018. This means any products you use from GBG will support your own GDPR compliance.
Information Security Risk
GBG is ISO27001 accredited, with some areas of our business also covered by PCI DSS.
Led by our Chief Information Security Officer, the Information Security Team are focussed on maintaining an information security program which covers everything you would expect and more.
This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.
Third Party Risk and our Data Partners
Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure. Once a contract has been signed, this is also reviewed on an ongoing basis.
Where appropriate, a Privacy Impact Assessment will be completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire and periodic testing.
We have over 200 data partners globally, who need to comply with applicable data protection regulations. Depending on where a data partner is in the world, and what data they process, GDPR compliance may not be relevant. If they need to comply with GDPR, we'll ensure they do. If they don’t comply, it would mean neither can GBG or our customers, which is clearly not acceptable.
Each party in the chain has an obligation to ensure the third parties they each work with measure up, which is something we’re committed to here at GBG.
Our dedicated Data Strategy Team have been in conversation with our data partners, and those that need to be compliant all have active GDPR plans. Many of these businesses aren't there yet, but will be prior to 25th May 2018. If they're not, we won't be sharing their data, so you can be confident that any data which is subject to GDPR will be fully compliant.
Responding to individual complaints and data subject access requests (DSARs)
We already have a very robust process for dealing with consumer queries and subject access requests. This is a requirement under the Data Protection Act, therefore we're confident in our processes, which are tried and tested and which we continually review for improvement. The key difference under GDPR is that the timescale for responding to a DSAR is reduced from 40 days to 30 days, which we do not foresee as an issue.
Our consumer query process is also used to monitor our customers, our data partners and our products/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.
Data Privacy Breach Management Program
We have an effective data privacy incident and breach management plan, which we'll continue to review and enhance as required.
There seem to be a lot of misconceptions about breach reporting, therefore we have really welcomed the ICO’s blog on this topic.
Extract from the blog:
“Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it. Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.”
Art. 33(2) states that, as a data processor, GBG’s obligation is to notify data controllers without undue delay after becoming aware of a breach. WP29 have provided some guidance on this which states:
The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.
Our position is that the regulation states “without undue delay”, therefore this is what we will abide by. However, we recognise that for our customer, the Data Controller, the clock will only start ticking when they become aware there has been an incident.
Ongoing Monitoring
Monitoring covers many areas at GBG.
Internally we conduct audits and ad-hoc walk throughs to make sure we’re doing the right thing.
We're regularly audited by external third parties – our customers, our data partners and external bodies, such as IESB when reviewing our ISO27001 status or PCI DSS compliance.
A weekly regulatory monitoring report is issued to ensure we identify (and then action) privacy compliance requirements, such as changes in the law or best practice.
We're a member of the International Association of Privacy Professionals (IAPP). We attend many conferences and webinars, and are part of a compliance think tank with a number of businesses in the data industry.
As a PLC and a business built on data, we can't afford to get this wrong. The reputational risk far exceeds any fine. That's why we're committed to ensuring we do the right thing, for us, our customers, the third parties we work with and individuals.