GBG’s Privacy Approach
Throughout GBG, including at Board level, we have always been committed to implementing leading data protection standards, to ensure we comply with applicable legislation and process data securely. This isn’t enough, with GBG believing ethical use of data goes beyond this. We support this by placing individuals at the heart of what we do, which gives the added benefit of building trust with all stakeholders: individuals, our customers, suppliers, team members, investors and regulators.
We have invested heavily in our global privacy program and believe this summary should provide you with the assurance that when working with GBG, your data is in safe hands.
This statement will cover:
• Our Team
• GBG’s Privacy Management Platform
• Due Diligence
• Transparency
• Data Subject Rights
• Training & Awareness
• Information Security Risk
• Incident Response Plan
• Ongoing Monitoring
If you are interesting to learn more about GBG’s approach to AI, click here.
An Experienced Team
GBG’s Privacy Team is over 20 strong and incredibly experienced, with Exec Team Member representation to ensure privacy remains at our core.
This team is split into 3 key areas to help ensure GBG adhere to privacy regulation, which we know is important for you too, especially when we are processing your Customer data.
Our team includes:
- Data Protection Experts who ensure we have the right controls in place so we can achieve compliance with privacy legislation
- Data Subject Rights team who manage requests from individuals and our data suppliers
- Data Auditors who review third party due diligence, auditing customers, suppliers and internally for compliance with privacy legislation and our data licences (from our data suppliers).
GBG’s Privacy Management Platform
Implemented in 2019, GBG utilise OneTrust, a global leader in privacy software, to underpin our global privacy management program. This has been working really well for us and helps ensure we have the right processes, controls and evidence to support compliance with privacy legislation globally. Baked into this, individuals are at the heart of what we do. Ethical use of data is an everyday effort, with robust processes and procedures to ensure processing is within the expectations of an individual, that involves minimisation in terms of collection, storage and purpose, plus timely notification where required
We utilise OneTrust for Data Protection Impact Assessments (DPIAs), Data Transfer Impact Assessments (DTIAs), Legitimate Interest Assessments, Data Mapping, Privacy Due Diligence, Privacy Risk Management, Data Subject Rights, Cookie Management, AI Conformity Assessments and more.
Regardless of where we’re operating globally, DPIAs are mandatory at GBG as we believe this process and documentation identifies the most effective way to ensure compliance with data protection obligations and to meet an individual’s expectations of privacy.
Industry Leading Due Diligence
We have a robust onboarding process for all third parties globally, which includes privacy and information security due diligence.
Ensuring third party data has been gathered lawfully, is within the expectations of an individual and any processing has appropriate technical and organisational measures to ensure it is processed securely, before we share it – for both our customers and individuals is crucial.
Data Suppliers must complete due diligence before we start using them and on a periodic basis to ensure standard are maintained. They are required to answer a very detailed questionnaire where they demonstrate data has been gathered lawfully, how it is processed, what technical and organisational measures they have in place, their lawful basis for processing, the source of the data, a copy of their privacy notice, how this data can be used by GBG and our customers to mention a few areas we review.
Due diligence and DPIAs for data suppliers are mandatory here at GBG. We are also able to, and do, conduct desk based research and onsite audits, plus monitor the quality of data via our production processes and data subject rights.
GBG’s reputation is important to us – it’s vital that we operate lawfully and securely and can evidence our assessments if asked to by individuals or a regulator. We know how crucial this is in building customer confidence in GBG products and services.
Transparency
It is imperative that we can demonstrate how we fulfil our Article 13 & 14 obligations under GDPR, plus other regulation globally. What this means in the simplest form is that an individual should be aware of how their data will be used, by whom and how long we will retain this for. Baked into this is minimisation. We should only collect data we need, limiting how long we hold it for and for a specific purpose.
To support GBG’s external operations, such as when you use our website, enter into a contract with GBG or visit one of our offices, you can view the privacy notice here: https://www.gbgplc.com/en/legal-and-regulatory/privacy-policy/
To support GBG products and services we have created a specific privacy notice which can be found here: https://www.gbgplc.com/products-services-privacy-policy/
We invite our Customers and Data Suppliers to link to GBG’s products and services privacy notice so it is crystal clear what GBG does. As part of our supplier due diligence program, we ensure our data suppliers meet this requirement where applicable.
For individuals, GBG’s privacy notices outline your rights specific to the processing and how you can interact with GBG. This includes right of access, rectification and deletion of an individuals’ data, among others.
It’s also worth noting that GBG may have a privacy notice specific to the processing taking place e.g. one of GBG’s products is offered via an app which contains a privacy notice within it.
Data Subject Rights
We have a robust process for dealing with consumer queries and data subjects rights, ensuring timely communication, but continually review this for improvement.
Our consumer query process is also used to monitor our customers, our data partners and our products/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.
Training & Awareness
To deliver on our data ethics target, internally we have an initiative called be/compliant. This ongoing program has 4 key principles to ensure our team members do the right thing:
- We’ll ensure we know what we can do with data, and if unsure, we’ll ask
- We’ll be clear about how we’re going to use data
- We’ll ensure we protect the data we hold/process
- We’ll ensure compliance, both individually and as a team
Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all team members globally. New Team Members complete the mandatory training when they join GBG and then everyone, regardless of role or seniority, must complete this annually. If there is a specific update or training which needs to be shared, this is done at the point in time.
Information Security Risk
GBG is ISO27001 certified, with some areas of our business also covered by PCI-DSS, Cyber Essentials and/or Cyber Essentials Plus.
The Information Security Team are focussed on maintaining an information security program which covers everything you would expect and more.
This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.
GBG’s 24 x 7 Security Operations Centre responds to any event or notification for investigation to uphold the security posture of GBG. Therefore, GBG have eyes and ears on the threats and threat actors that are likely to be attracted to GBG and the data that the organisation processes. GBG understands the critical need for technical and organisational control implementation to ensure GBG operates securely.
Incident Response Plan
GBG recognise the importance of maintaining service availability to our customers and have comprehensive incident processes in place over all services in GBG Plc.
Aligned with the Information Technology Infrastructure Library (ITIL) framework, GBG have detailed policies, processes and procedures in place covering Incident and Problem Management, Change Management, Access Management, Capacity Management and Risk Management among others.
In the event of a major incident, GBG has a detailed and documented Incident Management Plan which outlines the processes to be followed in the event of such as incident including the role of our Crisis Management Team. This plan is periodically tested to assure GBG’s ability to respond to any major incident successfully, ensuring all relevant third parties – individuals, customers and suppliers are informed in a timely manner.
Ongoing Monitoring
Monitoring covers many areas at GBG.
Internally we conduct audits and ad-hoc walk throughs to make sure we’re doing the right thing.
We’re regularly audited by external third parties – our customers, our data partners and external bodies such as our certification body BSI – and we run an internal audit program ensuring continual review and improvement within our ISO27001 certified activities.
We conduct ongoing regulatory monitoring report to ensure we identify (and then action) privacy compliance requirements, such as changes in the law or best practice. We are also members of IAPP, International Association of Privacy Professionals which is another great source of news and resources.
As a PLC, who operates globally in over 70 countries, with millions of people around the world interacting with our solutions everyday, you can rest assured GBG takes privacy and information security very seriously.