We’re proud to operate to the highest standards, both meeting our privacy obligations from around the world to our customers and data subjects, whilst also delivering the innovative solutions our customers expect. As a result, we have taken the decision to act as a data controller for some of our products and services.
Becoming a controller, means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.
For more information about our approach to Privacy see here.
The information on this page is intended to provide our customers with further information about our transition to become a data controller for some of our products and services. If you have a question that is not covered here, please get in touch with your Customer Success Manager or ask for help on our customer support page.
As a data controller we need to understand your use of our services to ensure the data that is presented to you aligns to your use.
Each of our products have their own pre-defined use cases which can be found on our legal product pages linked below.
The GDPR sets out six lawful processing conditions for processing personal data. For customers based in the UK or EU and/or processing UK/EU personal data at least one must apply.
A reminder of the six lawful processing conditions can be found below.
The individual has given clear consent for you to process their personal data for a specific purpose.
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The processing is necessary for you to comply with the law (not including contractual obligations).
The processing is necessary to protect someone’s life.
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
Please see a selection of frequently asked questions.
If you have a question that is not covered here, please get in touch with your Customer Success Manager or ask for help on our customer support page.
At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so they can transact quickly, safely and securely with their customers online. We’re proud to operate to the highest standards, both meeting our privacy obligations from around the world to our customers and data subjects, whilst also delivering the innovative solutions our customers expect.
We are continually assessing and evolving our products and as such GBG is pleased to confirm that we will become a Data Controller for some of the products and services we provide to you, moving forwards. This is a standard that other data businesses may not yet be adhering to, but we are setting a standard that regulators around the world are coming to expect.
Becoming a controller means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.
What is the impact of GBG becoming a data controller for my organisation?
We are asking all customers and suppliers to sign updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party. Without an updated agreement we will be unable to continue to provide the service to you.
Why have I been asked to sign a new agreement?
Our existing agreement does not reflect our new position as a data controller and is therefore out of date. As part of our move to becoming a data controller we’ve taken the opportunity to transform our contracting process. We’ve had to make necessary changes to the privacy and data protection obligations to reflect our status as a data controller. We’ve also taken the opportunity to listen to customer feedback and have made further improvements designed to make contracting with us quicker and easier for you. An overview of the changes to our new terms can be found here.
Have GBG made any changes to my service?
In order to meet our controller obligations, GBG requires visibility of what personal data is processed, when, how and who this has been shared with. To achieve this, we have created a GBG Audit Trail for most products* in which we hold evidence of each transaction for 12 months. Retention of this data is necessary to enable GBG to respond when an individual wishes to exercise a data subject right. GBG’s Audit Trail is independent of the one (if you have one), you as GBG’s Customer can control. There have been no changes to your Audit Trail, which you can continue to manage as you see fit, as a separate Independent Controller to GBG.
(*Investigate and Loqate Address services do not have an audit trail as it is not required).
What are the benefits to me as a customer?
Becoming a data controller, means that GBG is taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.
When is this change happening?
This change is occurring now. Our initial focus has been to update our agreements with our data suppliers. We have also made changes to our products to align with our position as a data controller. We are now beginning the process of updating our existing customer agreements in a phased approach.
What is the difference between a data processor and a data controller?
In the GDPR and other privacy regulations a data controller has full control to determine the purposes for processing data and takes full responsibility specifying how the data is used and processed by others, including ensuring legal compliance with data laws.
A data processor simply processes data that the data controller provides to them under specific contractual obligations.
As a data controller, how will GBG comply with data subject rights?
The contracts that we have in place between our customers and our data partners, clearly set out the roles and responsibilities of each party in relation to responses to subject access requests. You as GBG’s customer will be an independent data controller and will continue to have the same responsibility to data subjects as you do today. GBG will continue to support you where needed.
Going forward, GBG will also act an independent data controller. This means that GBG also needs to respond directly to individuals and to achieve this we will need greater visibility of the data we have processed and who we have shared this with. GBG has therefore created and will hold a GBG Audit Trail for a period of 12 months. This is in addition to your own Audit Trail, which you control. The GBG Audit Trail will be retained so GBG can respond to an individual who is exercising their data subject rights with us. This is not further processed by GBG and is recorded as a “point in time” check for the sole purpose of responding to data subject rights, with access to this database restricted to the GBG Privacy Team only.
What changes have GBG made to support their new role as a data controller?
GBG has invested significantly in our Privacy and Data Compliance team, which now has over 20 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future.
We also need to understand how and why our customers use our products and services and will therefore be capturing a Customer Use Case. As a controller, GBG has an obligation to our customers, partners and data subjects to make sure that the use of our products is in line with the GDPR and to achieve this we need to understand how and why those products are used.
Why is GBG a separate and independent controller?
GBG determines which personal data it collects and how or if data is used within our overall product offerings. Whilst we may not choose specifically what data is collected from an individual (often our Supplier, or another third party does this), we still determine which data to collect for use within our products.
Our end customers have no outright control or say in the range of personal data that we collect or suppliers that we engage with in order to provide GBG's overall product offerings. Regardless of specific customer requests, GBG ultimately decides what data is included within our products. In addition to this:
Can GBG be a processor of the Customer Data and a controller of the Supplier Data?
No, this is one processing activity and it therefore it cannot be segregated. In addition, this is captured as one record in GBG’s Audit Trail for the sole purpose of responding to Data Subject Rights. GBG must clearly be able to advise an individual what data we hold on them, who we received it from, what we did with it and who we then shared it with.
Who is the UK Information Commissioner?
The Information Commissioner’s Office, ICO, is the UK’s independent data protection regulatory authority set up to uphold information rights in the public interest. You can find out about the ICO by clicking ico.org.uk
Where can I go for further information?
Please speak to your Customer Success Manager or ask for help on our customer support page.