Loqate, a GBG solution
Loqate

On this page, we answer a few of the most commonly asked questions concerning privacy, including our role in data protection, data sharing and compliance.

Introduction to privacy awareness and Kate Lewis, Data Protection Officer, GBG.

Hi, I’m Kate Lewis, I lead GBG’s Privacy Team and I’m also GBG’s Data Protection Officer under GDPR. For other legal entities or in other jurisdictions we may have different representatives.

I’ve been with GBG since 2006 when I joined as a Product Manager. From there I looked after Data Contracts, which naturally led to Privacy and Data Compliance. I recruited my first privacy expert at the start of 2015 and my team have now grown to over 20 of us globally.

Essentially my team have 3 key areas to help ensure GBG adhere to privacy regulation, which we know is important for you too, especially when we processing your Customer data. These include:

  • Data Protection Managers who ensure we have the right controls in place so we can achieve compliance with privacy legislation
  • Data Subject Rights team who manage requests from individuals and our data suppliers
  • Data Audit team who review third party due diligence, auditing customers, suppliers and internally for compliance with privacy legislation and our data licences from our data suppliers.

Implemented in 2019, GBG utilise OneTrust to underpin our global privacy management program. This has been working really well for us and helps ensure we have the right processes, controls and evidence to support compliance with privacy legislation globally.

Is GBG a Data Processor or Data Controller?

I often get asked if GBG is a Data Processor or Data Controller and my answer back is “it depends”. We complete a robust assessment and document this outlining GBG’s role.

In the GDPR and other privacy regulations a data controller has full control to determine the purposes for processing data and takes full responsibility specifying how the data is used and processed by others, including ensuring legal compliance with data laws. A data processor simply processes data that the data controller provides to them under specific contractual obligations.

For many of GBG’s products and services, such as Data Maintenance, we are a separate independent data controller to our customer because we develop the software which matches the data to third party supplier data we have identified.

GBG being a separate independent data controller does not mean we can do what we want with your customer data. In the simplest form, it means we keep a log of all transactions, which happen at a point in time, so if an individual asks, we can tell them who we have shared their personal data with.

Becoming a data controller, means that GBG is taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.

What are the lawful bases for processing data under GDPR, and why do we need to select one?

GDPR sets out six ‘lawful processing conditions’ for processing personal data. At least one of these must apply in order for data to be processed lawfully. These are:

  • 1. Consent.This must be freely given, specific, informed and unambiguous. It requires a clear affirmative action from the data subject and we must be able to evidence it was given.
  • 2. Contractual necessity.This is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • 3. Compliance with a legal obligation.This is where an organisation needs to comply with a law. For example, in the UK, employers need to process personal data to comply with their legal obligation to disclose employee salary details to Her Majesty's Revenue and Customs (HMRC).
  • 4. Vital interests.Processing must be necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent. For example, serving a humanitarian purpose (e.g. monitoring epidemics) or in connection with humanitarian emergencies (e.g. disaster response).
  • 5. Public interest.This must be necessary for the performance of a task carried out in the interest of the public or in the exercise of an official duty.
  • 6. Legitimate interest.Processing must be necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The expectations of data subjects should be considered when assessing whether our legitimate interests are outweighed by the interests of the data subject, which requires completing a balancing exercise.

The ICO has some really helpful guidance on their website to support you with this if you are unsure.

Why are we being asked to provide a processing ‘use case’ and what are they?

A Customer Use Case describes what you are using our services for. As a data controller we need to understand this to allow us to meet our obligations, in the same way you need to justify your processing as a Data Controller. We have to be clear as to why we are processing personal data to comply with applicable data protection laws, fulfil our licensing obligations to data suppliers and meet an individual’s expectation of how their data will be processed.

We recognise our customers use our products and services differently, so we have considered this. If you would like to use a GBG service in a different way, then let us know. We can assess this to ensure using data in this way is possible, as in addition to privacy legislation, we have contractual restrictions with our data suppliers, and it depends on what an individual has been told at the point of capture.

Why do you need to know the name of our Data Protection Officer?

There are a couple of reasons why we need to know who your Data Protection Officer is. Under the UK Data Protection Act, UK GDPR and EU GDPR, GBG, and you will also have the same obligations.

We must each have a “Record of Processing” for any entity we share personal data with. The DPO name and contact details is a mandatory part of this record. Secondly, if there was a data breach, we would be required to contact within 72 hours therefore need this information readily available.

GBG’s DPO contact details are:

Kate Lewis with the email address DPO@gbgplc.com and phone number 01244 657277.

How long do GBG hold customers’ data for, and how can we be sure that it will not be used for any other purpose than for that we have permitted within the agreement?

The contracts that we have in place between our customers and our data partners, clearly set out the roles and responsibilities of each party in relation data retention. You as GBG’s customer will be an independent data controller and will continue to have the same responsibility to data subjects as you do today. GBG will continue to support you where needed.

GBG acts as separate independent data controller. This means that GBG also needs to respond directly to individuals and to achieve this we will need greater visibility of the data we have processed and who we have shared this with. GBG has therefore created and will hold a GBG Audit Trail for a period of 12 months. The data is a log of a transaction at a point in time. It is not further processed or shared with third parties. Access is limited to the privacy team for the sole purpose of responding to an individual who has asked GBG what data we hold on them and who has we shared it with.

Data retention is covered in the terms and conditions for the service you take from GBG and it will vary, for example for Data Maintenance customer data and copies of any input files are automatically deleted after 90 days, unless you specific a shorter period.

Where will our data be stored and processed, and specifically will it be processed outside of the EEA?

For Data Maintenance, the vast majority of our processing is within the UK. There is a small minority of services where we do process outside of the UK, for example if you would like us to check if an email address is valid, this is transferred to the US. We make it really clear to you when a data transfer happens via our Terms & Conditions, with Additional Terms specific to different services. As Data Controllers we each need to assess data transfers, so need to understand where data is collected, stored and processed.

How can we be sure that the third-party data you are processing our data against has been captured fairly, lawfully, and transparently?

To have confidence the third-party data GBG process customer data against has been gathered and shared lawfully, we have implemented a robust due diligence program. We have a recruited a dedicated data audit team to manage this process.

Data Suppliers must complete due diligence before we start using them and on a periodic basis to ensure standard are maintained. Data Suppliers must answer a very detailed questionnaire where they demonstrate data has been gathered lawfully, they disclose their lawful basis for processing, the source of the data, a copy of their privacy notice, how this data can be used by GBG and our Customers to mention a few areas we review.

DD questionnaires and DPIAs for data suppliers are mandatory here at GBG. We are also able to, and do, conduct desk-based research and onsite audits, plus monitor the quality of data via our production processes and data subject rights. GBG’s reputation is important to us – it’s important we operate lawfully and can evidence the assessments if asked by individuals or a regulator.

When we use Loqate to append contact information, what are we permitted to use this data for?

Appending is where the customer is required to ensure personal data is accurate and up-to-date, therefore you may wish to append new contact details for an individual where you have a right or obligation to do so.

None of the contact data GBG append, e.g. an email address or phone number has been gathered for marketing purposes as we do not believe from our due diligence we could evident this is compliant under PECR.

As you are a separate independent controller to GBG, it is up to you to decide if you have the right to append a phone number for an individual whose data you hold. What did you tell them at the point of capture? Would this be in their expectations? For what purposes can you process this data? You must be able to justify this if asked by an individual so we would suggest speaking with your privacy or legal contact within your organisation if you have any questions.

How can we be sure that Loqate/GBG will hold our data securely and not increase the risk of a data breach?

At GBG we use several industry recognised standards and frameworks that ensure appropriate security controls are in place to ensure any data stored or processed is protected to minimise the risk of a data breach. GBG currently hold ISO27001 certification, have Cyber Essentials and are PCI DSS compliant within Loqate and ID3global. GBG has a dedicated and experienced Information Security team, including a 24/7 security operations centre that responds to any event or notification for investigation to uphold the security posture of GBG. Therefore, GBG have eyes and ears on the threats and threat actors that are likely to be attracted to GBG and the data that as an organisation is processed. GBG takes technical and organisation measures very seriously.