Why data suppression is key to GDPR compliance

Removing records of deceased customers and updating those of home-movers has long been the nuts-and-bolts of direct marketing, but the GDPR (General Data Protection Regulation) is set to elevate data suppression further up the corporate information management agenda. Here’s why.

Data accuracy is all

Data accuracy lies at the heart of the regulation. It specifies that customer information must be accurate and up-to-date, and that “every reasonable step” should be taken to delete or correct any inaccuracies as quickly as possible.

Holding records of the deceased, or out-of-date information on customers who have moved house (‘goneaways’) is a clear infringement of these rules.

>See also: The road to GDPR implementation: challenges and opportunities ahead

The regulation also stipulates that personal information may only be kept for as long as it fulfils its original purpose. This sounds a further warning to companies who have details of deceased individuals on their database (whether knowingly or not). Unless there is a legal justification for keeping these records, they should be removed as they no longer meet the criteria of serving their initial, legitimate purpose.

Contravening these core principles of data accuracy by not maintaining databases properly could represent a technical breach of the GDPR and incur financial penalties of 4% of global group turnover, or €20 million.

Demonstrating compliance

Accountability is an overarching goal of any regulation, and on this matter the GDPR explicitly states: “The controller shall be responsible for, and be able to demonstrate compliance”.

Proving that your organisation can adhere to the required standards not only reduces risk but displays a transparent and co-operative attitude that the regulator (and your customers) will view favourably.

To this end, many companies are already taking proactive steps to document the type of data they store, the processes they use to maintain it, and – crucially – the effectiveness of those processes.

>See also: Why GDPR is an opportunity for digital transformation in the NHS

If data suppression isn’t included, it is unlikely that your overall approach to compliance will be considered best-practice by the ICO (Information Commissioner’s Office) because it implies that the fundamentals of data cleansing are not in place.

Put simply, if the deceased are not suppressed or flagged in your customer database, it raises question marks over how stringently your records on living customers are maintained and protected.

Breach notification

One of the new obligations of the GDPR is that customers must be notified if their supplier suffers a data breach, and that this must happen without undue delay.

The notification process in itself relies entirely on the health of your database. Those that have not been maintained with sufficient rigour will pose an immediate compliance risk. Without having screened your data for goneaways, how can you be confident that notifications are reaching the intended recipients?

And quite apart from its association with identify fraud, having deceased records on a database (especially one which has been breached) will turn notification into a major headache. From next May, the only way that these firms could issue GDPR-compliant notifications would be to urgently screen data in the wake of a security breach, but this will surely lead to a lengthy delay in their response time and be frowned upon by the ICO.

>See also: One year to GDPR: guide to compliance

Most large companies in financial services, retail and the charity sectors are currently embarking on data reviews as part of their compliance preparations. For the reasons described above, data suppression should form part of this review – even if you are already screening your database.

If you have not reviewed your suppression strategy recently it is unlikely to be GDPR-compliant. Indeed one of the country’s largest insurance companies recently conducted a data suppression evaluation and found it had 100,000 undetected deceased records on its database. In the run up to GDPR enforcement, any organisation that holds customer data simply can not afford to neglect the basics of good data management.


Sourced by Simon McLaven, CEO of The Ark

Download their new whitepaper on GDPR compliance and the role of data suppression here


The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics