Why returned mail won’t cut it as a suppression strategy under the GDPR

Why returned mail won’t cut it as a suppression strategy under the GDPR

At the beginning of March the Information Commissioner’s Office (ICO) published its draft consent guidance for the General Data Protection Regulation (GDPR) which could have far-reaching consequences for UK businesses.

Without the ‘right’ consent in place many businesses may struggle to legitimately send marketing campaigns to their customers and may be required to re-permission their entire customer database. There has been much discussion about the significant impact these changes will have on a business’s ability to engage with their customers and generate revenue from their marketing campaigns. But the change also creates an additional unintended consequence when it comes to data suppression.

Smaller campaign volumes result in a reduction in the amount of returned mail. Many businesses, especially in the banking sector, rely on deceased and gone away notifications from these returns to keep their data up to date and accurate. Without this source of data, they will need to find alternative ways – such as using external suppression files – to keep their databases accurate and compliant.

GDPR is a legal requirement. Failure to comply with the Regulation’s requirements carries the risk of severe financial penalties. The Regulation states that personal information must be kept up-to-date and accurate. Any inaccuracies must be corrected or erased as quickly as possible and personal information should not be kept for longer than the purpose for which it was originally acquired. Deceased data that no longer serves any purpose should therefore be suppressed (if there is no purpose for keeping those deceased records on file). Failure to do so is a clear technical breach of the Regulation.

What’s more, a new requirement of GDPR is breach notification: the ability to notify individuals in the event that data has been lost or stolen. Notification needs to take place without undue delay and only those living persons at risk should be identified. If a business has not suppressed or flagged the deceased in its customer database, it will clearly not be able to meet this requirement. Suppressing in the wake of a data breach is the wrong time to take action.

Failure to put the right processes in place to ensure data remains accurate and up to date could represent a technical breach of the Regulation and incur a financial penalty to the tune of 2 per cent of global group turnover, or €10 million. It is therefore crucial that businesses – particularly those that still rely heavily on returned mail to keep their databases up to date – include suppression within their wider data review as they prepare for May 2018.


Is your deceased suppression strategy GDPR compliant?

Is your deceased suppression strategy GDPR compliant?

If you regularly screen your data using a deceased suppression file you would expect to have clean and accurate data. However, you may be surprised to discover you could still have significant numbers of deceased customers in your database, leaving you at risk of non-compliance.

Unfortunately, it’s a common problem. Misconceptions about suppression files mean many data managers are completely unaware that solutions they have been using for years are failing to suppress all their deceased data. What’s more, because they believe they’re working the problem often goes undiscovered for many years.

Over time this results in large numbers of undetected deceased records and inaccurate non-compliant data. With GDPR being implemented since May 2016 the consequences could be serious and far reaching. So how can companies make sure their strategy doesn’t fall short of the standards required?

Here, we dispel some common misconceptions and offer guidance on what every data manager needs to know about deceased suppression.

You don’t need to evaluate your deceased suppression strategy

You do.

Firstly, keeping personal data accurate and up-to-date, and deleting or rectifying inaccurate data, is a compliance requirement, not a nice to have. A lack of awareness of how your suppression strategy is performing is unlikely to be accepted as an adequate excuse for holding inaccurate data. For more information on the rules and standards set out by GDPR download the ICO’s overview.

Secondly, the suppression market has evolved, products have changed. If you’ve been using the same file for several years it may contain very different data today, then when it was first licensed. And that may mean it’s no longer effectively removing your deceased customer data.

We recommend you evaluate your strategy at least once every three years. It’s a simple process and provides assurance that your solution is still fit for purpose and remains compliant.

If you use a bureau to manage your data suppression most will be happy to audit your data free of charge, and share the results so any ‘gaps’ in strategy can be addressed.

KEY TAKE-OUT: Evaluate your suppression strategy at least once every three years to ensure it’s working effectively and your data remains compliant. When using a bureau, make sure you understand any suppression strategy decisions they make on your behalf and the reasons for making them.  Question them if you don’t understand as it’s your responsibility to explain your data suppression strategy under GDPR.


If you are using a deceased suppression file your customer data is compliant

Whilst this may be true, the only way to be certain is to evaluate all the suppression files in the market and implement a solution that is accurately removing all your deceased data. There are two important questions to ask:

  1. Is your solution removing all your deceased data?
    Are you certain that the solution you are using is the ‘right’ one for your data? It’s important to understand how each of the market suppression files performs before deciding.  Relying on a single suppression file rarely identifies all known deceased.
  1. Can you trust that the data is accurate and reliable?
    Does the suppression data have a strong provenance? You need to understand how the data is sourced and verified: How many sources and types of data have been used to create the file? How have they been collected? Is the data derived or volunteered?  How has the data been verified? Verification is critical; if an individual is identified as deceased across several independent data sources it corroborates accuracy.  Volunteered data is rarely as accurate as data captured as the result of a transaction (a policy being cashed-in or cancelled for example).

KEY TAKE-OUT: Evaluate to ensure your solution is removing all your deceased customer records. Always check how the suppression data has been sourced and verified. Data that reaches the market quickly has a commercial advantage – the process of verification takes time – so always check the suppression data you license has undergone stringent checks.


All deceased suppression files are the same

They’re not.

Although it’s true that all the suppression files on the market have a level of overlap, they contain different data sources that have been collected and verified in different ways. Each file will contain ‘unique data’ that will never be found on any other file. And if those unique customers happen to be in your database, but not in your suppression file, your customer data will remain inaccurate.

One of the UK’s largest insurers recently evaluated all the leading market deceased suppression files and found their database contained over 89,000 deceased customers. This worryingly large number had gone undetected by all the suppression files they previously relied upon to keep their data clean.

Also, don’t be fooled into thinking that the overall size of a deceased suppression file is all that matters.  It’s important to audit how many deceased records each file identifies on your own customer data and how recent those deceased records are. Biggest isn’t always better.

KEY TAKE-OUT: The overall size of a deceased suppression file isn’t all that matters. Unique data is an important factor to consider when choosing a suppression file; those deceased customers may be sitting in your database.


You only need one deceased suppression file

This is a rather bold marketing claim and one that we don’t feel is justified. Even though our deceased suppression file contains at least 30% unique data when compared to the other two market leading files, saying you only need to rely on one file alone is certainly not a claim that we would make.  The only way to be sure you have the right file(s) is to evaluate all the options and choose the combination that performs best for your business.

KEY TAKE-OUT: Always evaluate suppression files to choose the optimal blend of files, you won’t achieve adequate coverage and protection with just one file.

With the introduction of GDPR in May 2016, there’s never been a more important time to make suppression a priority. With so many common misconceptions about data suppression leading to inadequate solution choices, it’s imperative that data managers evaluate all the available options and base their file selection on fact. It’s the only way to be sure that the solutions they chose deliver reliable and accurate results and help them to achieve compliance with GDPR

How reusing your password could result in identity theft

How reusing your password could result in identity theft

A growing number of companies are disclosing data breaches that involve large amounts of stolen user credentials data such as emails and passwords. The companies involved are quick to reassure customers that the stolen data does not include account or financial details and that passwords are obscured. However, consumers who use weak passwords and reuse the same ones across multiple websites are more vulnerable to hacker attacks and could end up the victim of identity theft.  With two out of every three data breaches involving some use of stolen or misused user credentials the risks really shouldn’t be ignored.

How safe is your data?

Whilst it’s true that most passwords on websites are typically obscured this does not mean they are impenetrable.  Most passwords are obscured using a method called Hashing or Salting; Hashing converts passwords into a fixed number of random characters while Salting adds a secret value to the end. Whilst both methods make it difficult for hackers to decipher the password, given enough time it may be possible, especially if the password uses a simple format and structure.

User names, emails, and passwords also provide hackers with the data they need to carry out credentials stuffing attacks where data is integrated into software that automatically attempts email/password combinations and hacks into different websites. Where people use the same usernames and passwords across multiple sites it becomes easy for the software to crack the combination. Hackers can then steal additional personal information including financial details or change a user’s login and take control of their account.

Several UK businesses have recently become victims of credentials stuffing attacks including Camelot, where data from previous breaches was used to access UK National Lottery accounts and online takeaway firm Deliveroo, where the attack resulted in customers being charged for food they didn’t order.

How your data can be used to commit identity theft

Once an account has been hacked stolen personal data is often sold on the Dark Web. Both personally identifiable information, the most stolen data type, and financial data can be purchased by criminals and used to commit identity theft, the fastest growing crime in the UK. According to Fraudscape’s 2016 report, Identity theft accounts for 53% of all frauds in the UK and 86% are committed online. This type of fraud uses real consumer data rather than fictitious names and addresses and is therefore very difficult to detect. Criminals also hack and sell on deceased individual’s data which is particularly valuable as identity theft committed using a deceased person’s information usually goes undetected for longer. Organizations can help combat deceased identity theft by using a detection service such as The Ark’s National Deceased Register Monitor which blocks fraudulent applications and helps prevent these crimes.

What can consumers do to help protect their personal data?

  • Always use strong/complex passwords with symbols, numbers, and capitals
  • Never share passwords across multiple websites
  • Change passwords regularly; anyone using a password that is several years old should change it as soon as possible
  • Use a password manager

Remembering a strong password is difficult, and doing this for every website just about impossible, so we advise using one of the many password management tools available. The tool should be installed and all passwords changed so that every single one is different, long, and hard to crack. They provide a simple and safe way to keep track of multiple passwords and help consumers avoid becoming an easy target for hackers.

Whilst it’s true that stolen credentials are lower risk than financial information, they can result in serious consequences, especially for consumers who reuse their passwords.

For more information on the prevention of identity theft visit the cifas website https://www.cifas.org.uk/identity_fraud

View the CIFAS Fraudscape report here https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf

Identity fraud victim’s £500k home put on market

Identity fraud victim’s £500k home put on market

A gang has been identified and two men jailed after being found guilty of committing identity fraud. The victim, Minh To of Stockport, Greater Manchester was targeted by criminals who transferred the deeds of his £500,000 five-bedroom home and attempted to auction his property.

The fraudsters targeted Mr To’s mail and stole utility bills. They then forged his signature and transferred the deeds of his home falsifying the documentation required to auction his property. Mr To was alerted to the deception by his daughter who saw his home on Rightmove for sale just three days before the auction was due to commence.

This case further highlights the risks of fraudsters intercepting mail and using it to commit identity fraud; one of the fastest growing crimes which is estimated to cost the UK approximately £5.4 billion per year.*

Criminals often target mail as it can contain lots of personal information. The most obvious of these being financial details such as bank statements and credit and debit cards. Unfortunately, consumers are often less aware of the risk of other mail, much of which still contains a wealth of information that fraudsters can put to good use.

How to avoid being the victim of identify fraud

The safest way to avoid being targeted is to ensure that all mail is safe. If a consumer moves home, they should change their address with all organisations that send them mail as soon as possible to ensure it doesn’t end up in the wrong hands. Unfortunately, we know that this doesn’t happen in practice and many people simply forget to tell everyone. In fact, research shows that when asked to rank the organisations that people would tell when they were moving house respondents categorised just five types as ‘essential to inform’.

Typically, the top tier was advised of a new address within three weeks of a move. Important organisations were told within two months and non-essential organisations (including many heavy direct markers such as retail, charity, and entertainment) were not told at all.

We always advise our clients sending mail to screen their data against goneaway and deceased suppressions to help to minimise the impact of mail not reaching the intended recipient. It’s not enough to rely on consumers updating their personal details. With ‘potential opportunities for fraud’ to add to the long list of reasons to screen data, it’s easy to see why it’s a no brainer for any responsible marketer.

* Source – Annual Fraud Indicator 2016, PKF & Experian.

Hiscox award winning campaign leads the way in mail innovation

Hiscox award winning campaign leads the way in mail innovation

This week sees the announcement of the winners of the DMA annual awards where Hiscox in conjunction with WDMP has picked up Silver for their best use of mail.

Why we love this campaign

The Ark team really love this campaign; it’s refreshing to see such a highly-targeted use of mail clearly demonstrating its value in the marketing mix. A successful direct mail campaign relies on accurate data, excellent targeting, innovative design and a great campaign strategy; the Hiscox campaign has it all.

Why did Hiscox choice responsive mail?

Hiscox chose responsive mail to reduce the reliance on less effective PPC channels. Their objective was to create standout in a highly cluttered market driving direct quotes. Mail was the perfect choice for this strategy as it enabled Hiscox to deliver a highly targeted, creative campaign to their target audience of high-net worth households. Clever use of in-market insurance data was correlated against a UK wide file using household income and property type/value as well as insight derived from their known insurance premiums to ensure the targeting was as precise as possible improving relevancy for the recipient. The challenge was to target these individuals and highlight that their current insurance cover may not be providing the level of protection they need, leaving them underinsured.

Listening to customer calls helped Hiscox identify a common oversight; customers would remember to insure large ticket items such as jewellery, watches and antiques but would overlook the day-to-day. This insight helped drive the creative strategy and messaging ‘are all the things you love covered’. The creative used an antique wardrobe which opened to reveal a number of designer items that may not be covered by other insurers.

The end result

The campaign was highly successful and delivered Hiscox their most successful month ever. This clever use of mail clearly demonstrates that insight driven targeting and use of data combined with compelling creative creates a highly successful mail campaign. It’s great to see brands like Hiscox leading the way in mail innovation, well done guys, such a beautifully executed campaign and well deserving of this award. See full details on the award winners here.