The Ark passes rigorous independent data compliance audit by the DMA

The Ark passes rigorous independent data compliance audit by the DMA

Martin Jaggard, Managing Director of The Ark 

Oxfordshire-based data specialist – The Ark – has been accredited after passing the Data & Marketing Association (DMA) rigorous and thorough compliance audit process. Membership of the DMA is an endorsement that The Ark is a dedicated and responsible marketer.  

The Ark – which was created in 2003 – is the market-leader in helping companies of all sizes combat identity fraud and ensuring that they comply with legal regulations including GDPR. Its services include the National Deceased Register (NDR) – the country’s most accurate and reliable deceased identification file and Re-mover Goneways – which captures over 90% of all movers in the UK. 

All DMA members are subjected to a lengthy and evidence-driven process before receiving accreditation.  In the case of The Ark, it looked for evidence of its understanding of GDPR and how it was applied to the creation of identification files. It also focussed on the due diligence The Ark undertook for each data source it uses. All data companies offering PII data have to undergo this audit once every 3 years. The DMA comprises the Data and Marketing Association and the Institute of Data & Marketing (IDM) and represents over 1,000 members across the UK’s data and marketing landscape.

“The updated compliance process ensures that DMA Members continue to work to the highest standards, and that Membership remains a badge of accreditation that can be trusted in a data-driven world” commented DMA Managing Director, Rachel Aldighieri.

The Ark Managing Director, Martin Jaggard is delighted to be recognised by the DMA “Identity fraud is the UK’s fastest growing crime and with our existing products and those in development, we are in pole position to help our clients combat the threat. We are pleased that the DMA has recognised The Ark as dedicated, responsible marketers. We have worked through the COVID-19 pandemic to ensure that our clients have received faultless service and look forward to their, and indeed our continued success for the rest of this year and into the next”.

CoviDirect Mail best practice

CoviDirect Mail best practice

Simon McLaven, CEO of The Ark 

This year we have seen the shocking death toll from Coronavirus and are still witnessing its devastating effect on much of the UK economy. Everyone has been, and continues to be, affected by the pandemic. 

As we work towards the new normal, I have spoken to numerous marketing practitioners many of whom are facing a similar challenge – the need to increase direct mail activity in order to recover revenue lost during the last six months and more significantly, remain sensitive to the mood of the country. 

In the planning of a direct mail campaign, it’s important to know that mailing deceased individuals can not only lead to a costly GDPR breach; but is also one of the most frequent complaints received by the Information Commissioner. 

No one wants to cause distress through their marketing activities, particularly while the whole country is feeling vulnerable. Mailing deceased records can also damage your brand reputation and, right now, you really need to be building strong relationships. 

Today more than ever, it’s critical to make sure that mailing files contain as few deceased records as possible, preferably none. The question I frequently hear is – can I do more to stop mail arriving with a recently bereaved relative? 

Unless you are already using The Ark for deceased suppressions, the answer is almost certainly – Yes, you can do more. Here are 4 things to think about when planning your data suppression: 

1. Ensure your suppression strategy has comprehensive coverage 

You may well work for one of the many companies who license just one deceased suppression file. If so, you could unknowingly be putting your brands at risk. A single source of deceased data rarely provides the complete coverage that you need and the differences between deceased suppression files can be significant. 

Evaluations of The National Deceased Register – exclusive to The Ark – shows that more than 30% of its data, about a third of deceased individuals, do not appear in other deceased suppression file. If you’re not using The National Deceased Register, you could be at risk of mailing a significant number of deceased individuals in your database.


2. Remain in control of key decisions about your data when outsourcing 

Even if you’re outsourcing to a good data processing bureau, keep in touch with them regularly to make sure you fully understand which deceased suppression files are being used for your mailing. It is vital to stay in control of what happens to your data. The data controller is obliged to protect personal data against loss or compromise and have clear, legally ratified, agreements in place with the processor so that the processor can only act on the instructions of the controller. Clearly, abdicating responsibility for data screening or being unaware that screening is not being done properly, is contrary to GDPR and therefore contrary to the law. The cost of a data breach can be up to €20 million – about £18 million –  or 4% of annual global turnover whichever is greater. As a data controller, you can’t afford to be ignorant about data processing.


3. Don’t bypass stringent data checks and processes 

The direct mail process is losing experience and continuity in this Covid 19 era. 

Marketing teams are becoming fragmented through redundancy and furlough. As remaining staff work from home without the immediate support of experienced colleagues, attention to deceased suppression could easily fall through the net; this can be exacerbated if there is pressure to implement campaigns quickly to help businesses recover. 

Companies rushing to market while unknowingly mailing deceased individuals could see their brand reputation seriously damaged.


4. Always test your suppression strategy 

All deceased suppression files have a level of overlap, however The Ark’s file holds more than 90% of all deaths. We will work with you to provide a free evaluation of your data as part of our commitment to helping you minimize the risk of mailing deceased individuals. 

Management information gained from this type of test match will demonstrate how many deceased customer records are not being identified using your current deceased suppression, as well as showing the significant savings available. 

One of the UK’s largest insurers recently carried out such a test and found that, of its database of 22 million records, almost 100,000 individuals, flagged as live, were actually deceased. This worryingly large number had gone undetected by all the suppression files it had previously relied upon to keep its data up-to-date. 


It is so important at this time that customers can rely on their personal data being treated with respect. Mailing the deceased and upsetting newly bereaved families is a surefire way to destroy the brand loyalty and values that you have worked so hard to build. 

We at The Ark, see the bigger picture; spending a small amount of money can protect your customers’ families and protect your brand reputation.

Is poor data sabotaging your campaign performance?

Is poor data sabotaging your campaign performance?

Complacency when it comes to data suppression could be sabotaging your campaign performance and may also derail your GDPR compliance plans.

That’s the reality facing even those marketers who already use deceased and gone-away suppression services but who do not regularly evaluate their providers and put the health of their databases to the test.

Holding out-of-date records (whether knowingly or not) is a clear infringement of several key areas of GDPR, not least the basic principle of data accuracy. What’s more, you need to demonstrate compliance – and that means being able to prove the effectiveness of your suppression solution.

So what are the starting points to creating a watertight suppression strategy?

Guard against inertia

Despite the widely adopted practice of supplier switching in the consumer arena to reduce costs or improve services, there is often much resistance within businesses. This may be because the decision-makers are also responsible for implementation and it is simply easier to stick with the status quo rather than tinker with something that is deemed to be working. Sometimes there is also the perception that change would cause unnecessary upheaval to the wider IT systems in which suppression is embedded.

Whatever the reason, relying on outdated legacy suppression files will certainly result in deceased and goneaway data slipping through the net.

Your chosen suppression files should be evaluated regularly to make sure they are doing their job – reducing campaign wastage, providing the building blocks for advanced data insight and keeping you compliant.

Be rigorous in supplier management

In our experience, much of the procurement decision-making in suppression is still reliant on human judgement rather than an objective data evaluation. But GDPR (and the threat of large fines) is likely to change this.

Each organisation needs to have a structured approach to supplier evaluation, selection and review. This should be underpinned by clearly defined criteria and well communicated processes, so that you can make evidence-based decisions that will stand up to scrutiny. Indeed the evaluation in itself would provide valuable supporting evidence to the ICO that you are taking proactive steps to keep your databases as clean and compliant as possible.

Don’t put all your eggs in one basket

Every supplier of suppression data should be included in your evaluation. This is because relying on a single file rarely identifies all known deceased, and it is simply wrong to claim otherwise. Although there is a degree of overlap, each file is created from different data sources and you need to understand how they vary in terms of data provenance, verification method, speed to market and proportion of unique records.

Take the example of one of the country’s largest general and life insurers. They recently evaluated our flagship product, the National Deceased Register (NDR), and found 89,000 deceased customers that had gone undetected by the two deceased suppression files they had been relying on for decades. This clearly illustrates the risks of relying on legacy suppression files without evaluating newer entrants in the market.

Plus, suppression services are evolving with new, innovative products coming on to market so keeping on top of the latest developments will ensure you remain ahead in data strategy.

Beware ‘biggest is best’ claims

One of the most misleading selling points from data suppliers is file size. We are proud to say that a recent independent evaluation of the main files on the market revealed the NDR as having the highest proportion of unique records despite being the smallest file.

So why does file size vary so dramatically? Some include records that date back to the mid-1980s, whereas we have chosen only to include deaths notified from the turn of the century. It is our view that older data is redundant because any organisation that has licensed suppression files in the past will already have flagged or deleted these customers. Also, some files are inflated by the inclusion of individuals who are thought to have died but where further verification is necessary. We stringently check our data and filter out those that remain unconfirmed.

Marketers and GDPR – Heads in the sand?   

Marketers and GDPR – Heads in the sand?  

Simon McLaven, CEO of The Ark 

We have all read the plethora of statistics that point to the country’s lack of preparedness for GDPR. Yet speaking to many data managers, CIOs and compliance officers over the last few months, I do not believe that this corporate inertia is simply a matter of marketers burying their heads in the sand.  There is a growing feeling that all levels of the organisation – from backroom to boardroom – remain genuinely unclear about certain aspects of the Regulation, especially the issue of consent, and that this confusion is paralysing compliance efforts.

Sadly, firms are being deterred from progressing with the necessary overhaul of their strategies and systems due to the dearth of detailed guidance on the practicalities of GDPR implementation. The DMA Group has recently added their voice to calls for greater clarification – from the ICO in particular – to bring an end to this state of limbo. The RNLI case – where a database repermissioning project from last year may fall foul of newer guidelines – will cause increasing frustration among marketers (and rightly so) because it penalises what should be a laudable, best-practice example of proactivity. This type of publicity sends out all the wrong messages, actively discouraging organisations from giving the green light to their plans for fear of having to go over the same ground twice. Let’s hope that common sense prevails.

Put simply, the ongoing uncertainty is no excuse for delaying all GDPR preparations. In fact, waiting for guidance about the opt-in model could mean losing valuable time in the race to shape up for one of the most basic elements of compliance – data quality. The overarching principle of data accuracy is enshrined in the Regulation in crystal clear terms: Chapter II, Article 5 (1d) states that personal data must be kept accurate and up-to-date, and that “every reasonable step” must be taken to make sure that inaccuracies are “erased or rectified without delay.”

This means that databases must be maintained to the highest possible standards which includes suppressing or updating the records of deceased or goneaway customers. This is an area in which many companies have become complacent, believing that the legacy suppression files they have relied upon for years will do the job. It’s a risky assumption – and at worst could lead to a technical breach of GDPR with its hefty financial penalties. Aside from the commercial benefits to be gained by boosting the accuracy of customer data, it is also worth bearing in mind that healthy databases will be the cornerstone of any repermissioning exercise.  With the costs of customer acquisition set to rise in the GDPR era, now is not the time to lose track of valuable, opted-in customers when they move home.

The clock is ticking and companies that push ahead with their preparations now – especially in the fundamentals of database management – will reduce the likelihood of being thrust into a reputation-damaging, last-minute compliance panic as the enforcement date looms.


New whitepaper gives lowdown on your GDPR suppression obligations and opportunities

New whitepaper gives lowdown on your GDPR suppression obligations and opportunities

We’ve just published a new whitepaper in conjunction with DataIQ to help steer your GDPR preparations, including a detailed suppression strategy checklist.

We are delighted to offer you a free-of-charge, independently written whitepaper that gives you the lowdown on the role of data suppression in GDPR compliance, including a detailed suppression strategy checklist to get your preparations on the right track.

The GDPR will be enforced from May 2018 with data accuracy as one of its core principles. It requires that organisations keep customers’ personal information up-to-date and that any inaccuracies be corrected or deleted as quickly as possible. Suppressing the records of deceased customers and updating those of home-movers are inherent obligations, and failure to do so could incur a fine of 2% of global turnover.

Our CEO, Simon McLaven, comments: “Many marketers are occupied with the high-profile elements of the GDPR such as consent and privacy, but they should not overlook the fundamentals of data accuracy. Poor quality databases have long been the bane of marketing but now they could put you on the wrong side of the law.

“Under the GDPR, all types of marketers – including digital and B2B – need to screen their data using suppression files. In our experience, many companies think that they have suppression covered but usually they lack insight into its performance and may well find that their strategy isn’t actually GDPR-compliant.”

Our new whitepaper examines the Regulation in detail and illustrates how you can use suppression files to adhere to the GDPR but also to deliver tangible commercial payback, for instance by improving your campaign performance, reducing costs, boosting customer engagement and protecting brand reputation.

The whitepaper is free to download here.



Why returned mail won’t cut it as a suppression strategy under the GDPR

Why returned mail won’t cut it as a suppression strategy under the GDPR

At the beginning of March the Information Commissioner’s Office (ICO) published its draft consent guidance for the General Data Protection Regulation (GDPR) which could have far-reaching consequences for UK businesses.

Without the ‘right’ consent in place many businesses may struggle to legitimately send marketing campaigns to their customers and may be required to re-permission their entire customer database. There has been much discussion about the significant impact these changes will have on a business’s ability to engage with their customers and generate revenue from their marketing campaigns. But the change also creates an additional unintended consequence when it comes to data suppression.

Smaller campaign volumes result in a reduction in the amount of returned mail. Many businesses, especially in the banking sector, rely on deceased and gone away notifications from these returns to keep their data up to date and accurate. Without this source of data, they will need to find alternative ways – such as using external suppression files – to keep their databases accurate and compliant.

GDPR is a legal requirement. Failure to comply with the Regulation’s requirements carries the risk of severe financial penalties. The Regulation states that personal information must be kept up-to-date and accurate. Any inaccuracies must be corrected or erased as quickly as possible and personal information should not be kept for longer than the purpose for which it was originally acquired. Deceased data that no longer serves any purpose should therefore be suppressed (if there is no purpose for keeping those deceased records on file). Failure to do so is a clear technical breach of the Regulation.

What’s more, a new requirement of GDPR is breach notification: the ability to notify individuals in the event that data has been lost or stolen. Notification needs to take place without undue delay and only those living persons at risk should be identified. If a business has not suppressed or flagged the deceased in its customer database, it will clearly not be able to meet this requirement. Suppressing in the wake of a data breach is the wrong time to take action.

Failure to put the right processes in place to ensure data remains accurate and up to date could represent a technical breach of the Regulation and incur a financial penalty to the tune of 2 per cent of global group turnover, or €10 million. It is therefore crucial that businesses – particularly those that still rely heavily on returned mail to keep their databases up to date – include suppression within their wider data review as they prepare for May 2018.