Complacency when it comes to data suppression could be sabotaging your campaign performance and may also derail your GDPR compliance plans.
That’s the reality facing even those marketers who already use deceased and gone-away suppression services but who do not regularly evaluate their providers and put the health of their databases to the test.
Holding out-of-date records (whether knowingly or not) is a clear infringement of several key areas of GDPR, not least the basic principle of data accuracy. What’s more, you need to demonstrate compliance – and that means being able to prove the effectiveness of your suppression solution.
So what are the starting points to creating a watertight suppression strategy?
Guard against inertia
Despite the widely adopted practice of supplier switching in the consumer arena to reduce costs or improve services, there is often much resistance within businesses. This may be because the decision-makers are also responsible for implementation and it is simply easier to stick with the status quo rather than tinker with something that is deemed to be working. Sometimes there is also the perception that change would cause unnecessary upheaval to the wider IT systems in which suppression is embedded.
Whatever the reason, relying on outdated legacy suppression files will certainly result in deceased and goneaway data slipping through the net.
Your chosen suppression files should be evaluated regularly to make sure they are doing their job – reducing campaign wastage, providing the building blocks for advanced data insight and keeping you compliant.
Be rigorous in supplier management
In our experience, much of the procurement decision-making in suppression is still reliant on human judgement rather than an objective data evaluation. But GDPR (and the threat of large fines) is likely to change this.
Each organisation needs to have a structured approach to supplier evaluation, selection and review. This should be underpinned by clearly defined criteria and well communicated processes, so that you can make evidence-based decisions that will stand up to scrutiny. Indeed the evaluation in itself would provide valuable supporting evidence to the ICO that you are taking proactive steps to keep your databases as clean and compliant as possible.
Don’t put all your eggs in one basket
Every supplier of suppression data should be included in your evaluation. This is because relying on a single file rarely identifies all known deceased, and it is simply wrong to claim otherwise. Although there is a degree of overlap, each file is created from different data sources and you need to understand how they vary in terms of data provenance, verification method, speed to market and proportion of unique records.
Take the example of one of the country’s largest general and life insurers. They recently evaluated our flagship product, the National Deceased Register (NDR), and found 89,000 deceased customers that had gone undetected by the two deceased suppression files they had been relying on for decades. This clearly illustrates the risks of relying on legacy suppression files without evaluating newer entrants in the market.
Plus, suppression services are evolving with new, innovative products coming on to market so keeping on top of the latest developments will ensure you remain ahead in data strategy.
Beware ‘biggest is best’ claims
One of the most misleading selling points from data suppliers is file size. We are proud to say that a recent independent evaluation of the main files on the market revealed the NDR as having the highest proportion of unique records despite being the smallest file.
So why does file size vary so dramatically? Some include records that date back to the mid-1980s, whereas we have chosen only to include deaths notified from the turn of the century. It is our view that older data is redundant because any organisation that has licensed suppression files in the past will already have flagged or deleted these customers. Also, some files are inflated by the inclusion of individuals who are thought to have died but where further verification is necessary. We stringently check our data and filter out those that remain unconfirmed.
If you would like to evaluate your data simply download our free evaluation tool here. You can download our new whitepaper on GDPR compliance and the role of data suppression here.
Simon McLaven, CEO of The Ark
We have all read the plethora of statistics that point to the country’s lack of preparedness for GDPR. Yet speaking to many data managers, CIOs and compliance officers over the last few months, I do not believe that this corporate inertia is simply a matter of marketers burying their heads in the sand. There is a growing feeling that all levels of the organisation – from backroom to boardroom – remain genuinely unclear about certain aspects of the Regulation, especially the issue of consent, and that this confusion is paralysing compliance efforts.
Sadly, firms are being deterred from progressing with the necessary overhaul of their strategies and systems due to the dearth of detailed guidance on the practicalities of GDPR implementation. The DMA Group has recently added their voice to calls for greater clarification – from the ICO in particular – to bring an end to this state of limbo. The RNLI case – where a database repermissioning project from last year may fall foul of newer guidelines – will cause increasing frustration among marketers (and rightly so) because it penalises what should be a laudable, best-practice example of proactivity. This type of publicity sends out all the wrong messages, actively discouraging organisations from giving the green light to their plans for fear of having to go over the same ground twice. Let’s hope that common sense prevails.
Put simply, the ongoing uncertainty is no excuse for delaying all GDPR preparations. In fact, waiting for guidance about the opt-in model could mean losing valuable time in the race to shape up for one of the most basic elements of compliance – data quality. The overarching principle of data accuracy is enshrined in the Regulation in crystal clear terms: Chapter II, Article 5 (1d) states that personal data must be kept accurate and up-to-date, and that “every reasonable step” must be taken to make sure that inaccuracies are “erased or rectified without delay.”
This means that databases must be maintained to the highest possible standards which includes suppressing or updating the records of deceased or goneaway customers. This is an area in which many companies have become complacent, believing that the legacy suppression files they have relied upon for years will do the job. It’s a risky assumption – and at worst could lead to a technical breach of GDPR with its hefty financial penalties. Aside from the commercial benefits to be gained by boosting the accuracy of customer data, it is also worth bearing in mind that healthy databases will be the cornerstone of any repermissioning exercise. With the costs of customer acquisition set to rise in the GDPR era, now is not the time to lose track of valuable, opted-in customers when they move home.
The clock is ticking and companies that push ahead with their preparations now – especially in the fundamentals of database management – will reduce the likelihood of being thrust into a reputation-damaging, last-minute compliance panic as the enforcement date looms.
We’ve just published a new whitepaper in conjunction with DataIQ to help steer your GDPR preparations, including a detailed suppression strategy checklist.
We are delighted to offer you a free-of-charge, independently written whitepaper that gives you the lowdown on the role of data suppression in GDPR compliance, including a detailed suppression strategy checklist to get your preparations on the right track.
The GDPR will be enforced from May 2018 with data accuracy as one of its core principles. It requires that organisations keep customers’ personal information up-to-date and that any inaccuracies be corrected or deleted as quickly as possible. Suppressing the records of deceased customers and updating those of home-movers are inherent obligations, and failure to do so could incur a fine of 2% of global turnover.
Our CEO, Simon McLaven, comments: “Many marketers are occupied with the high-profile elements of the GDPR such as consent and privacy, but they should not overlook the fundamentals of data accuracy. Poor quality databases have long been the bane of marketing but now they could put you on the wrong side of the law.
“Under the GDPR, all types of marketers – including digital and B2B – need to screen their data using suppression files. In our experience, many companies think that they have suppression covered but usually they lack insight into its performance and may well find that their strategy isn’t actually GDPR-compliant.”
Our new whitepaper examines the Regulation in detail and illustrates how you can use suppression files to adhere to the GDPR but also to deliver tangible commercial payback, for instance by improving your campaign performance, reducing costs, boosting customer engagement and protecting brand reputation.
The whitepaper is free to download here.
At the beginning of March the Information Commissioner’s Office (ICO) published its draft consent guidance for the General Data Protection Regulation (GDPR) which could have far-reaching consequences for UK businesses.
Without the ‘right’ consent in place many businesses may struggle to legitimately send marketing campaigns to their customers and may be required to re-permission their entire customer database. There has been much discussion about the significant impact these changes will have on a business’s ability to engage with their customers and generate revenue from their marketing campaigns. But the change also creates an additional unintended consequence when it comes to data suppression.
Smaller campaign volumes result in a reduction in the amount of returned mail. Many businesses, especially in the banking sector, rely on deceased and gone away notifications from these returns to keep their data up to date and accurate. Without this source of data, they will need to find alternative ways – such as using external suppression files – to keep their databases accurate and compliant.
GDPR is a legal requirement. Failure to comply with the Regulation’s requirements carries the risk of severe financial penalties. The Regulation states that personal information must be kept up-to-date and accurate. Any inaccuracies must be corrected or erased as quickly as possible and personal information should not be kept for longer than the purpose for which it was originally acquired. Deceased data that no longer serves any purpose should therefore be suppressed (if there is no purpose for keeping those deceased records on file). Failure to do so is a clear technical breach of the Regulation.
What’s more, a new requirement of GDPR is breach notification: the ability to notify individuals in the event that data has been lost or stolen. Notification needs to take place without undue delay and only those living persons at risk should be identified. If a business has not suppressed or flagged the deceased in its customer database, it will clearly not be able to meet this requirement. Suppressing in the wake of a data breach is the wrong time to take action.
Failure to put the right processes in place to ensure data remains accurate and up to date could represent a technical breach of the Regulation and incur a financial penalty to the tune of 2 per cent of global group turnover, or €10 million. It is therefore crucial that businesses – particularly those that still rely heavily on returned mail to keep their databases up to date – include suppression within their wider data review as they prepare for May 2018.
If you regularly screen your data using a deceased suppression file you would expect to have clean and accurate data. However, you may be surprised to discover you could still have significant numbers of deceased customers in your database, leaving you at risk of non-compliance.
Unfortunately, it’s a common problem. Misconceptions about suppression files mean many data managers are completely unaware that solutions they have been using for years are failing to suppress all their deceased data. What’s more, because they believe they’re working the problem often goes undiscovered for many years.
Over time this results in large numbers of undetected deceased records and inaccurate non-compliant data. With GDPR being implemented since May 2016 the consequences could be serious and far reaching. So how can companies make sure their strategy doesn’t fall short of the standards required?
Here, we dispel some common misconceptions and offer guidance on what every data manager needs to know about deceased suppression.
You don’t need to evaluate your deceased suppression strategy
Firstly, keeping personal data accurate and up-to-date, and deleting or rectifying inaccurate data, is a compliance requirement, not a nice to have. A lack of awareness of how your suppression strategy is performing is unlikely to be accepted as an adequate excuse for holding inaccurate data. For more information on the rules and standards set out by GDPR download the ICO’s overview.
Secondly, the suppression market has evolved, products have changed. If you’ve been using the same file for several years it may contain very different data today, then when it was first licensed. And that may mean it’s no longer effectively removing your deceased customer data.
We recommend you evaluate your strategy at least once every three years. It’s a simple process and provides assurance that your solution is still fit for purpose and remains compliant.
If you use a bureau to manage your data suppression most will be happy to audit your data free of charge, and share the results so any ‘gaps’ in strategy can be addressed.
KEY TAKE-OUT: Evaluate your suppression strategy at least once every three years to ensure it’s working effectively and your data remains compliant. When using a bureau, make sure you understand any suppression strategy decisions they make on your behalf and the reasons for making them. Question them if you don’t understand as it’s your responsibility to explain your data suppression strategy under GDPR.
If you are using a deceased suppression file your customer data is compliant
Whilst this may be true, the only way to be certain is to evaluate all the suppression files in the market and implement a solution that is accurately removing all your deceased data. There are two important questions to ask:
- Is your solution removing all your deceased data?
Are you certain that the solution you are using is the ‘right’ one for your data? It’s important to understand how each of the market suppression files performs before deciding. Relying on a single suppression file rarely identifies all known deceased.
- Can you trust that the data is accurate and reliable?
Does the suppression data have a strong provenance? You need to understand how the data is sourced and verified: How many sources and types of data have been used to create the file? How have they been collected? Is the data derived or volunteered? How has the data been verified? Verification is critical; if an individual is identified as deceased across several independent data sources it corroborates accuracy. Volunteered data is rarely as accurate as data captured as the result of a transaction (a policy being cashed-in or cancelled for example).
KEY TAKE-OUT: Evaluate to ensure your solution is removing all your deceased customer records. Always check how the suppression data has been sourced and verified. Data that reaches the market quickly has a commercial advantage – the process of verification takes time – so always check the suppression data you license has undergone stringent checks.
All deceased suppression files are the same
Although it’s true that all the suppression files on the market have a level of overlap, they contain different data sources that have been collected and verified in different ways. Each file will contain ‘unique data’ that will never be found on any other file. And if those unique customers happen to be in your database, but not in your suppression file, your customer data will remain inaccurate.
One of the UK’s largest insurers recently evaluated all the leading market deceased suppression files and found their database contained over 89,000 deceased customers. This worryingly large number had gone undetected by all the suppression files they previously relied upon to keep their data clean.
Also, don’t be fooled into thinking that the overall size of a deceased suppression file is all that matters. It’s important to audit how many deceased records each file identifies on your own customer data and how recent those deceased records are. Biggest isn’t always better.
KEY TAKE-OUT: The overall size of a deceased suppression file isn’t all that matters. Unique data is an important factor to consider when choosing a suppression file; those deceased customers may be sitting in your database.
You only need one deceased suppression file
This is a rather bold marketing claim and one that we don’t feel is justified. Even though our deceased suppression file contains at least 30% unique data when compared to the other two market leading files, saying you only need to rely on one file alone is certainly not a claim that we would make. The only way to be sure you have the right file(s) is to evaluate all the options and choose the combination that performs best for your business.
KEY TAKE-OUT: Always evaluate suppression files to choose the optimal blend of files, you won’t achieve adequate coverage and protection with just one file.
With the introduction of GDPR in May 2016, there’s never been a more important time to make suppression a priority. With so many common misconceptions about data suppression leading to inadequate solution choices, it’s imperative that data managers evaluate all the available options and base their file selection on fact. It’s the only way to be sure that the solutions they chose deliver reliable and accurate results and help them to achieve compliance with GDPR
With the looming introduction of the EU General Data Protection Regulation in 2018 there has never been a better time for marketers to improve their practices and work towards the industry standards by which all direct marketers will have to conduct business. GDPR represents the most significant overhaul of Data Protection legislation for over 25 years, it will require many organisations to completely reengineer core processes to become GDPR ready.
In this brave new world marketers will require opted-in permission from consumers to market to them and the old opt-out model will no longer apply. Penalties include staggering fines of up to up to 4% of global turnover.
The new opt-in permissions are likely to have a large impact on new customer acquisition as traditional data sources decrease in size and become costlier and legally complex. Maintaining permission to market to your existing customers will therefore be critical, as will retaining opt-in permission from multiple channels and keeping track of your customers as they move home to avoid diminishing returns from a continually shrinking database.
If a customer, who has previously opted in to receive postal communications, moves house and does not inform those companies who were sending mail, can that record still be considered as a strong opt-in? What steps can marketers take to ensure their campaign material still reaches the intended recipient? If the marketers can obtain the new address of an opted in customer then this can still be considered as a strong opt-in under current regulations, and there are existing products to provide marketers with this data. Using these products will reduce the proportion of direct mail that does not reach the customer, and improve the health of the database. It also increases the value of the database, as details are correct and up to date.
Using a goneaway suppression file such as Re-mover ensures that direct mail campaigns are not sent to addresses that an opted in customer has left, lowering the potential incidence of identity fraud. These actions lead to better compliance with data protection regulations and improve the reputation and image of the originating company as well as the direct mail sector over all. Re-mover is up to date with over 90% of house moves in the UK, 65% of which happen within the previous 30 days, making it the most current and reliable goneaway suppression file available.
Similarly, the National Deceased Register is equally current and provides reliable and accurate data on the recently deceased; it is most often cases of companies mailing people that have been dead for years that make the national press and contribute to the negative image of the direct mail sector, so with up-to-date suppression files available there is no excuse for marketers to bypass best practices. Ignoring the issues of identity fraud and crime that have been associated with credit and loan applications sent to those who are deceased or who have moved only furthers the impression that direct mailing companies are irresponsible and contravenes the incoming GDPR regulations with regard to an individual’s right to data rectification.
Suppression files notwithstanding, there has never been a more pressing time for businesses to look at their opt-in policies for marketing communications, and to ensure that any data processors they outsource to also adhere rigorously to the same standards. The pursuit of industry-wide compliance with opt-in policies, data protection regulations and the rules governing the processing and sale of personal information provided by customers is a journey that must be started very soon. Some companies will have more work to do in this area than others, and should commence the process of database maintenance as soon as possible. Ark Data are leading the way in accurate data suppression files that enable direct mailing contractors and companies managing large customer databases to meet the standards that the public deserve.