DataIQ recently teamed up with Cygnus Embedded Suppression contributor The Ark to produce a Whitepaper discussing data suppression and GDPR. The Whitepaper puts forth the message that deceased suppression will effectively become a legal requirement come May 2018, when GDPR comes into force.
While neither the legislation itself nor the guidelines from the ICO go quite so far as naming deceased suppression as a legal obligation to achieve compliance, DataIQ make the argument that failing to undertake deceased suppression increases the likelihood of a technical breach. Falling foul of the ICO for a technical breach can cost organisations as much as 2% of group turnover (find out more about GDPR here). So how do suppression files help organisations achieve compliance with GDPR? The Whitepaper offers 3 primary reasons:
Reason 1 – Accuracy
A data controller cannot claim to be adhering to the policy of keeping personal data up to date if there are significant levels of the deceased within the data set. Similarly, GDPR compels controllers to keep personal data only for the time and purpose for which it was originally acquired. Given there is no effective use of deceased records, the time and purpose claim cannot be made either.
Reason 2 – Demonstrating Compliance
Use of deceased suppression files demonstrates to regulators an attempt to achieve compliance. Data controllers can document the use of suppression files and provide evidence of systematic screening and removal of deceased records, which are inherently non-compliant.
Reason 3 – Breach Notification
GDPR contains new obligations to report data breaches to those living persons affected by the breach. DataIQ make the case for regular deceased suppression being a pre-requisite to ensure compliant breach reporting. By sending breach notifications to the dead, the notification itself is non-compliant and could draw further scrutiny and potential fines from the regulator.
Data and Suppression Strategy Review
The Whitepaper provides a 22-point checklist to help organisations undertake a data and suppression strategy review. In keeping with ICO guidance, the checklist is a great starting point for data controllers to make sure they are on the right path to compliance with GDPR. Understanding what type of data is held, where it is located, how sensitive it is and the nature of the permission gained is key. Only then can an organisation consider if the policies and processes governing the use of that data are fit for purpose under GDPR.
Suppression provider selection can be a sensitive subject, with each of the providers claiming unique benefits of their file over others. Some organisations choose to work with a single vendor to suppress deceased or goneaway data. Other organisations, especially those serving multiple clients and use cases such as mailing houses and data bureaux, often find it beneficial to retain a range of suppression files. Download the Complete guide to Suppression and Trace from The Software Bureau to find out more about the differences between the most widely used suppression and home mover data available.
Cygnus and GDPR
The Software Bureau has embedded a portfolio of 19 suppression and home mover files providing more than 500 million records in its flagship data processing software Cygnus. This portfolio approach provides organisations with the ability to combine and tweak their data suppression and home mover processing over time as needs change. What’s more, Cygnus contains a wealth of additional data hygiene and processing tools to help users implement data processing tasks required to achieve compliance with GDPR. Removing out-of-date records, consolidating disparate data files and suppressing un-permissioned data are just a few examples where Cygnus could be used to manage GDPR compliance. Register for an online demo of Cygnus to see how the suite of tools can help your organisation become compliant with GDPR.