The introduction in the General Data Protection Regulation (GDPR) of a methodology for implementing an individual’s Right to be Forgotten isn’t to be confused with personal information being completely erased and many businesses will discover that there are some difficulties attached to maintaining compliance with this element.

How will this affect data lists?

One of the most common uses of personal information in business is for marketing, for which many Small and Medium Enterprises (SMEs) buy in data lists to add to their own customer information so that they can extend the reach of their marketing.

Someone who wishes to be removed from the marketing list is able to make a request to the business and the personal information will, indeed, be removed in compliance with GDPR.

Quarantine and the practicalities

The information will still need to be retained, albeit quarantined from processing, so that any subsequent lists purchased can be cleaned of individuals who have asked to be deleted from the marketing list. While this still constitutes ‘data processing’, it falls into the activity of processing to ensure compliance with the legislation and is acceptable under GDPR.

Because the business selling the list is only in the business of selling lists it will never have contact with the individual and will, therefore, never receive a request from that individual as a data subject to be removed from any list content.

Even if there is a duty on those businesses who have purchased a list to inform others, including the list-selling business about the data changes (and there isn’t always), the list-selling business may be able to ignore and not action any requests made by its customers (the SMEs) to have someone deleted from future lists. A lot here will depend on the terms of business signed by its customers.

The perpetual Loop

The data subject’s details will remain on the master list and be sold on as many times as they match a targeted marketing demographic.

If a data subject changes their name, address, email address or other significant detail they may appear, on an updated list, to be an individual different from the person previously exercising their ‘Right to be Forgotten’ and may accidentally be included in a new marketing campaign as a result.

To avoid falling into this potential hole of non-compliance, businesses that are in the habit of buying in lists for marketing need to consider very carefully how they store quarantined data and what filtering methodology is applied to any new lists they purchase. They should also look at ensuring that their ‘Request for Removal’ processes takes into account ‘linked’ information so they can do the job thoroughly.

Much will depend on the capability of software and the expertise of the users. If anyone was looking for something to give impetus to improving data handling capabilities, this is probably it.

By Bob Edwards, GDPR and CyberCrime consultant, Lawhound

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at

comments powered by Disqus