Written by Kia Irving | UK
on April 22, 2022

While GDPR is no longer news, we still get a number of inquiries about building and cleaning a compliant contact database. While you may have ensured that any new customer data is collected with a double opt-in form, what about legacy data? And how long can that legacy contact data be held?

If you don’t actively cleanse and update your contact data, 70% of your database could be inaccurate after just one year — so it is critical that you are actively investing in cleaning and post-cleansing.


Start with good data management habits

The strength of your contact database management strategy relies on strong foundations. Creating a unified approach across any and all departments that access, collect and handle your customer data is the best place to start. Keeping your data GDPR-compliant starts from the ground up.

#1 Provide regular GDPR training sessions

It is imperative that anyone in your business who even so much as sets an eye on your customer data understands GDPR data protection laws. Holding regular training – both introduction and refresher courses – makes sure that everyone has the same understanding. Not only does it mean that you lay out your expectations as a business, but that you also hold each person accountable. Ensure that your company remains compliant by proactively training your team.  

#2 Map your data correctly

When you set up your CRM, make sure that you are tracking the following fields:

  • Sign up source (e.g. newsletter form, download, event, social media).
  • The date they signed up.
  • The date they confirmed their opt-in.

For the most part, your CRM or marketing automation platform will have specific mandatory fields for you to include, making this simple. It’s important to keep these fields populated in your database, not only from a legal perspective, but also in case anything needs updating. A well-designed CRM and marketing automation tool, such as HubSpot or Marketo, will ensure you collect and manage your data in a GDPR-compliant way. 

Did you know: if you make changes to your privacy policy, you need to contact your subscribers to let them know?

#3 Use a Single Customer View (SCV)

Single customer view (SCV) is a centralized platform where you can have a holistic view of your customers across the entire buyer’s journey. With an SCV, you can identify and track every interaction you have with current and prospective customers, which enables you to develop relevant and targeted strategies.

One of the easiest ways to get things right is by keeping things simple. By adopting a single customer view (if you haven’t already!), you can be sure not only that your data is compliant, but also that it is up to date. You minimize the risk of over-sending communications or emailing opt-outs, and best of all, you gain the ability to orchestrate intelligent campaigns!


Cleansing your database

So, now that this is explained, how do you cleanse your database in a GDPR-compliant way?!

In a nutshell, here’s what you need to do:

1. Merge and purge duplicates

This is especially important when you’re migrating across to SCV or a new CRM. A good CRM will help manage this part for you.

2. Analyze: outdated, incorrect and incomplete records

Depending on your setup, you may find that you have duplicate or incomplete records – such as two records for the same person, one with a phone number and no email address, and the other the reverse. Consider using your CRM’s “merge duplicates” function to correct this.

3. Run permission campaigns

As previously mentioned, any time you update your privacy policy or other important information that will impact how you communicate with your subscribers, you must let them know.

In addition, if you merge with another company and intend to use their databases, you must run a permission campaign. Be transparent about what has happened, how it could affect them, and then let them make the decision about whether they want to opt-in. While you’re in this transition period, you must keep these data segments separate from your main lists that you communicate with.

4. Schedule regular cleansing

Consider how long data may remain dormant before it is removed, when to scrub bounced emails, or how to delete spam submissions. There are rules about how long you can keep personal data, and admittedly it can seem like a grey area with no hard and fast duration.

The ICO says:

  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymize it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

Do I need to clean my database?

Do you need to clean your teeth? If you’re the type of creature who thinks not, then you’ve probably got bigger problems than your database. That aside, database hygiene is crucial to the health of your business, regardless of size, function, and sector. More isn’t more.


How Apple’s Hide My Email may impact your database

First, let’s get a handle on what it is and how it works, from the horse’s mouth:

"Hide My Email generates unique, random email addresses that are forwarded automatically to your personal inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private."

The Drum describes it as a ‘burner account’ for email addresses. And like burner phones, these email addresses will still get your emails, unless they are deleted. In essence, the same as a normal email address really.

Litmus says:

"These email addresses can be deleted, and when that happens? It will show as a hard bounce. If you have a lot of these, your email deliverability will be negatively impacted."

"There’s no pattern or way to identify these randomized email addresses. While the usernames currently consist of random words with a "0" toward the end, this pattern is likely to change, and they all use the same domain name as people who actually use iCloud as their email service. Meaning, not every email address on your list comes from Hide My Email. They can be legitimate."

So, in short, it shouldn’t make too much of a difference. In reality, at the touch points where a customer needs to give their email address for an account-based activity, it’s unlikely they will use a mask like this.

If you’re a B2B company, one solution could be to only allow contacts with verified business domains to submit forms or subscribe to your content.

Achieving database nirvana 

Of course, there is so much more to database management and GDPR compliance than can be covered in one bite-sized blog. We could spend days (or weeks) writing about every single aspect in depth. But let’s face it, you’re reading this while you’re grabbing a coffee or waiting for a meeting to start. If you want the full nitty gritty on GDPR, HubSpot has a fantastic playbook here.

Want to know more?

Contact us about setting up a free HubSpot trial. HubSpot offers an absolutely free starter CRM that is GDPR-compliant. As a HubSpot Partner Agency, UP can help you get set up and running with both a compliant CRM and marketing automation toolset.
