How do you comply with GDPR if you have duplicate records?

Hint – you probably don’t

The General Data Protection Regulation will come into force in May 2018! We’ve all heard about this, and hopefully your GDPR project is in full swing to ensure compliance before the deadline is here.

As stated in the many blogs you’ve probably read on this subject, GDPR is all about putting individuals in control of their data. That is why the principles stated in Article 5 are so important and why the Lawfulness of Processing and the rules around Consent must be implemented and tested as soon as possible.

Most organisations will already have policies in place that cover at least part of these requirements, but even those, often fail without even realising it, due to a common problem: they have duplicate data in their CRM system.

Why is duplicate data a problem for GDPR compliance?

Having only one record for each person simplifies everything. Even before data protection was a hot topic, duplicate records were an operational nuisance, but now that nuisance can pose additional challenges.

Let’s look at a few scenarios where having a duplicate-free CRM system can help any organisation comply with GDPR. We’ll use our favourite example, customer Robert Dixon, also known by some team members as Bob Dickson.

Below are four of Robert’s rights regarding his personal data, all of which will be much easier to respect if his details are in the system only once.

1) Know what information you hold on him and what for:
You informed Robert Dixon of what data you hold, in compliance with the regulation; the problem is that part of that personal data is registered under Bob Dickson, and you didn’t even know such person existed in your database. However, one of your employees calls Bob every now and then, and while doing so, he may be looking at a different set of data.

2) Keep his personal information updated and accurate:
You have updated Robert’s address as requested, but not Bob’s. Remember, you never met Bob, but for some reason someone in your team created that contact and uses it regularly. If that person needs to send Bob a letter, it will be sent to the wrong address. Not to mention that the information on that letter may be confidential, and you’re sending it to someone else’s house.

3) Have his information deleted when no longer necessary:
Whether you are doing this proactively as part of your data management policy, or because Robert asked you to, having more than one record means that you will still hold Bob’s data, even after you deleted Robert’s. The problem is they are the same person.

4) Only send him emails if he has subscribed to them
Two months ago, Robert gave you consent to send him your newsletter, and you can prove it. But that subscription is logged against Robert’s contact in CRM, not Bob’s. They are the same person, but one of the demands of GDRP is that organisations must be able to prove that such consent was given, and you can’t prove that Bob has given his consent. The same goes for William and Bill or William at QGate and William at Q-Gate. He’s probably not the only person registered several times under slightly different names or account names, is he?

We strongly recommend all our customers audit their CRM data for duplicates, from time to time. The frequency of these audits depends on what data sources they have and the rate of change. But regardless of those factors, for GDRP purposes, you should do that right now and know where you stand. By the way, we have a free solution for that.

Find out how many duplicates you have

The free trial we offer on Paribus Discovery will give you a report of how many duplicates you have. If you are not sure about the size of the problem, or even if you have one, install it today and run it on your system. It won’t cost you a penny and you can use it on any database for reporting purposes.


This solution was originally developed to identify and merge data in CRM systems. Although you can use it on any database to learn how many duplicates you have, it will only merge those duplicates inside CRM systems, namely Microsoft Dynamics 365, Microsoft Dynamics CRM, Infor CRM (Saleslogix) and Sage CRM. The free trial version for Microsoft Dynamics 365 / CRM will let you merge some of the results so you can see exactly how it works.

To learn more about this solution, please visit the dedicated website or get in touch. We’ll be more than happy to help you get ready for GDPR.

Disclaimer: the content of this blog does not constitute and cannot be seen as legal advice, and should not form the basis upon which any person or organisation takes a decision or reaches a conclusion in regards to their rights or obligations.