GDPR Article 5 and data accuracy: what it actually means for your CRM


Eight years into GDPR, most marketers can tell you about consent. Far fewer can tell you about the accuracy principle - the part that makes your contact database a live compliance obligation.

It is one of the six principles in Article 5 of the UK GDPR, and it is also one of the most ignored. Marketing teams pour effort into consent banners and double opt-ins, then leave the same database to rot for two years while phone numbers go dead, people change jobs and email addresses bounce.

That gap is the accuracy principle. This post explains what it actually says, why it matters more than you might think, and what a sensible workflow looks like in 2026.

What does Article 5(1)(d) actually say?

The text in full: personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

Two phrases do most of the work.

“Where necessary, kept up to date.” The Information Commissioner's Office reads this as proportionate - how often you need to refresh a record depends on what you are using it for. A one-off competition entry is different from a sales prospect you intend to call quarterly for the next three years.

“Every reasonable step.” You do not have to guarantee perfection. You have to demonstrate that you took sensible action when you knew, or should have known, that a record was wrong. Bounced emails are a classic example: the ICO's own guidance points out that removing addresses where you have received a bounce-back is the sort of reasonable step it expects.

Why ‘accuracy’ matters more than most marketers think

The marketing department tends to treat data accuracy as an efficiency problem. Dirty data wastes spend, drags down conversion rates and makes reporting unreliable. All true. But under GDPR it is also a regulatory problem - and the financial penalty has just got dramatically bigger.

Under the Data (Use and Access) Act 2025, which came into force last June, the maximum PECR/UK GDPR fine rose from £500,000 to £17.5 million or 4% of global annual turnover, whichever is greater. That is a 35-fold increase. Most of the high-profile fines so far have hit security failures, but the principle applies equally to keeping your data accurate and current.

Phone numbers decay at around 18% per year

Industry estimates put B2B contact data decay at roughly 22–30% per year across the board, with mobile phone numbers specifically losing around 18% of their accuracy annually as people change networks, leave jobs and ditch handsets. A CRM you last cleaned in 2024 is not 90% accurate today - it is closer to 60%.

At Data Soap volumes, that translates into thousands of records per month that are quietly turning into compliance liabilities - not just wasted dials.

Email deliverability and the accuracy obligation

Bounce-backs are not just a sender-reputation problem. They are evidence that you know an address is no longer accurate. If you keep mailing it - or worse, if you sold the list to someone else - you are breaching the accuracy principle by inaction.

The ICO's published guidance specifically calls out bounced emails as a trigger for the “every reasonable step” obligation. The reasonable step is straightforward: remove or suppress the address.

Address data and the PAF standard

Postal address data has its own gold standard in the UK: the Royal Mail Postcode Address File (PAF). If you are running direct mail and your records do not validate against PAF, you are by definition not taking every reasonable step to keep address data accurate. PAF lookups are not a nice-to-have on a Sunday afternoon - they are the baseline against which the ICO will measure you.

Three signs your CRM is breaching the accuracy principle right now

You probably do not need a forensic audit to know whether you are in trouble. Three signals tell most of the story.

1. You cannot tell when each record was last verified. If there is no “last validated” field on a contact record, you cannot evidence that you took reasonable steps. The ICO does not expect perfection; it does expect a paper trail.

2. Your bounce rate has been creeping up for months and nobody is removing the addresses. Each ignored bounce is a tiny breach. Multiplied across a year and a list of 50,000 contacts, that is a very tidy enforcement story.

3. You have phone numbers in your CRM that have not been called in 12 months. Without a validity check, you do not know whether you are calling a customer, a stranger, or no-one at all. Calling the wrong person triggers TPS/CTPS complaints too - the two principles compound.

How to fix it - a practical data quality workflow

The accuracy principle does not demand any specific tool or workflow. It demands that you take reasonable, demonstrable steps. In practice, that splits into two complementary jobs: validate the data the moment it arrives, and re-validate the data already in your CRM on a sensible cycle.

Validation at point of capture (API approach)

The cheapest data error is the one that never enters your system. Wire an HLR or email validation call into every web form, sign-up page and integration that creates a new contact record. The API returns a status in under a second, and your CRM only stores numbers and addresses that look real.

Data Soap's REST API plugs into most CRMs, marketing platforms and bespoke dialers. The same balance powers email verification, mobile validation, landline checks, PAF lookups, and screening against the TPS and CTPS registers.

Periodic list cleaning (drag-and-drop for non-technical teams)

For the data you already hold, the simplest workflow is a quarterly bulk clean. Export the list as a CSV, drop it into the Data Soap portal, map the columns, and get back a cleansed file with a status per record. No code, no developer time.

The Information Commissioner's Office does not prescribe a cleaning frequency - that is the whole point of the “where necessary” wording. Quarterly is sensible for most call lists; monthly is sensible for high-volume outbound. Annually is almost certainly not enough.

What the ICO says about accuracy enforcement

The ICO publishes an explicit guide to the accuracy principle, and the underlying legal text sits at Article 5 of the UK GDPR on legislation.gov.uk.

Enforcement in 2025 has been busier than in any year since GDPR went live. The first half of 2025 alone produced roughly £5.6m in fines, more than double the entire 2024 total, with the ICO making clear that data-protection failures are now its priority over older regulatory beats.

Accuracy-only fines are rare today. They are also rare for security breaches alone - until you are in the middle of one. The pattern with ICO enforcement is to combine principles: a security breach exposes how poorly maintained the dataset was in the first place, and the accuracy and data-minimisation principles get cited alongside.

Frequently asked questions

Does GDPR accuracy apply to B2B data?

Yes - with one nuance. If the contact record is for a named individual (Jane Smith, Marketing Director at AcmeCo), it is personal data and Article 5 applies in full. If it is a generic role mailbox (info@acmeco.co.uk), it is not personal data and is outside the scope. Most B2B databases consist largely of personal data, so for practical purposes you treat the whole list as in-scope.

How often should I clean my CRM?

Often enough that you can defend the gap. Quarterly for most call lists; monthly for high-volume outbound; in real time for any record entered through a web form. Annual is the answer most likely to get you in trouble: by month six the list is already meaningfully wrong, and the ICO's “reasonable steps” test becomes harder to argue.

Is a bad phone number actually a GDPR issue?

It can be. If you keep dialling a number that has been reassigned to a different person, you are processing inaccurate personal data - and very possibly contacting someone who has not consented. That is two principle breaches in one phone call, plus a likely TPS/CTPS complaint. The accuracy principle is the cheapest of those three to fix.
