The GBG and LexisNexis problem most privacy advice never reaches
Most privacy guidance starts with 192.com, the open electoral register, and social media settings. That advice is fine as far as it goes. It does not go far enough. The real exposure for anyone with a serious risk profile sits one layer beneath the public-facing people-search sites, inside two commercial data platforms that most people have never heard of: GBG (GB Group) and LexisNexis Risk Solutions.
I have spent years mapping digital footprints as a private investigator and OSINT specialist. Every time I trace someone professionally, these two platforms are the sources that matter most. They hold the data that confirms where you live right now. Not where you lived in 2014 when you were still on the open register. Right now.
What sets these platforms apart from people-search sites
GBG and LexisNexis are not consumer-facing search engines. They are commercial identity verification and data intelligence platforms built to serve financial institutions, insurance companies, law enforcement, and licensed investigators. Their databases hold current addresses, co-habitant information, financial associations, and identity verification records spanning years of continuously updated data.
Where 192.com holds 700 million records built primarily from the open electoral register and phone directories, GBG and LexisNexis hold verified, cross-referenced identity data that is current. LexisNexis Risk Solutions aggregates electoral roll data going back to 2002, Companies House filings, Land Registry records, and proprietary address databases that update far more frequently than anything a consumer people-search site relies on. GBG claims to verify identities using data from over 150 countries.
That distinction is everything. A people-search site gives you a name and an old address. GBG or LexisNexis gives you a confirmed current address, associated occupants, and the financial footprint of the person living there. For anyone assessing the UK data brokers operating beneath the visible layer, these two sit at the very bottom of the hierarchy.
The Bark.com pipeline: your address for 150 pounds
This is the part that should concern anyone with a protection detail, a family office, or a reason to keep their home address private.
GBG and LexisNexis present their onboarding as strict. They reference vetting processes, contractual obligations, and acceptable use policies. The implication is that only legitimate, verified professionals can access the data. The reality does not match the marketing.
If you post a trace request on Bark.com today, you will receive responses from four or five private investigators competing for the work. The trace costs between 100 and 200 pounds. Nearly every one of those investigators will fulfil the request by querying LexisNexis or GBG. That is standard practice at the volume end of the tracing market. Five investigators will contact you for a single trace, and nine times out of ten they are all pulling from the same two databases.
I am not speculating here. I worked in this space. When I investigated company directors, when I traced individuals for corporate clients, these were the first databases I checked. Companies House was the starting point for context. GBG or LexisNexis was where I confirmed a current address.
The data that is supposedly locked behind commercial onboarding is, in practice, one Bark.com listing away from anyone with enough motivation and a small budget.
Why suppression is the hardest battle in UK data removal
I am the only person I know who has successfully achieved a data suppression from these platforms, and even that was not straightforward.
My suppression from LexisNexis took eight or nine emails back and forth over a sustained period. The key breakthrough was constructing a specific argument: I demonstrated that my occupation places me at heightened risk of being targeted, cited involvement in legal cases arising from my work, and stated I was prepared to provide supporting evidence. They did not ultimately request the evidence. But the persistence and the strength of the argument is what made the difference.
Here is why they resist so aggressively. The moment they admit to suppressing someone’s data on safety grounds, they are implicitly acknowledging that their onboarding process is not as airtight as they present it. That the vetting they market to financial institutions and insurers has gaps. That someone with bad intentions could, in theory, access the data through a downstream user who won them the job on Bark.com. They know this. Every suppression is, in a small way, an admission that the system leaks. That is why each request meets institutional resistance that goes well beyond normal data protection bureaucracy.
Most automated data removal services cannot touch this. Incogni, DeleteMe, and every other consumer tool send templated requests to known data brokers with public opt-out mechanisms. GBG and LexisNexis are not on their lists. These platforms have no consumer-facing opt-out pages. There is no form to fill in. The suppression process is entirely tailored to the individual, conducted through direct correspondence with their data protection teams, and it requires a level of argumentation that no automated tool can generate.
The ICO has done nothing about this
Here is my honest opinion on the regulatory picture: the ICO has entirely failed to regulate the commercial data broker layer that poses the greatest risk to individuals.
As of April 2026, the ICO has taken zero enforcement actions against UK people-search websites or commercial data platforms operating in the identity verification space. The Clearview AI fine of 7.5 million pounds in May 2022 targeted facial recognition. The Experian enforcement notice in October 2020 was overturned at tribunal in February 2023. Against the platforms that actually hold verified current address data on most UK adults? Nothing.
Both GBG and LexisNexis process personal data under legitimate interests as their lawful basis. The Data Use and Access Act 2025, which came into effect on 5 February 2026, introduced recognised legitimate interests that require no balancing test for specified purposes. While identity verification is not explicitly listed, the regulatory direction is away from individual control. The DUAA did not introduce a data broker registration regime or any specific rules targeting these platforms. Linklaters described it as “a shift in approach aiming to balance privacy rights with innovation.” That is a polite way of saying the regulators are not coming to help you.
For the foreseeable future, suppression depends entirely on the quality of your individual argument and your persistence in making it. There is no regulatory backstop forcing these platforms to comply.
Where GBG and LexisNexis sit in the exposure hierarchy
People underestimate how many places hold their data by a factor of ten. They focus on the visible sources while the invisible ones do the real damage.
UK data exposure follows a pyramid structure. Root sources at the base (credit reference agencies, the open electoral register, the OSIS telephone directory, Companies House, HM Land Registry) feed downstream aggregators. GBG and LexisNexis sit at a critical junction point in that pyramid, ingesting data from multiple root sources and cross-referencing it into verified identity records. Every people-search site, every skip tracer, and every downstream verification product ultimately depends on data that passes through platforms like these.
If you have already opted out of the open electoral register, removed yourself from 192.com, and dealt with LiveRamp, CACI, and the REaD Group, you have done important work. But if GBG and LexisNexis still hold your unsuppressed current address, someone can find you for the cost of a Bark.com listing. That single gap undermines everything else.
Who cannot afford to ignore this
Not everyone needs GBG and LexisNexis suppression. For someone whose risk profile is limited to general privacy concerns, the consumer-level removals from 192.com, Tracesmart, and PeopleTraceUK will cover the most likely exposure points.
GBG and LexisNexis suppression matters for a specific set of circumstances. Individuals facing active threats, where a motivated person has already demonstrated willingness to find them. A skip tracer through Bark.com is a realistic escalation step. Company directors and executives whose personal address represents a corporate security vulnerability. If any investigator with GBG access can confirm where you live, your physical security has a gap that no alarm system closes. Public figures and influencers with audiences large enough that the statistical likelihood of a fixated individual becomes significant. Family offices and PAs managing protection for principals whose exposure compounds across properties, directorships, and family members.
If your situation fits any of those profiles, this is the data layer you need to address. The visible brokers are the easy part. This is the hard part.
What the suppression process actually requires
Start with a full digital footprint assessment. You cannot suppress what you have not mapped. Every assessment I run checks GBG and LexisNexis exposure as a priority, because that is where the most consequential data sits.
If you attempt the suppression yourself, expect sustained correspondence over weeks. Construct your argument around demonstrable risk, not general privacy preference. Articulate why your specific circumstances create a heightened risk that outweighs their legitimate interests in processing your data. Cite specific threats. Reference your occupation, your public profile, or documented incidents. The argument needs to be strong enough that their data protection team cannot deflect it with a template refusal.
Be aware that even a successful suppression is temporary. LexisNexis suppressions last 12 months and need renewing. GBG operates on a similar cycle. If you do not renew, your data becomes queryable again. Quarterly verification that suppression remains active is part of any serious monitoring regime.
If that sounds like more than you want to manage alongside everything else, that is exactly the kind of case I built Barnveil to handle. Get in touch and I will tell you honestly whether your exposure warrants this level of work, or whether consumer-level removals are enough for your situation. The answer depends on your risk profile, and I would rather tell you to save the money than sell you something you do not need.
