Royal Mail

A marketer's guide to the GDPR

You've probably heard a lot about the General Data Protection Regulation (GDPR), which applies from 25 May 2018...

Most articles warn you of the consequences of non-compliance: the law is being made stricter and fines could be much higher.

But what people often don’t appreciate is that the GDPR is a big opportunity for marketers. By embracing the GDPR, brands can improve their direct marketing communications, ensuring they are always well targeted and well received.

The Royal Mail has produced a guide to the GDPR titled "The GDPR opportunity with Mail".  In it, they show 12 ways that mail can help you make the most of the GDPR.  We’ll share some of those in this article. But, first, here is a selection of helpful pointers from the ICO on how to be GDPR compliant. 

3 steps closer to GDPR compliance:

Step 1: Information audit
Do a complete audit to find out what personal information you hold. Don’t forget to audit data on business contacts, customers, employees and contractors. Look at the platforms you use, the security of the servers the data is stored on, where in the world those servers are, and other factors which could determine whether your regime is GDPR compliant. Make sure everyone in your organisation who is responsible for processing data — sales, marketing, finance and so on — is aware of the need to do this. Don’t assume any platform or provider (for instance, your online CRM) is compliant: always check.

Step 2: Understand lawful basis
You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. If you use legitimate interests as the basis for processing personal data for postal marketing, you won’t need consent for it, whereas you might need consent for some calls, texts and emails. Due to the challenges involved in gaining consent to GDPR standards, brands may have some customers they can only reach by mail.

Step 3: Create higher standards of Accountability and Governance
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances.

The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances. Under the GDPR, you must appoint a DPO if you:

  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Mail could help you in a GDPR world 
In its guide, "The GDPR Opportunity with Mail", the Royal Mail highlights the unique role that mail could play in driving business success in a GDPR world.  It includes examples from organisations that have already been inspired by the GDPR to improve their data practices as well as 12 ways that mail could help you make the most of the GDPR.  Here are 4 of the 12 ways mail could help you:  

1. You won’t necessarily need consent for postal marketing

According to the ICO’s recent comments in their FAQ to Charities: "You won’t need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR… If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object."

2. Brands will have fewer regulatory unknowns with mail

As mail is not in scope of PECR or the proposed e-Privacy Regulation – which has no clear timeframe for implementation yet – brands will have fewer regulatory unknowns when contacting by mail in comparison to electronic channels.

3. Mail offers higher response rates than email

In a world where trust and frequency of communication are increasingly important, mail is welcomed by recipients and offers higher response rates than email*.

4. It’s easy to stay in touch via mail

While people are more likely to have multiple email addresses, including ghost ones they do not check, they generally have only one residential address.

For the full 12 reasons, download a copy of the guide here

* US Data & Marketing Association Response Rate Report 2017





Eleanor Kahn

