GDPR Guide

The document outlines the implications of the General Data Protection Regulation (GDPR) for Royal Mail and its customers, emphasizing the opportunity to enhance marketing processes through better data practices. It clarifies the definitions of 'controllers' and 'processors' under the GDPR, the legal bases for processing personal data, and the importance of consent and legitimate interests in direct marketing. Additionally, it highlights the role of mail in maintaining business success in a post-GDPR environment and offers guidance for organizations to navigate compliance effectively.

Uploaded by

Jacek Debowski

THE GDPR OPPORTUNITY WITH MAIL

CONTENTS

What is the GDPR?
Who does the GDPR apply to?
What information does the GDPR apply to?
The GDPR key points
- Consent and legitimate interests
- Legitimate interests assessments
- Mail and legitimate interests
- The rights of the individual
What’s still to come?
The GDPR opportunity
12 ways mail could help you thrive in a GDPR world
Case studies - GDPR mail examples
How can we help?

INTRODUCTION TO MAIL UNDER THE GDPR

The General Data Protection Regulation (GDPR) has far-reaching implications for Royal Mail and its customers. But we are optimistic that the new data laws will have a positive impact on relationships between organisations and consumers. We believe it presents a tremendous opportunity for us all to take stock of our marketing processes and put best-quality data practices at the heart of our organisations. By encouraging greater transparency, we believe that the GDPR will provide a major impetus for us all to improve our direct marketing communications, and ensure they are always well targeted and well received.

Of course, there are understandable concerns. For instance, from conversations with our customers, we understand there’s confusion about what constitutes “legitimate interests” in relation to direct marketing, when consent is necessary, and how third-party data can lawfully be used in the context of the GDPR. Our customers have also said that the guidance they’ve received from events and through online marketing blogs has sometimes been contradictory – even alarmist.

This guide does not impart any legal advice, but is instead designed to help organisations become acquainted with the most important sources of information on the GDPR, including what the law itself says and what the UK’s data protection regulator, the Information Commissioner’s Office (ICO) has, so far, decided this means. As the ICO is regularly delivering updates to its guidance on implementation, this guide serves as an introduction to some of the main subject areas with which organisations need to become familiar.

The guide also highlights the important and unique role that mail will continue to play in driving business success in a post-GDPR world. It includes examples from organisations that have already been inspired by the GDPR to improve their data practices and build more trusting, open and transparent relationships with customers.

While the journey to compliance with the GDPR may not always be an easy one, Royal Mail can provide help and support every step of the way – an assurance that we hope this guide makes abundantly clear.

Jonathan Harman
Managing Director
Royal Mail MarketReach

WHAT IS THE GDPR?

The GDPR comes into force on 25th May 2018. It is not a brand new regulation, but a necessary evolution to the existing Data Protection Act. It is intended to extend additional protection for individuals and their data, providing greater transparency and control over where their data is saved and used. The ICO is working hard to produce guidance on what the new law means for organisations, and how they can become compliant. It warns that while its final guidance is compiled, no organisation should think that because the UK is leaving the EU, they do not need to plan for compliance.

The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. The Information Commissioner, Elizabeth Denham, has acknowledged that there “may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.”

What should also be acknowledged is the global nature of the GDPR. All EU member states will implement the GDPR and certain obligations (such as in relation to international data transfers) apply when working across borders. Furthermore, countries outside of Europe may need to comply with relevant aspects of the GDPR when trading with European countries so, from a certain point of view, the GDPR can be considered a law with implications worldwide.

WHO DOES THE GDPR APPLY TO?

The ICO makes clear that the new law applies to ‘controllers’ and ‘processors’ of data, and these are largely the same definitions that apply today under the Data Protection Act 1998 (DPA). A controller is responsible for how and why the data is processed, while the processor acts on the controller’s behalf.

PROCESSORS

The ICO GDPR guide elaborates on specific responsibilities:

“If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.”

These obligations for processors are a new requirement under the GDPR.

CONTROLLERS

The ICO GDPR guide, continues:

“However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”

WHAT INFORMATION DOES THE GDPR APPLY TO?

PERSONAL DATA

According to the GDPR, the GDPR applies to “personal data”, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular, by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems in which personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.

SPECIAL CATEGORIES OF PERSONAL DATA

The GDPR refers to certain types of personal data - currently known as sensitive personal data - as “special categories of personal data”.

The following categories of data are considered “special categories”:

●● racial or ethnic origin
●● political opinions
●● religious or philosophical beliefs
●● trade-union membership
●● data concerning health or sex life and sexual orientation
●● genetic data (new)
●● biometric data where processed to uniquely identify a person (new)

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

FINES

Fines under the current Data Protection Act are up to £500,000, but under the GDPR, these are set to increase to a maximum of 4 per cent of group annual global turnover, or €20 million, whichever is greater.

The Information Commissioner has gone so far as to blog to set the record straight on fines and put minds at rest. Focus should be on compliance, not speculating about fines. She suggests:

This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million, or 4 per cent of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements, or that maximum fines will become the norm...

...The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick...

...Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment. And just look at our record: Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned...

...And we have yet to invoke our maximum powers…

...Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow...

...And you can’t insure against that.

THE GDPR KEY POINTS

LAWFUL PROCESSING

The ICO has offered very clear guidance that to be GDPR compliant, organisations must identify which of the six legal bases for processing personal data they are using. To quote their guidance:

●● “For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.”
●● “It is important that you determine your lawful basis for processing personal data and document this.”
●● “Your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example, to have their data deleted.”

The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e), below:

●● “processing is necessary for compliance with a legal obligation”;
●● “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

“These provisions are particularly relevant to public authorities and highly regulated sectors.”

LAWFULNESS OF PROCESSING CONDITIONS

Article 6(1) sets out the 6 lawful bases for processing personal data:

(a) Consent of the data subject
(b) Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract
(c) Processing is necessary for compliance with a legal obligation
(d) Processing is necessary to protect the vital interests of a data subject or another person
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(f) Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

CONSENT AND LEGITIMATE INTERESTS

Of the six legal bases to process data, the ICO has provided some further information on both consent and legitimate interests.

CONSENT

The ICO has pointed out that under the GDPR’s definition of consent, there are two new points (additional to the DPA) for organisations to consider. It has highlighted these in bold when repeating the law’s definition of consent:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The ICO’s guide to consent provides a list which elaborates on this definition to show that, under the GDPR, consent must be:

●● Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
●● Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
●● Granular: give granular options to consent separately to different types of processing wherever appropriate.
●● Named: name your organisation and any third parties that will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
●● Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
●● Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
●● No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, which should look for an alternative lawful basis.

MAIL AND LEGITIMATE INTERESTS

“YOU WON’T NEED CONSENT FOR POSTAL MARKETING” (ICO, 2018)

Some organisations may wish to explore with their legal teams whether legitimate interests are a more appropriate legal basis upon which to process personal data for specific purposes, which can include direct marketing. Article 6(1)(f) in the GDPR gives legitimate interests as a lawful basis of processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

The ICO Guide to GDPR adds:

“A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.”

LEGITIMATE INTERESTS ASSESSMENTS

The ICO breaks down the assessments into a three-part test:

1. Purpose test: are you pursuing legitimate interests?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interests?

The ICO explains “The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have legitimate interests in disclosing information about possible criminal acts or security threats to the authorities.

‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.”

“Legitimate interests is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing. If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.”

The ICO then illustrates how legitimate interests can be applied in Marketing with additional reference to the Privacy & Electronic Communications Regulation (PECR) which you must adhere to where you are using electronic channels.

“You won’t need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR. See ICO Guide to PECR for more on when you need consent for electronic marketing.

If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”

With further additional requirements to utilise legitimate interests including:

“You must tell people in your privacy notice that you are relying on legitimate interests, and explain what these interests are.”

“If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights.”

Please refer to the ICO Guide to General Data Protection Regulation (GDPR) for more details on when you can use legitimate interests and how to apply it in practice.

MAIL AND LEGITIMATE INTERESTS

The Data Protection Network produced a guide to legitimate interests which includes examples of scenarios in which legitimate interests would be a legal basis for processing personal data, including:

Direct marketing
A charity sends a postal mailshot out to existing supporters, providing an update on its activities and details of upcoming events.

Personal data transferred in an acquisition
A publisher acquires circulation data of several magazine titles in the course of a business acquisition and wishes to use the data for similar purposes to those for which it was originally acquired.

Postal marketing from third parties
A catalogue company adds details to its online order forms which indicate that it shares data with other cataloguers. The purchaser can opt-out of this sharing, and the other cataloguers are listed in the privacy statement.

Personalisation
A travel company relies on consent for its marketing communications, but may rely on legitimate interests to justify analytics to inform its marketing strategy, and to enable it to enhance and personalise the “consumer experience” it offers its customers.

THE RIGHTS OF THE INDIVIDUAL

The ICO has been very clear that implementation of the GDPR will require organisations to observe and uphold the public’s strengthened data rights. It has provided a list, with brief explanations, of what these rights are:

●● The right to be informed encompasses your obligation to provide “fair processing information”, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
●● The right of access allows individuals the right to access their personal data and supplementary information. This enables individuals to be aware of and verify the lawfulness of the processing.
●● The right to rectification gives individuals the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.
●● The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
●● The right to restrict processing. Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
●● The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
●● The right to object allows individuals the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
●● Rights in relation to automated decision-making and profiling. The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

ICO’S 12 STEP PREPARATION GUIDE

The ICO has produced a 12-point guide to what organisations need to do to prepare for the GDPR becoming law in May 2018.

From raising awareness at every level within a company, to auditing data and establishing a legal basis for processing and storing personal information, this guide can help organisations plan for compliance.

Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now

1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from Article 29 Working Party, and work out how and when to implement them in your organisation.

11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

WHAT’S STILL TO COME?

Some of the information the ICO will be providing is dependent on guidance provided by the Article 29 Working Party.

WHAT IS THE ARTICLE 29 WORKING PARTY?

This working party is mentioned frequently when the ICO discusses how it is shaping the GDPR compliance guidance it passes on to organisations.

To quote the European Data Protection Supervisor (EDPS): “The ‘Article 29 Working Party’ is the short name of the Data Protection Working Party established by Article 29 of Directive 95/46/EC. It provides the European Commission with independent advice on data protection matters and helps in the development of harmonised policies for data protection in the EU Member States.

“The Working Party is composed of:

●● representatives of the national supervisory authorities in the Member States;
●● a representative of the EDPS;
●● a representative of the European Commission.”

The Article 29 Working Party also adopts guidelines for complying with the requirements of the GDPR. The ICO has explained how guidance from Article 29 is shaping its progress in providing final guidance before May 2018.

WHAT’S HAPPENING WITH ePRIVACY, AND WHEN?

The draft EU ePrivacy Regulation was published at the beginning of January 2017, with the original intention that it should be implemented within the same time frame as the GDPR. It will update and replace the UK’s Privacy and Electronic Communication Regulation 2003 (known as PECR). However, since then there have been significant delays to its progress at EU level and as a result the timescale is unclear.

The ICO has provided guidance on what the new ePrivacy Regulation is likely to mean for organisations.

The current draft proposal includes some headline changes:

●● It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
●● In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and wi-fi location tracking.
●● It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
●● It incorporates the GDPR’s two-tier system of fines of 4 per cent of worldwide turnover, or up to €20 million for breaches of some parts of the Regulation.
●● It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer wi-fi access, as well as the traditional telecoms and internet providers.
●● It would apply to organisations based anywhere in the world if they provide services to people in the EU.”

USEFUL RESOURCES

This is a selection of some of the most useful resources currently available. Please note these are subject to change.

1. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
   This is a living document and the ICO is working to expand it in key areas. It includes links to relevant sections of the GDPR itself, to other ICO guidance, and to guidance produced by the EU’s Article 29 Working Party.
2. https://www.dpnetwork.org.uk/gdpr-10-point-checklist-marketers/
3. https://dma.org.uk/gdpr
4. https://dma.org.uk/uploads/misc/58f881147dcd0-gdpr-checklist-copy_58f881147dc1e.pdf
5. https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/
6. https://dma.org.uk/article/10-things-marketers-need-to-know-about-the-gdpr
7. https://ico.org.uk/media/about-the-ico/documents/1624382/ico-annual-track-2016.pptx

THE GDPR OPPORTUNITY

New regulations can initially seem a little daunting in any industry, and the GDPR will certainly require organisations to examine how they process and use customer data. However, it also presents an opportunity to create relationships with customers and prospects that are more transparent and trust based.

TACKLING DISTRUST

The 2016 Annual Tracker study by the ICO showed that UK adults had “little confidence” in the current state of the data economy, and that a “data-sharing tension” existed between consumers and businesses over privacy protection. Consumers are concerned that by handing over personal information, they run the risk of having their private information stolen by criminals, receiving nuisance calls and spam, or having their data sold on to third parties for marketing purposes without their knowledge.

Only 3 per cent of the British population are currently unconcerned about sharing personal information, and only one in five thinks the current law, the Data Protection Act, is sufficient to protect them. Just 15 per cent believe the individual is in control of their personal information.

The GDPR seeks to allay this distrust, and as such, it presents an opportunity for marketers to build improved relationships with their customers and prospects by positively embracing the new powers that the law gives consumers.

A BRAND DIFFERENTIATOR

The GDPR provides an opportunity for organisations to truly embrace data protection as a brand differentiator – a core value that engenders better, more trusting relationships with consumers.

These transparent relationships, in which brands are respectful of privacy and data protection, enable organisations to be more upfront and honest about what information they would like to receive from a customer or prospect, and what they intend to do with it.

Organisations can use the GDPR as a fundamental building block to improve trust with consumers and create a permission pathway that delivers a better view of each customer as an individual.

BUILDING BETTER RELATIONSHIPS

The Direct Marketing Association (DMA) has outlined the top 10 key areas organisations need to be aware of in implementing the GDPR which, it claims, can also be seen as “business benefits”. These are:

●● Business transformation: The GDPR is a watershed moment for companies to make data protection a core brand value.
●● Respecting privacy: Respecting privacy is central to the future of customer relationships.
●● Accountability is a core principle: The GDPR asks companies to be accountable for their own decisions on how they collect and use personal data.
●● Total responsibility across your business: Accountability applies to everyone.
●● Accountability goes right to the top: Accountability should be driven at board level – it’s not just an issue for the lawyers.
●● Training is vital: It is important people working within companies are trained as to what their responsibilities are.
●● Privacy is a key ingredient: Privacy should be baked into every product from the beginning.
●● The customer must benefit: Transparency means telling the customer what you are going to do with their data and the benefits they get in return.
●● If trust is lost, all is lost: It is necessary to build trust in the digital economy.
●● Build for the future: Being open, honest and transparent about what you are going to do with your customers’ data is good for loyal, sustainable customer relationships.

THE ICO RUNS AN ANNUAL TRACKER REPORT INTO CONSUMER ATTITUDES TO SHARING DATA WITH ORGANISATIONS

The 2016 study noted popular consumer fears about what might result from sharing data.

UK adults fear their personal data being sold for marketing almost as much as it being stolen.

Most concerning use cases of personally identifiable information:

Personal information being stolen by criminals: 75%
Nuisance and ‘cold’ calls: 72%
My data being sold to other companies for marketing purposes: 68%
Spam emails and texts: 63%
Price discrimination: 33%
Tracking your vehicle movements (ANPR): 27%
Use of my health records for research purposes: 26%
Security services accessing telephone calls browsing history: 24%
Receiving inaccurate advertising on the internet: 20%
Re-targeted digital advertising: 18%
None of the above: 3%

There were four main concerns:

75%: Private information is being stolen by criminals
72%: Nuisance and ‘cold’ calls
68%: Data being sold on to third parties for marketing purposes
63%: Spam emails and texts

UK adults have little confidence in the current state of the data economy.

[Charts: four panels showing the share of UK adults who agree, are neutral or disagree with each statement: Businesses are transparent in data use; Individuals feel in control of data use; Policy and regulations provide sufficient protection; Businesses keep data secure]

The study also showed:

57%: Do not believe companies are transparent in their use of data
60%: Do not believe individuals have control over their personal data
48%: Do not believe the DPA is sufficient to protect them
44%: Do not believe companies do enough to keep their data safe

Q12 Which, if any, of the following outcomes are you most concerned about when businesses use your personal information? DPA Survey Base: All UK adults (n=1249)
Q11A Businesses are open and transparent about how they collect and use my personal information DP Base: All UK adults (n=1249) 18-24 (n=144)
Q11B You have lost control over the way your information is collected and used by companies [scale flipped for ease of reading] DP Base: All UK adults (n=1249)
Q11C Existing laws and organisational practices provide sufficient protection of your personal information DP Base: All UK adults (n=1249) Baby Boomers (n=388)
Q11D Online companies collect and keep your personal details in a secure DP Base: All UK adults (n=1249)

12 WAYS MAIL COULD HELP YOU THRIVE IN A GDPR WORLD

Marketers are embarking on the biggest regulatory change we have seen in our working lifetimes.

Whilst it’s good news for customers and good news for our industry, it is going to force some change on us. And as we all review our marketing models and channel choices, we’d like to suggest a number of reasons that direct mail could be part of the way you ensure success in a GDPR world.

1. YOU WON’T NEED CONSENT FOR POSTAL MARKETING

Quoting from the ICO website, “You won’t need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR.” This means that brands may have some customers they can only reach by mail because mail is still subject to fewer regulations than electronic communications.

2. BRANDS WILL HAVE FEWER REGULATORY UNKNOWNS.

Brands will have fewer regulatory unknowns when contacting by mail than by electronic channels. Mail is not materially impacted by the proposed ePrivacy Regulation, whereas electronic channels are. The ePrivacy Regulation was scheduled to come into effect in May 2018 but given there is no timetable for finalising the draft, this deadline is looking increasingly unrealistic leaving a number of questions unanswered.

3. MAIL IS RECOMMENDED BY THE DMA TO GET CONSENT.

Mail is recommended as the channel to use to get consent by the DMA. Some brands will choose to repermission some customer segments, and mail is well suited to this. Brands have been fined for contacting customers by email who had previously opted out of email communication. Repermissioning communications are seen as marketing activity, and so mail of this nature can attract advertising mail discounts.

4. MAIL OFFERS HIGHER RESPONSE RATES THAN EMAIL.

In a world where trust and frequency of communication are increasingly important to manage, mail is welcomed by recipients and offers higher response rates than email.*

Consumers recognise that mail takes more effort than email. So when it is used, it reassures them that companies recognise and value them – they cared enough to send mail.

5. NO FINES AS YET FOR USING MAIL FOR MARKETING.

No one has been fined by the ICO for using mail for marketing. According to the ICO website, seventeen penalties were issued in 2017 for other channels, such as text, phone calls and email.

6. IT’S EASY TO STAY IN TOUCH VIA MAIL.

While people are more likely to have multiple email addresses, including ghost ones they do not check, people generally only have one residential postal address, and our home-mover data services make it possible to stay in touch if your customer moves.

* US Data & Marketing Association Response Rate Report 2017

7. DON’T FORGET THE POWER OF UNADDRESSED MAIL.

Not everyone will grant consent via a repermissioning exercise. Door drops offers targeted services that are delivered with addressed mail that enables you to re-engage these audiences without using personal data. Door drops is an area of increasing innovation around targeting and price points. Research shows unaddressed items stay in the home for an average of 38 days and are frequently revisited. Be sure to talk to us about how we can help.

8. MAIL PRIMES OTHER MEDIA.

Our Private Life of Mail neurological study proved the way that mail primes other media. So you may expect email and other electronic communication to be better recognised and received (and perhaps unsubscribe rates to be lower) if the recipient has been mailed in the weeks before.

9. MAIL HAS EVOLVED.

It may be 500 years old, but mail continues to evolve. In recent years we have introduced programmatic mail and barcodes on mail to enable message sequencing, and in 2018 JICMAIL will launch to provide reach and frequency data to the market.

10. WE CAN HELP YOU KEEP YOUR DATA CLEAN.

Article 5 of the GDPR means that businesses will be held accountable for the accuracy of their customer data. Royal Mail has the leading industry update and suppression files which are fully GDPR ready. Accurate data will help you improve the return on investment of your mail campaigns.

11. WE CAN HELP YOU TO DEPLOY YOUR NEXT MAIL CAMPAIGN.

We have a comprehensive team of Media Specialists and media and data planners that can help you. We also have hundreds of case studies, insight, tools and data planning support to help you get the most from your investment in mail. It’s all free of charge to mail users.

12. WE’LL PUT OUR MONEY WHERE OUR MOUTH IS.

We can often offer a price incentive to encourage you to invest more in mail or try a different use of mail. Whether you’re new to mail, repermissioning, testing new data, or door drops, call us to see what we can do.

CASE STUDY 1: CANCER RESEARCH UK

CANCER RESEARCH UK NEEDED “ONE TICK” TO BEAT CANCER SOONER

With the spotlight on charity fundraising practices, in 2016 Cancer Research UK took the bold decision to change to an “opt-in” model for marketing. This was a decision driven primarily by the desire to change the way it talked to supporters, and one that the charity hoped would put it in a good position once the GDPR’s requirements were announced later in the year.

A PHASED APPROACH WAS USED TO DELIVER THE CHANGE

It meant that the charity chose only to contact supporters with marketing activity, who had provided explicit consent to be contacted via that communication channel. A phased approach was used to deliver the change, initially prioritising updating data-capture forms from new or returning supporters by the end of May 2016. The charity became opt-in for all supporters on 1 July 2017.

A major campaign kicked off the opt-in drive. Launched in the Sunday Times it spread across press, mail, social media, YouTube advertising and PR. The message was clear, ‘Your Tick Beats Cancer Sooner’.

In the first three months of its opt-in campaign, over 100,000 new supporters completed a new marketing permissions form with opt-in to mail tracking around 20 percent.

Cancer Research UK faced several challenges in its journey to become an opt-in charity:
1) Modelling. Modelling the predicted impact was complex due to the number of variables.
2) Complexity of touchpoints. With over 150 different sign-up touchpoints, keeping track of the changes was complicated.
3) Finding budget and resource. The complexity of the project required intense resource and impacted other areas of the charity. Budget was needed for costs to deliver opt-in.
4) Reporting. The complex landscape required bespoke solutions at individual form level.
5) Measuring impact. It was challenging to understand what key metrics to measure.

It is too early to measure the impact on direct marketing activity, but Cancer Research UK is confident it is the right move. It not only ensures their marketing is compliant with GDPR best practice, it will create deeper supporter trust, engagement and value in the long term.
Source: Zoe Rowland, Head of Data Governance, Cancer Research UK

CASE STUDY 2: HOME-SHOPPING BUSINESS

A HOME-SHOPPING BUSINESS IS USING LEGITIMATE INTERESTS TO COMMUNICATE WITH CUSTOMERS UNDER THE GDPR

One of the largest home-shopping organisations in the UK spends millions of pounds every year communicating directly with customers.

ACROSS THE YEAR, CUSTOMERS RECEIVE 10–30 MAILINGS

The GDPR has become the biggest focus of the organisation. It started with a comprehensive mapping exercise to understand: what data it processes, what it is used for, where it is going and how it leaves the business – considering the legal basis for each.

Following this, the organisation split its databases by recency, creating three bands based on the customers’ last transaction dates. A separate assessment was conducted for each band to understand whether it was GDPR compliant and could continue to be mailed under legitimate interests. This led to the determination that mailing customers who have shopped with a brand in the top two recency bands would be in both the customers’ and the brands’ legitimate interests.

A further 10 per cent of the organisation’s communications are to cold prospects – it is uncertain as to whether legitimate interests are the right position to take with sourced data. Following a paper released by the Data Protection Network in July 2017, it looks like the pooled data market will be opting for legitimate interests as permission to continue to provide data to businesses to communicate with prospects. This is a position that the organisation plans to follow; however, it is aware that the guidelines around this remain sensitive and open to change.

THE ORGANISATION HOPES TO BE FULLY GDPR COMPLIANT BY 2018.

How prepared are we? It changes daily, but it is likely that we will be there, or nearly there. What is clear is our intent and the processes we have put in place to get there.
Source: Home-Shopping Business

CASE STUDY 3: DEVELOPMENT CHARITY

A DEVELOPMENT CHARITY IS RESEARCHING SUPPORTERS BEFORE IMPLEMENTING LEGITIMATE INTERESTS

To ensure it would be in the best position to be GDPR compliant by May 2018, this development charity set up a working group spanning all departments and created GDPR “champions” responsible for pushing the GDPR agenda across their business area.

90-95% RETENTION ACTIVITY

With 90–95 per cent of the direct mail that it sends focusing on retention activity, it is vital that the charity ensures it is compliant, while at the same time maintaining the best interest of supporters and continuous income to help beneficiaries.

While not yet confirmed, the charity believes it is likely that it will use legitimate interests when communicating by mail. This position has been derived from aligning its vision with the requirements under the GDPR.

As well as looking internally to support its decision to use legitimate interests when communicating by mail, the charity is carrying out an extensive research exercise with current donors, exploring how they want to be communicated to and what their expectations of the charity are when it comes to legitimate interests. The findings from the research will influence the charity’s position.

Once the charity has finalised the changes in its privacy policy, it plans to communicate this to supporters in a bespoke mailing or, if the donor has opted in, email.

While the findings of the research have not yet been issued, the charity is confident that legitimate interests will be how it defines its position for communicating with supporters under the new GDPR requirements.
Source: Development Charity

HOW CAN WE HELP?

Call on the power of Royal Mail MarketReach and Data Services to boost your marketing effectiveness.

We’re a dedicated team of specialists with a unique set of skills, tools and free services to help you make money. Our data planners and media specialists are on hand to enhance your marketing strategy through mail, so your campaigns get the best results possible.

To discuss how we can help you, call us on 0800 014 2362 or visit royalmail.com/gdpr-mailwise. For details of our services for advertising mail users, visit mailmen.co.uk/gdpr

STRATEGY & MEDIA

Our team can make an immediate impact. We have Media Specialists around the country, divided into industry sectors, so they know your sector well. They work alongside our expert media and data planners to take our tools and knowledge and apply them to your specific business needs. We even offer free workshops in media planning and delivery.

DATA SERVICES

Navigate the complexities of data and unlock its power for your business. Blending high-quality, industry-leading data with a depth of insight and experience, our experts provide services for capturing, managing and maintaining accurate customer data. We help you drive more value from your data and improve your marketing performance.

TOOLS

We have access to insights, creative and planning tools, all of which help you to generate the best results for your campaign. Take a look at the Mail ToolKit on mailmen.co.uk and you’ll see insights, case studies, research reports, statistics and more to help improve marketing performance. Our Insight Engine can also give you a greater understanding of how mail can affect your audience.

INSIGHTS

Our ongoing research seeks to understand why mail delivers more powerful 1-to-1 relationships, the important role mail plays in the customer journey and how marketers can benefit. For deep insights, get access to our extensive range of research reports as well as working with our Media Specialists to draw on research tools like Target Group Index (TGI) and IPA TouchPoints.

SOURCES OF FURTHER INFORMATION

Information Commissioner’s Office (ICO)
www.ico.org.uk

Direct Marketing Association (DMA)
www.dma.org.uk

Data Protection Network (DPN)
www.dpnetwork.org.uk

Federation of European Direct & Interactive Media (FEDMA)
www.fedma.org

Royal Mail, the cruciform and all marks indicated with ® are registered trade marks of Royal Mail Group Ltd. Royal Mail Group Ltd 2018.
Registered Office: 100 Victoria Embankment, London EC4Y 0HQ. © Royal Mail Group Ltd 2018. All rights reserved.
