Secure Data Transfer and Protection

At Postforce, we take data security very seriously and we ask clients to send data to us using our preferred safe system – dataXchange (end-to-end AES 256 military grade encryption). dataXchange is an information management system which meets the requirements of ISO 27001:2013. The system is certified by the British Assessment Bureau (Certificate No: 211778).
Please contact us for details of how to securely transfer your address data to us.

About dataXchange:
ISO27001:2013 Information Security Management System
dataXchange is an information management system which meets the requirements of ISO 27001:2013. The system is certified by the British Assessment Bureau (Certificate No: 211778).
Amazon S3 Data Centres:
Your files are stored on servers in Amazon S3 Data Centres. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.
Penetration Testing:
dataXchange undergoes regular penetration testing. All our security assessments are performed by external security consultants, using UK industry-approved methodologies (NIST, OWASP, PTES) that meet or exceed the requirements set by regulatory and compliance standards such as PCI DSS 3.2.
Data Protection & Encryption
dataXchange provides end-to-end AES 256 military grade encryption to ensure your data is protected in transit (as it travels to and from dataXchange) and at rest (while it is stored within dataXchange). Your files are encrypted on upload to and download from dataXchange by using HTTPS. At rest, your files are encrypted using AES 256 encryption within Amazon S3 data centres.
Password Security
Passwords are not available to anyone but the intended user. In the event a password is forgotten, users can request a new auto-generated password.
Password Format - Minimum 10 characters, Alpha Numeric with Mixed Case.
Authentication Throttling - After 3 unsuccessful password attempts, account locks out for 5 minutes.
Inactivity - After 60 minutes of inactivity users are automatically logged out.
Browser Close – Users are automatically logged out when the web browser is closed.
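As an added illustration (not dataXchange's own code), the password format and authentication throttling rules listed above modelled in Python; the data structures, the reading of "Alpha Numeric with Mixed Case" as at least one digit, one lower-case and one upper-case letter, and the clock handling are assumptions:

```python
"""Model of the password rules and throttling described on the page.
Policy values (10-character minimum, mixed-case alphanumeric, 3 failed
attempts then a 5-minute lockout, 60-minute inactivity timeout) come from
the page; the account state and function names are assumed."""
from dataclasses import dataclass
import re

MIN_LENGTH = 10
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 5 * 60
INACTIVITY_SECONDS = 60 * 60


def password_meets_format(password: str) -> bool:
    """Minimum 10 characters, with at least one digit, one lower-case and
    one upper-case letter (assumed reading of 'Alpha Numeric with Mixed Case')."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked
    last_activity: float = 0.0  # epoch seconds of the last request


def attempt_login(state: AccountState, password_ok: bool, now: float) -> str:
    """Returns 'locked', 'failed' or 'ok'. `password_ok` is the outcome of the
    credential check itself (a constant-time hash comparison in a real system).
    Attempts made while locked are rejected without being counted."""
    if now < state.locked_until:
        return "locked"
    if not password_ok:
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0  # counter restarts after the lockout
        return "failed"
    state.failed_attempts = 0
    state.last_activity = now
    return "ok"


def session_active(state: AccountState, now: float) -> bool:
    """Inactivity rule: a session with no request for 60 minutes is logged out."""
    return state.last_activity > 0 and (now - state.last_activity) < INACTIVITY_SECONDS
```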

Minimisation
Users set, at upload time, when their files are deleted from dataXchange; files can also be deleted manually by users at any time. Limits are placed on how much data can be stored.
Additional User Security Tips:
Additional measures can be taken by clients to keep data transfers as secure as possible, including:
Encrypting your own data or using password protected zip files, which is effectively double-encrypting;
Users should not share their passwords;
Don’t use browser password remember functions;
Log out of dataXchange when not in use;
Delete files in dataXchange when they are no longer needed.


GDPR and Direct Mail Marketing

The GDPR is fundamentally about how data is collected and used. The core principle – that consumers have the right to be in control of their personal information – covers all types of marketing activity. GDPR addresses the fact that far more data about individuals is generated, captured and processed nowadays than when the Data Protection Act was drawn up in 1998.


Keep calm and carry on sending mail? In essence, yes.

Communicating to customers by Direct Mail – whether sending an account statement or a marketing promotion – is designated in law as being in the 'legitimate interest' of the company and customer.

This means you don’t have to go out and get their permission unless they have specifically asked to be removed from marketing communications.

You will still need to offer customers the opportunity to opt out of marketing mail, and will need to provide complete transparency about how you intend to use their information to fulfil both the letter and the spirit of the law.

Knowing how GDPR works is important as it may influence your current marketing strategies. Of particular importance is the guidance in the FAQ section of the ICO website, which states: “You won’t need consent for postal marketing … you can rely on legitimate interest for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”

A simple test, a “Legitimate Interests Assessment” (LIA), is all that’s needed to demonstrate compliance and keep you on the right side of the regulations. There’s no actual template for the LIA, but it boils down to three essential elements and you’ll need to:

  1. Identify a Legitimate Interest: why do you want to process the data and what are you hoping to achieve by doing so, including the benefits and how important they are?
  2. Carry out a Necessity Test: Does your processing further the interest identified above, and is it reasonable and the least intrusive method?
  3. Carry out a Balancing Test: Consider the impact of your processing and whether this overrides the interest you have identified.

In other words, when contacting someone by post, consent from the person is not required and legitimate interest can be used so long as your marketing is minimally intrusive and relevant to the recipient. You won’t need to obtain their permission (unless an individual has specifically asked to be removed from marketing communications). You will still need to offer customers the opportunity to opt out of marketing mail and will need to be transparent in how you intend to use their information, but the key thing to realise is that you can continue, or begin, talking to customers using mail without any problem.

As guidance when sending direct mail, bear the following few points in mind:

  1. Be clear of the benefit to the end customer and be able to demonstrate this potential benefit;
  2. Ensure no harm or distress is caused to the customer;
  3. Identify the most responsive audience and conduct regular audits of personal data to ensure it remains up to date;
  4. Make it easy for customers to opt out of marketing campaigns, and ensure that those who have requested to opt out are not included in future campaigns;
  5. To ensure the integrity, confidentiality and security of personal data sent for processing, it is strongly recommended that you take practical steps such as adding passwords to data files and deleting data once it is no longer required.

Useful Links:

Information Commissioner's Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Data Protection Network: https://www.dpnetwork.org.uk/wp-content/uploads/2017/09/DPN-Guidance-A4-Publication.pdf

UK Fundraising: https://fundraising.co.uk/2018/02/02/ico-gives-charities-new-reason-optimistic-gdpr/?utm_content=buffer05a19&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer#.WnsuNUx2vct

GDPR and Postforce

What does GDPR cover?

GDPR concerns Personally Identifiable Information (PII), which is simply defined as “any information relating to an identified or identifiable natural person (‘data subject’)”. Fundamentally, PII is any information which, either on its own or in combination with other available information, can identify a living individual. Traditionally, this might have been a name and address, mobile telephone number, email address, National Insurance Number, etc. GDPR extends this definition further to cover online identifiers such as IP addresses, cookies and other IDs associated with personal computing devices such as laptops, PCs and mobile phones.

Who does GDPR apply to?

GDPR applies to any organisation which collects, stores, processes or uses personal data, regardless of whether that data is stored in paper form or electronically. Two types of role are defined: “data controllers” – who collect personal data and determine its use (for example, a football club which compiles a database of its members’ details) – and “data processors” – who carry out processing of personal data under the direction of the data controller (for example, a mailing house or email service provider sending out communications to members on behalf of the football club). Organisations can fulfil more than one role depending on the types of data they collect and process.

Postforce Ltd acts as a “data processor” when using personal data supplied by organisations for the sole purpose of generating marketing mail.