Data Protection

GDPR and Direct Mail Marketing  

The GDPR is fundamentally about how data is collected and used. The core principle – that consumers have the right to be in control of their personal information – covers all types of marketing activity. GDPR addresses the fact that far more data about individuals is generated, captured and processed nowadays than when the Data Protection Act was drawn up in 1998.

Keep calm and carry on sending mail? In essence, yes.

Communicating to customers by Direct Mail – whether sending an account statement or a marketing promotion – is designated in law as being in the 'legitimate interest' of the company and customer.

This means you don’t have to go out and get their permission unless they have specifically asked to be removed from marketing communications.

You will still need to offer customers the opportunity to opt out of marketing mail, and will need to provide complete transparency about how you intend to use their information to fulfil both the letter and the spirit of the law.

Knowing how GDPR works is important, as it may influence your current marketing strategies. The key point is the guidance in the FAQ section of the ICO, which states: “You won’t need consent for postal marketing … you can rely on legitimate interest for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”

A simple test, a “Legitimate Interests Assessment” (LIA), is all that’s needed to demonstrate compliance and keep you on the right side of the regulations. There’s no actual template for the LIA, but it boils down to three essential elements. You’ll need to:

  1. Identify a Legitimate Interest: Why do you want to process the data, and what are you hoping to achieve by doing so? Include the benefits and their importance.
  2. Carry out a Necessity Test: Does your processing further the interest identified above, and is it reasonable and the least intrusive method?
  3. Carry out a Balancing Test: Consider the impact of your processing and whether this overrides the interest you have identified.

In other words, when contacting someone by post, consent from the person is not required and legitimate interest can be used so long as your marketing is minimally intrusive and relevant to the recipient. You won’t need to obtain their permission (unless an individual has specifically asked to be removed from marketing communications). You will still need to offer customers the opportunity to opt out of marketing mail and will need to be transparent in how you intend to use their information, but the key thing to realise is that you can continue, or begin, talking to customers using mail without any problem.

As guidance when sending direct mail, bear the following few points in mind:

  1. Be clear about the benefit to the end customer and be able to demonstrate this potential benefit;
  2. Ensure no harm or distress is caused to the customer;
  3. Identify the most responsive audience and conduct regular audits of personal data to ensure it remains up to date;
  4. Make it easy for customers to opt out of marketing campaigns, and ensure that those who have requested to opt out are not included in future campaigns;
  5. To ensure the integrity, confidentiality and security of personal data sent for processing, it is strongly recommended that you take practical steps such as adding passwords to data files and deleting data once it is no longer required.

GDPR and Postforce

What does GDPR cover?

GDPR concerns Personally Identifiable Information (PII), which is simply defined as “any information relating to an identified or identifiable natural person (“data subject”)”. Fundamentally, PII is any information which, either on its own or in combination with other available information, can identify a living individual. Traditionally, this might have been a name and address, mobile telephone number, email address, National Insurance Number, etc. GDPR extends this definition further to cover online identifiers such as IP addresses, cookies and other IDs associated with personal computing devices such as laptops, PCs and mobile phones.

Who does GDPR apply to?

GDPR applies to any organisation which collects, stores, processes or uses personal data, regardless of whether that data is stored in paper form or electronically. Two types of role are defined: “data controllers”, who collect personal data and determine its use (for example, a football club which compiles a database of its members’ details), and “data processors”, who carry out processing of personal data under the direction of the data controller (for example, a mailing house or email service provider sending out communications to members on behalf of the football club). Organisations can fulfil more than one role depending on the types of data they collect and process.

Postforce Ltd acts as a “data processor” when using personal data supplied by organisations for the sole purpose of generating marketing mail.