General Data Protection Regulation (GDPR)

Royal Mail is committed to high standards of information security, privacy and transparency and will comply with the General Data Protection Regulation (GDPR).

The overall approach at Royal Mail Group to data protection

We have numerous data policies, procedures and processes in place to manage compliance with data protection law. Internal policies are managed by the Company Secretary and signed off by senior executives as part of our standard governance process. These internal policies relate to information security and data protection, all of which have been reviewed and updated in line with GDPR.

You can view our privacy notice on our website, which you can find here: https://www.royalmail.com/privacy-notice.

Royal Mail Group is advised by experienced lawyers and regulatory experts and has developed appropriate procedures and processes for each service. Royal Mail has a dedicated Information Security team and an Information Rights and Governance team which are responsible for providing support to the business in relation to privacy, data protection compliance, information governance and record management. Royal Mail Group also has its own Data Protection Officer.

We strive to ensure the protection of all the personal data on our customers, as well as all other information we hold, so that we have the trust of our customers and regulators when we innovate and use the information we hold in new ways.

Our role as a data controller

Where Royal Mail Group is requested to deliver mail or parcels (including where an organisation provides personal data as ‘pre-advice’ for delivery purposes) we take the view that we are acting as the data controller for these services. This is backed by the ICO’s guidance here. Paragraph 39 states:

‘…the delivery service will be a data controller in its own right in respect of any data it holds to arrange delivery or tracking for example, such as individual senders’ and recipients’ names and addresses and in respect of its own staff records and so forth.’

We sometimes receive GDPR questionnaires from organisations which have assumed that we are acting as their data processor when delivering mail, which in the majority of cases is incorrect. Where we act as a controller we take on controller responsibilities and therefore do not intend to provide detailed responses to those questionnaires.

Mail integrity

Royal Mail takes the security of our customers’ mail very seriously. We have robust approaches to security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers.

Ensuring our people are aware of the requirements for the security and integrity of the mail forms a central part of our recruitment, induction, training and day-to-day activities. The security and integrity of mail services is regulated by Ofcom. Royal Mail and other postal operators have to comply with a Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed: https://www.ofcom.org.uk/postal-services/information-for-the-postal-industry/conditions.

Data retention

Royal Mail Group has internal data retention policies which cover the requirements for data retention and secure disposal/destruction of information waste in compliance with the Group’s legal and regulatory obligations.

Sub-contractors

The Group sub-contracts some of its personal data processing to external data processors. Prior to appointment, our sub-contractors go through a detailed security audit and must adhere to the Royal Mail Group information security policies. Any compliance issues are reported through the relevant supplier manager to Group Compliance for advice and then escalated appropriately.

Processing outside of the European Economic Area (EEA)

Royal Mail Group may need to transfer personal data about customers to third parties located outside the UK. If we do, we will ensure that data is protected to a level which meets the requirements of UK law. We are committed to being recognised as the best delivery service in the UK and across Europe.