Marketing and business mail in a post-GDPR world

With the introduction of the new GDPR legislation in May 2018, the far reaching implications have concerned and confused many of our business mail customers.
Whilst there was panic before the legislation came into force, in the post-GDPR world we have actually found that it has presented a tremendous opportunity for anyone sending mail to their customers, whether this is standard business mail or promotional. By taking stock of your marketing processes and putting best-quality data practices at the heart of your organisations and campaigns you can take this opportunity to improve your communications, ensuring they are always well targeted and well received.
With a view from both sides, as a Marketing professional and also someone who works for a company providing a GDPR compliant service I've been interested to hear from our Integrated Mailing Solutions (IMS) clients. They have told us that the guidance they have received from events and through online marketing blogs has sometimes been contradictory and even alarmist.
As we witness the biggest regulatory change we have seen in our working lifetimes, it is reassuring to have the ICO confirm that postal marketing doesn't need prior consent. Therefore, even if you are unsure if you have legitimate interest, sending by post can put your mind at ease.

Unsure about what is classed as legitimate interests?
Despite a year of the legislation under our belts as Marketers, it's understandable that there is still confusion about what constitutes "legitimate interests" in relation to direct marketing or contacting customers and when consent is necessary.
The ICO breaks down the assessments into a three-part test:
1. Purpose test: are you pursuing legitimate interests?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual's interests override the legitimate interest?
The ICO then illustrates how legitimate interests can be applied in Marketing with additional reference to the Privacy & Electronic Communications Regulation (PECR) which you must adhere to when you are using electronic channels.
"You won't need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR."
This really is positive news for us Marketers and those who manage business communications as we can expect postal communications to be a safe channel.
You also might find it useful to visit the Direct Marketers Association's GDPR Guides here: or

So what is happening with ePrivacy regulations in the UK?
The draft EU ePrivacy Regulation was published at the beginning of January 2017, it will update and replace the UK's Privacy and Electronic Communication Regulation 2003 (known as PECR). However since then there have been significant delays to its progress and as a result the timescale is unclear. The existing PECR was last updated on 9th January 2019, with some updates to cover changes made by the GDPR. It is worth noting that the law on the Isle of Man follows the same principles of PECR. More information about data protection on the Isle of Man can be found on the Information Commissioner website here:
The current draft proposal mentioned above includes some headline changes:
- It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in
- It incorporates the GDPR's two-tier system of fines of 4 per cent of worldwide turnover, or up to €20 million for breaches of some parts of the Regulation
- It would apply to services providing so-called 'over-the-top' communication channels over the internet, such as Skype, Messenger or WhatsApp
- It would apply to organisations based anywhere in the world if they provide services to people in the EU

How can I use mail and legitimate interests?
The Data Protection Network produced a guide to legitimate interests which includes examples of scenarios in which legitimate interests would be a legal basis for processing personal data, including:
Direct marketing
A charity sends a postal mailshot out to existing supporters, providing an update on its activities and details of upcoming events.

Personal data transferred in an acquisition
A publisher acquires circulation data of several magazine titles in the course of a business acquisition and wishes to use the data for similar purposes to those for which it was originally acquired.

Postal marketing from third parties
A catalogue company adds details to its online order forms which indicate that it shares data with other cataloguers. The purchaser can opt-out of this sharing, and the other cataloguers are listed in the privacy statement.

A travel company relies on consent for its marketing communications, but may rely on legitimate interests to justify analytics to inform its marketing strategy, and to enable it to enhance and personalise the "consumer experience" it offers its customers.

But what about Brexit?
For companies based in the Isle of Man, we'll be aware that in March 2019, Tynwald approved the Data Protection (Withdrawal from the EU) (UK and Gibraltar) Regulations 2019.
This allows for the continuous flow of data into the UK post-Brexit and will remain in place until the UK obtains an adequacy rating from the EU, whereby it will automatically dissolve.

The GDPR opportunity...
Post-GDPR we think the regulation has presented an opportunity to create relationships with customers and prospects that are more transparent and trust based. Hopefully you have found that your clients are a lot more comfortable being contacted by your organisation with the reliability of legitimate interest.
Before GDPR, the ICO's 2016 Annual Tracker study showed that UK adults had "little confidence" in the current state of the data economy and there was some "data-sharing tension" existing between consumers and businesses over privacy protection. They also found that only 3 per cent of the British population were currently unconcerned about sharing personal information.
The GDPR is working to allay this distrust, and as such, it has presented an opportunity for marketers to build improved relationships with their customers and prospects by positively embracing the new powers that the law gives consumers.
Providing an opportunity for your organisation to truly embrace data protection as a brand differentiator – a core value that engenders better, more trusting relationships with consumers; you can use the GDPR as a fundamental building block to improve trust with consumers and create a permission pathway that delivers a better view of each customer as an individual.

How mail could help you thrive in a GDPR world
1. No consent required for postal marketing – Quoting from the Information Commissioners' Office's (ICO) website, 'You won't need consent for postal marketing but you will need consent for some calls, and texts and emails under PECR.' This means that businesses may have some customers that can only be reached by mail, as it is subject to fewer regulations than electronic communication.
2. Fewer regulatory unknowns regarding mail – Mail is not materially impacted by the proposed ePrivacy Regulation, whereas electronic channels are. Therefore, businesses will have less regulatory unknowns when contacting customers by mail, than by electronic channels.
3. Mail is recommended by the Direct Marketing Association to get consent – Some businesses will choose to re-permission some customer segments, and mail is well suited to do this. A few businesses have been fined for contacting their customers by email who had previously opted out of email communication.
4. Mail offers higher response rates than email – In a world where trust and frequency in communications are increasingly important to manage, mail is welcomed by recipients and offers a higher response rate than email*. Customers recognise that mail takes more effort than email. So, when it is used, it reassures them that organisations recognises and values them – that they cared enough to send mail.
5. It is easy to stay in touch via mail – While people are more likely to have multiple email addresses, including ghost addresses, which they do not check; people generally only have one residential or business postal address.

If you are interested in hearing more about how we can assist you in staying compliant and delivering quality customer communications in a highly secure ISO 27001 accredited environment, get in touch with our team of experts today. Either for a chat or arrange a meeting to see what our Business Solutions can do for your organisation, no matter the size or scale. Call us on 698444 or email us on

Share this post


Your Interests: