GDPR & Posting

Interested in what other firms are doing when it comes to posting documents to clients that contain 'personal data' to meet GDPR rules e.g. suitability reports, application forms etc. Will you be using:

1. Normal postal services e.g. 1st/2nd class
2. Royal Mail Recorded Delivery
3. Royal Mail Special Delivery

Jonny (paraflex)


  • Still considering this Jonny. Head says we should but how many people are actually at home to sign for the documents?

    Gone will be the days of partially completing an application for a client!
  • How does GDPR change the current DPA requirements for the security of hard copy data?

    Benjamin Fabi FPFS
    Chartered Financial Planner 
  • I don't believe there's anything specific about putting letters in the post.
  • JonaJona Member
    GDPR is more about consent to collect, share and how personal data is used.

    Sending something by post can be "assumed" secure as it is illegal to open post not addressed to you without legitimate reason.
  • @benjaminfabi I'm not sure it does as I also can't find anything specific from ICO referencing sending personal data via post as @arongunningham also observes. However, the compliance feedback we're getting seems to be pointing in the direction of sending everything via special delivery.

    Interesting point @Jona re assumed secure stance. Anything you can point me in the direction of to back that up?

    Does anyone have any information from a reputable source confirming one way or the other?

    Jonny (paraflex)
  • Don't have any sources. But our GDPR training was tongue-in-cheek suggesting that we're taking a turn back to using the postal system (assuming, therefore, it's null and void of the new regulation)?

  • I've had a think about this and I'm not going to change our postage - same as it was. The reason it's raised it's head is that we have to report the breach to the ICO in the event of this happening. I'm going to go with us being as sure as we can be with ensuring that the address is correct, and if we report it, then we've done everything we can.

  • @parawhat

    Perhaps you could suggest that your compliance team take a pay cut equal to the cost increases that result from special delivery on everything? :wink:

    I agree with Jona.

    The easy solution to this is to have an explicit opt in to standard 1st/2nd class post as a communication method on your client agreement.

    Benjamin Fabi FPFS
    Chartered Financial Planner 
  • @benjaminfabi Haha!

    Thinking this through. If something went missing in the post, say a suitability report and application pack that contained multiple instances of 'personal data' (some potentially sensitive), would that be reportable as a breach under GDPR rules? It seems open to interpretation whether this needs to be reported as ICO say:

    "What breaches do we need to notify the ICO about?
    When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it."

    Would having sent something by recorded/special delivery result in less scrutiny and/or a lesser fine (if it ever came to that) from the ICO because we had obviously done all we could to send the data securely?

    Jonny (paraflex)
  • On a slight tangent - how about emailing providers a client's LOA - should that be secure now?

  • parawhatparawhat Member
    edited May 2018
    I'd say yes @arongunningham because would include date of birth, NI number, policy numbers, provider name etc. We'd send that using securemail.
    Jonny (paraflex)
  • This is about the only reference I can find from the ICO regarding sending personal data by post. It's a little old (2014), but it is basically saying postal services aren't data processors and therefore the data controller (i.e. the IFA firm) would be responsible for any loss of that post. See para 35 & 38:

    1. The data controller that chooses to use a delivery service to
      transfer personal data is the party responsible for the data. If a
      delivery service loses a parcel containing highly sensitive
      personal data, it is the data controller that sent the data that
      will be responsible for the loss. It was the data controller that
      chose to use the delivery service. If it was vital that the
      personal data was delivered securely, the data controller should
      have used secure delivery rather than an ordinary postal

    Assuming the above is still the case post GDPR, the question then becomes what are the risks (monetary, regulatory, reputational etc) if a piece of post goes missing resulting in a breach. Would the ICO take a harsher view if normal post was used rather than recorded/special delivery?

    I suppose another question is how secure is recorded/special vs standard post and what % of each goes missing.

    Jonny (paraflex)
  • JonaJona Member

    Maybe we just need to add a "data security" filter to our research to only consider firms / products who accept digital signatures / online processing - then the post issue goes away....?

Sign In or Register to comment.