Data Protection at Royal Mail Group

Royal Mail Group, which includes both Royal Mail (RM) and Parcelforce Worldwide (PFW), is committed to high standards of information security, privacy and transparency and has a comprehensive framework in place to manage its Data Protection compliance, in line with industry standards.

Royal Mail Group’s approach to data protection

Royal Mail Group takes its data protection responsibilities seriously. Our Data Protection and Privacy Policy outlines how we work together to manage our compliance obligations under data protection laws. This policy is supported by robust internal processes and procedures. Our policies are managed by the Company Secretary and reviewed and signed-off by Royal Mail Group’s Audit and Risk Committee annually, as part of our governance processes.

Our internal policies for information security and data protection are designed to meet the regulatory requirements of UK GDPR, as well as the other data protection obligations with which we must comply, including under postal services legislation. Our Data Protection and Information Security policies and standards follow industry frameworks and best practice, such as ISO 27001, and ICO Accountability requirements.

We are strongly committed to safeguarding the data of our customers and colleagues. We have implemented technical controls with the objective of protecting the data that we hold. These controls include access controls and encryption to protect data and systems, as well as security event detection systems. We have procedures in place to deal with security incidents should they occur, and we continuously monitor potential threats. We test, assess, and evaluate the effectiveness of our security measures regularly.

For information about what personal data we use, how we process it, and why, see our Crystal Clear accredited Privacy Notice on our website (or our People Privacy Notice for colleagues’ personal data).

Royal Mail Group has a dedicated Data Protection Officer and team responsible for advising the business in relation to privacy and data protection, in line with its legal obligations. Royal Mail Group is advised by experienced lawyers, and regulatory and technical compliance experts, and has in place appropriate and proportional technical and organisational measures to ensure it meets its obligations under data protection laws. Royal Mail Group also has a dedicated Cyber Security team who, along with the Data Protection Team, is responsible for providing support and advice to the business in relation to information governance and information security.

Royal Mail Group takes its role as a data controller seriously. We proactively engage with the ICO (the UK’s Data Protection Regulator) to ensure our practices and prompt handling of privacy enquiries are done in the right way, protecting the rights and freedoms of the individuals whose personal data we hold. This open communication benefits our customers and colleagues and ensures efficient management by Royal Mail Group.

Royal Mail Group’s role as a data controller

Royal Mail Group does not process personal data inside the letters and parcels it handles. Where we process personal data for the purposes of sorting, tracking and delivering mail or parcels (including where an organisation provides us with ‘pre-advice’ for delivery purposes), we are the data controller. We are registered as a Data Controller with the ICO, under registration number Z5374624.

This position is supported by ICO guidance on the relationship between a sending customer and its delivery partner.

We sometimes receive data protection questionnaires from customers who have assumed we are acting as their data processor when delivering mail, which in most cases is incorrect. Where we act as a controller, we take on controller responsibilities and manage this data in line with Royal Mail’s Data Protection Compliance framework and therefore we do not provide detailed responses to such questionnaires.

Mail integrity

Royal Mail Group takes the security of our customers’ mail very seriously. We have robust approaches to the security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers. The security and integrity of mail services is regulated by Ofcom, and we comply with the Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed.

Ensuring our people are aware of the need for data protection, security, and integrity of mail forms a central part of recruitment, induction, training, and daily activities, including our vetting standards, which extend to suppliers.

Sub-contractors

Where we sub-contract personal data processing to third-party data processors, we require appropriate due diligence to be performed prior to onboarding. This is to ensure our third-party suppliers adhere to and uphold Royal Mail Group’s security and privacy standards. This process is managed by the Procurement, Cyber Security and Data Protection teams, and any issues identified are reported through supplier managers to the Data Protection Office for advice and appropriate treatment and remediation.

Processing outside of the UK

Where personal data is transferred to third-party data processors located outside the UK, Royal Mail Group conducts transfer risk assessments where appropriate.

We work closely with our internal lawyers, cyber security experts, and Procurement teams to put suitable safeguards in place to protect the information transferred, including standard contractual clauses and supplementary measures. We are committed to being recognised as the go-to delivery service in the UK and across Europe. Our Data Protection leaders are members of both the International Postal Corporation’s Data Protection Oversight Committee and PostEurop’s Data Protection Working Group, as we are fully engaged in setting industry best practices.

Policies and Standards

Royal Mail Group ensures that it consistently applies best practice across the organisation when handling personal data. A set of policies surrounding privacy and information security govern how its people, third parties and systems manage and protect personal data. These policies are supported by detailed standards which have been created by industry experts building trust into the heart of the design.

Data retention

Royal Mail Group has a Corporate Retention Schedule and supporting policies and procedures outlining the data retention requirements of the different record series we hold, plus secure data disposal/destruction on expiry to comply with its legal and regulatory obligations. Royal Mail Group retains data in line with business and operational needs, or to meet legal requirements.

Data Protection Training

All colleagues joining Royal Mail Group are required to complete data protection induction training within three weeks of joining the business and thereafter annual refresher training. On an annual basis, colleagues are required to attest to having read, understood and agreed to comply with the information in the training courses, which are underpinned by our Data Protection and Information Security policies. The completion rate for 2025-2026 annual e-learning data protection and information security training was 98.3%. Our aspiration is 100% and our target is 96%, because at any one time there are colleagues absent due to maternity leave or long-term sickness, or new joiners who are still working through their induction. Royal Mail Group’s award-winning Data Protection and Information Security Awareness and Education Program, Think Secure, runs business-wide campaigns and tailored training for teams throughout the year to refresh knowledge and remind all colleagues of their responsibilities and our secure privacy practices.

Privacy by Design

Royal Mail Group has embedded Privacy by Design and by default into the organisation’s Change Management Lifecycle. A Privacy Impact Assessment (PIA) is required for any project that involves the processing of personal data or has the potential to impact individuals’ privacy. This ensures that privacy risks are identified at an early stage and that appropriate safeguards are integrated throughout the project lifecycle. The process is further supported by a set of Privacy by Design requirements, which must be met when processing personal data. These requirements are aligned to guidance from the ICO and have been authored by privacy professionals within the business. Royal Mail Group is also advised by Cyber Security experts to ensure appropriate and proportional technical controls are designed and implemented to protect the personal data we hold.

Assurance & Audit

To assess and assure data protection compliance, Royal Mail Group has a second-line Privacy Assurance team and programme to ensure the technical and organisational measures that protect personal data are fit for purpose and operationally effective. Royal Mail Group’s Privacy Assurance function adopts a prioritised, risk-based approach to controls assurance across its systems, supply chain, and personal data processing activities within the Group. In line with ICO guidance and industry best practice standards, Royal Mail Group holds itself and its partners to account to protect all personal data and adhere to compliance responsibilities. The outputs of assurance assessments are reported to the DPO, first-line business areas and third-line Risk & Audit.

Data Protection internal audits are completed by the Internal Audit team periodically. Royal Mail’s Data Protection Governance Framework and Programme was independently audited in Jan 2024.

Artificial Intelligence (AI)

Royal Mail Group recognises that AI developments such as Generative AI have greatly improved technology capabilities to deliver value for customers and colleagues. Along with its wider group of companies, Royal Mail Group has agreed six principles to ensure we are using AI in the most responsible and safe way to protect our customers and colleagues. In Royal Mail Group, this is supported by the AI Governance Framework, policies and supporting processes. In 2025 we introduced a training programme to educate our colleagues on the responsible use of data and AI.