Data Protection at Royal Mail Group

Royal Mail takes its data protection responsibilities seriously. Our Data Protection and Privacy Policy outlines how we work together to manage our compliance obligations under data protection laws. This policy is supported by robust internal processes and procedures. Our policies are managed by the Company Secretary and reviewed and signed off annually by Royal Mail Group’s Audit and Risk Committee, as part of our governance processes.

Our internal policies for information security and data protection are designed to meet the regulatory requirements of UK GDPR, as well as the other data protection obligations with which we must comply, including under postal services legislation. Our Data Protection and Information Security policies and standards follow industry frameworks and best practice, such as ISO 27001, and ICO Accountability requirements.

We are strongly committed to safeguarding the data of our customers, employees and our business. We have implemented technical controls with the objective of protecting the data that we hold. These controls include access controls and encryption to protect data and systems, as well as security event detection systems. We have procedures in place to deal with security incidents should they occur, and we continuously monitor potential threats. We test, assess and evaluate the effectiveness of our security measures regularly.

For information about what personal data we use, how we process it, and why, see our Crystal Clear accredited Customer Privacy Notice on our website.

Royal Mail Group has a dedicated Data Protection Officer and team, in line with its legal obligations. Royal Mail Group is advised by experienced lawyers and by regulatory and technical compliance experts, and has in place appropriate and proportionate technical and organisational measures to ensure it meets its obligations under data protection laws. Royal Mail Group has dedicated Cyber Security and Data Protection teams who are responsible for providing support and advice to the business in relation to privacy, data protection, information governance and information security.

Royal Mail Group takes its role as a data controller seriously. We proactively engage with the ICO (the UK’s data protection regulator) to ensure that our practices, and our prompt handling of privacy enquiries, are done in the right way, protecting the rights and freedoms of the individuals whose personal data we hold. This open communication benefits our customers and colleagues and ensures efficient management by Royal Mail Group.

Royal Mail Group’s role as a data controller

Royal Mail Group does not process personal data inside the letters and parcels it handles. Where we process personal data for the purposes of sorting, tracking and delivering mail or parcels (including where an organisation provides us with ‘pre-advice’ for delivery purposes) we are the data controller. We are registered as a Data Controller with the ICO, under registration: Z5374624.

This position is supported by ICO guidance, which provides two examples of the relationship between a sending customer and its delivery partner.

We sometimes receive data protection questionnaires from customers who have assumed we are acting as their data processor when delivering mail, which in most cases is incorrect. Where we act as a controller, we take on controller responsibilities and manage this data in line with Royal Mail’s Data Protection Compliance framework, and therefore do not provide detailed responses to such questionnaires.

Mail integrity

Royal Mail Group takes the security of our customers’ mail very seriously. We have robust approaches to the security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers. The security and integrity of mail services is regulated by Ofcom and we comply with the Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed.

Ensuring that our people are aware of the need for data protection, security and the integrity of mail forms a central part of recruitment, induction, training and daily activities, and our vetting standards extend to suppliers.

Sub-contractors

Where we sub-contract personal data processing to third-party data processors, we require appropriate due diligence to be performed before onboarding. This is to ensure that our third-party suppliers adhere to and uphold Royal Mail Group’s security and privacy standards. This process is managed by the Procurement, Cyber Security and Data Protection teams, and any issues identified are reported through supplier managers to the Data Protection Office for advice and appropriate treatment and remediation.

Processing outside of the UK

In addition to international mail delivery, Royal Mail Group may need to transfer personal data about customers to third parties located outside the UK. Where we do this, we conduct transfer risk assessments and work with our internal lawyers, Cyber Security experts and Procurement teams to put suitable safeguards in place to protect the information transferred, including standard contractual clauses and supplementary measures. We are committed to being recognised as the best delivery service in the UK and across Europe. Our Data Protection Officer is a member of the International Postal Corporation’s Data Protection Oversight Committee.

Policies and Standards

Royal Mail Group ensures that it consistently applies best practice across the organisation when handling personal data. A set of policies covering privacy and information security governs how its people, third parties and systems manage and protect personal data. These policies are supported by detailed standards, created by industry experts, that build trust into the heart of the design.

Data Retention

Royal Mail Group has a Corporate Retention Schedule and supporting policies and procedures outlining the data retention requirements of the different record series we hold, together with secure data disposal/destruction on expiry, to comply with its legal and regulatory obligations. Royal Mail Group retains data in line with business and operational needs, or to meet legal requirements.

Data Protection Training

All employees joining Royal Mail Group are required to complete data protection induction training within three weeks of joining the business, and annual refresher training thereafter. On an annual basis, employees are required to attest that they have read, understood and agree to comply with the information in the training courses, which is underpinned by our Data Protection and Information Security policies. The completion rate for 2024-2025 annual e-learning data protection and information security training was 98.7%. Our aspiration is 100% and our target is 96%, because at any one time there are colleagues absent due to maternity leave or long-term sickness, or new joiners who are still working through their induction. Royal Mail Group’s award-winning Data Protection and Information Security Awareness and Education programme, Think Secure, runs business-wide campaigns and tailored training for teams throughout the year to refresh knowledge and remind all colleagues of their responsibilities and our secure privacy practices.

Privacy by Design

Royal Mail Group has embedded Privacy by Design and by Default into the organisation’s Change Management Lifecycle. All projects are required to complete a Privacy Impact Assessment, which ensures privacy requirements are embedded in everything we do. This is supported by a set of Privacy by Design requirements which must be met when processing personal data. These requirements are aligned to guidance from the ICO and have been authored by privacy professionals within the business. Royal Mail Group is also advised by Cyber Security experts to ensure appropriate and proportionate technical controls are designed and implemented to protect the personal data we hold.

Assurance and Audit

To assess and assure data protection compliance, Royal Mail Group has a second-line Privacy Assurance team and programme to ensure that the technical and organisational measures that protect personal data are fit for purpose and operationally effective. Royal Mail Group’s privacy assurance function adopts a prioritised, risk-based approach to assuring its systems, supply chain and personal data processing activities within the Group. In line with ICO guidance and industry best practice standards, Royal Mail Group holds itself and its partners to account to protect all personal data and adhere to compliance responsibilities. The outputs of assurance assessments are reported to the DPO, first-line business areas and third-line Risk & Audit.

Data Protection internal audits are completed by the Internal Audit team periodically. Royal Mail’s Data Protection Governance Framework and Programme was independently audited in 2023-2024.

Artificial Intelligence

Royal Mail Group recognises that AI developments such as generative AI have greatly improved technology capabilities to deliver value for customers and colleagues. The use of AI presents certain risks that need to be managed, and IDS (Royal Mail Group and GLS) have agreed six principles to ensure we are using AI in the best and safest way to protect our customers and colleagues. In Royal Mail Group, this is supported by the AI Governance Framework, policy and supporting processes.