At the sharp end of GDPR: one print and mail firm is getting ready for May 25

John Orchard, Craig Whiting and Ray Mullis of Alpha Response

The new GDPR regulations, aimed at strengthening and unifying data protection for individuals within the EU, are looming.

But while companies are preparing for the new rules coming into force on May 25th, Gloucester print and mail specialist Alpha Response is at the sharp end of the regulations.

Contracted by clients, including six local authorities, to send out high volumes of direct mail, the company is privy to millions of pieces of data on customers and postal voters all over the UK.

That’s why the firm, which is based in the Permali Business Park on the Bristol Road, has become accredited to the ISO 27001 information security standard.

It’s the same standard used by banks and other security-conscious industries to protect data in all its forms, including in print.

“Companies need to use suppliers that have data security as a core value and the accreditation to ISO27001 demonstrates our commitment to that,” said John Orchard, marketing manager at Alpha Response.

“Given the sheer volumes of personal data we process here, a breach could have serious ramifications for our clients and ourselves, so it’s essential that our customers and their customers know that we care about protecting the data they supply.

“Of course, as a company it’s also important that people know we’re a safe pair of hands and can be trusted with their data. There’s a lot of concern out there in the business community about whether companies are going to comply with the regulations, so we’re pleased to be able to demonstrate that any threat won’t come through using us.”

The EU General Data Protection Regulation (GDPR) is a new data privacy law being introduced in May this year and is in addition to the outdated Data Protection Act, which came into force in the late 1990s before the dawn of the digital age.

It’s a complete overhaul of the legal requirements for anyone who handles the personal data of EU citizens and is aimed at giving people greater control of how businesses use information about them.

Any business involved in regular “processing” of data – including collecting and storing data – must comply with GDPR. Many of the new obligations were covered off by previous legislation but there are a number of new responsibilities.

These can include the appointment of a Data Protection Officer for organisations that carry out large-scale data processing, strict new reporting procedures following a data breach and changes to the nature of consent, so citizens will need to opt in to their data being used, rather than opting out.

GDPR will be enforced by large fines for non-compliance – up to 20 million Euros or four per cent of a company’s global turnover. The other risks of data breaches, such as revenue loss, negative reputation, remediation cost, customer notification expense and loss of client trust, all still apply.

Mr Orchard said: “Ironically – and fortunately for us – direct mail is one area where business can use a legitimate interest assessment rather than needing opt-in consent for legally processing data. This is unlike electronic communications where, as now, opt-in is specifically required.

“The Information Commissioner’s Office view is that businesses won’t need consent for postal marketing where the company can demonstrate it has a legitimate interest in processing the data, if there is no other way to fulfil the interest, if the use of data is proportionate and the marketing has a minimal privacy impact, and if people would not be surprised or likely to object to what they receive.

“So direct mail remains a safe and viable way for businesses to connect with existing and prospective customer databases, as long as those efforts can pass the assessment.”

The UK will be a full member state of the EU when GDPR comes into force and indications suggest that its principles will be implemented following Brexit.

For further detail on the potential consequences of not complying with GDPR, visit the ICO website at https://ico.org.uk/about-the-ico/our-information/our-strategies-and-plans/guidance-what-to-expect-and-when/