The GDPR: How should delivery companies handle personal data?

Delivery companies have become a quasi-Santa Claus for the digital generation. We order things online and rely on drivers (who may or may not have a long white beard) to bring them to us in time for Christmas morning. But it’s not just online shoppers who benefit: those who venture into the high streets might still use delivery companies to send presents to loved ones who they won’t be seeing over the festive period.

But what will things look like next Christmas, with the EU General Data Protection Regulation (GDPR) in effect?

Behind the scenes, the delivery industry will be very different, but we suspect that customers won’t notice too much of a difference.


But I thought the GDPR changes everything?

The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. However, consent is only one of six lawful grounds for processing data, and organisations should only rely on it if none of the other grounds apply.

The other lawful grounds are:

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employment contract.
  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions, hospitals and the police.
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.

Delivery companies will almost always be able to use contracts with the individual to collect personal data. It goes without saying that delivery companies need people’s names, addresses and contact information to send packages to their destination and confirm their delivery.

However, they need to make sure they only collect as much data as they need and keep it only as long as necessary. Figuring out how much data you need is relatively simple, but it’s much harder to determine how long “as long as necessary” is.

According to marketing company Epsilon Abacus, brands might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?”

It breaks down that figure for various industries (although not delivery companies), with the timeframe varying between three and a half years and six years and nine months.

However long you decide to keep data, you need a consistent and justifiable timeframe. When making your decision, you should seek legal advice.

For more advice on preparing for the Regulation, read EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide provides an overview of the Regulation and organisations’ compliance requirements.

IT Governance also offers training courses to help organisations learn how the GDPR will affect them. Learn more about our EU GDPR training courses >>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.