Just so I make sure I've not misread the notice, the date of the parking event i

1. Just so I make sure I've not misread the notice, the date of the parking event is the 1st of November and the date of the notice's issuance and posting is the 7th of that month?
2.  
3. If so, you have got a 'golden ticket'. Windscreen issued PCNs must be followed up by a Notice to Keeper which is received by the keeper between 28 and 56 calendar days after the parking event. Given the usual assumption that a letter is received 2 working days after posting, then according to their own evidence, you received it far outside the 28-56 day mandated time period. This time period is set out in Paragraphs 8(4) and 8(5) of Schedule 4 of the Protection of Freedoms Act 2012.
4.  
5. Thus they cannot recover the charge from you in the capacity of the vehicle's keeper (i.e. person given on the V5C). They can only do so from the driver, whose identity they presumably do not know - so do not imply or give the driver's identity under any circumstances!
6.  
7. To get your details as the keeper, they had to apply to the DVLA and use their electronic (automatic) link. Parking companies must do this under a uniform contract known as KADOE and their access to, and use of, keepers' details must be in strict compliance with this contract. If they breach this, they are also breaching the GDPR and Data Protection Act 2018. One of the many requirements is that parking companies only request data where, and at a point when, it is necessary to recover unpaid parking charges in a legally enforceable way.
8.  
9. Therefore, getting your details well outside of the time periods where they would be able to enforce the charge is a breach of their access contract and hence illegal. Then using said illegally obtained data to send you a letter to enforce a charge which they know they cannot enforce because of the early sending of the NTK is also a breach of the access contract and hence also illegal.
10.  
11. When organisations breach the GDPR and/or DPA, they are liable to pay you compensation for all material losses and non-material distress which they thereby cause. Compensation in a case like this might be £100-250 at the current stage, if they drop proceedings now. If they (as I would expect) continue despite knowing they have a hopeless case, then that may rise significantly.
12.  
13. For now I'd make use of your new GDPR rights to obtain a copy of all the personal data they hold on you (Article 15) - including details of when requests to the DVLA were made - and also to object to their processing of your personal data, but demanding they store it for future legal proceedings (Article 18(1)(b)).
14.  
15. They may not charge a fee for either request, but they must comply with them - or give a valid reason as to why they are not complying - 'without undue delay', and in any case in no more than 30 calendar days. If they fail to do this then this represents a further breach which could lead to further compensation and/or damages.
16.  
17. Basically, you have them by the short and curlies. Make the most of it.