Please note: This post is an overview of GDPR based on research and publicly available information. It is NOT an official guide on how to become GDPR compliant, and you should not take this post as legal advice. If you believe your program needs help to become GDPR compliant, please reach out to a legal professional.
If you’re wondering why every brand you interact with online is sending you notices letting you know they’ve updated their Terms and Conditions and/or Privacy Notices, here’s a hint. It’s probably because of GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR) was officially created in December 2015 by the EU to set in place basic data protection standards for every EU and UK citizen. EU and UK companies, and any companies that do business with the EU and UK or with EU and UK citizens, need to comply with the new regulations. It’s supposed to officially take effect on May 25th 2018, and that deadline is growing worryingly close for many brands.
Every company might have its own set of protection processes for consumer data. But now there will be one uniform set of regulations in place across the board for all EU and UK citizens. These regulations will affect any individual or business who collects personal data from consumers.
The GDPR defines personal data as any information from which the user can be identified. So, for example, cell phone numbers and personal emails — like JohnDoe@gmail.com — are considered personal data and fall under GDPR. Meanwhile, a mainline office number or a generic email — marketing@GDPR.com for example — is not considered personal data.
So Who Does GDPR Apply To?
The central question asked about the GDPR is — who cares?
Or more specifically, how does the GDPR apply to me?
Well if you’re an EU or UK individual, that means any business that collects your personal data is now under new regulations to protect your data. (More details to come)
On the flip side, if you’re a business or individual who collects the personal data of an EU or UK citizen, you are now required to comply with the GDPR – even if you are not an EU or UK business.
Specifically, you need to be GDPR compliant if you:
- Are located within the EU/UK or work with companies in the EU/UK
- Offer free or paid-for goods and services to individuals within the EU and the UK
- Monitor individuals within the EU or UK – including online monitoring
At first glance, you might not think that you’re required to be compliant because your consumer base is primarily in the US. But let’s say you’re an individual who runs a lifestyle blog and also sends out a bi-weekly newsletter to an email mailing list built from people who have signed up on your website. If one or more of those individuals are from the EU or UK, or if you use Google Analytics to track where your blog traffic is coming from, you are now required to comply with GDPR, even though you are a simple blogger.
Now imagine how much greater the odds are that you have EU or UK citizens among your client base if you are a larger business with more digital scope and product offerings. This includes loyalty programs.
If you run a loyalty program with international customers, you need to seriously determine whether or not you will need to become GDPR compliant. Consider 1) the details of your existing customer base and 2) whether your loyalty program is currently available to EU or UK citizens, or if you plan to become available in the future.
How Do I Know If My Program Needs To Become GDPR Compliant?
Here are more details to help break down exactly where your loyalty program could fall under the GDPR. A Data Subject, in GDPR terms, is anyone who provides a company with personally identifiable information, whether it’s for shopping purposes, applying for jobs, or engaging in an online service.
The Data Controller is the company that receives the data and processes it to provide the goods and/or services you want.
If the Data Controller uses an outside supplier to provide the promised goods and/or services, and thus passes the Subject’s personal data to that supplier, the supplier becomes the Data Processor.
Under the original protection laws, only Data Controllers needed to comply with privacy requirements. Under GDPR, both Data Controllers and Data Processors need to be compliant, which means anyone who interacts with the personal data of UK or EU citizens needs to be GDPR compliant.
If your due diligence reveals your loyalty program falls under GDPR requirements, then here are some tips to help get you started on your compliance journey.
What Are The New Regulations?
The GDPR requirements can be broken down into simple concepts, although the actual details are more substantial.
Right to be Informed
Transparency and consent are the major items on the new list of regulations. You must tell users how their data will be used and obtain their permission for collecting their data. You also need to ensure your process for obtaining user consent is simple and straightforward.
Consent can no longer be implied — meaning you cannot assume the user is giving their consent for you to collect their data simply because they’re using your platform. Now, positive opt-ins are required, and they need to be completely separate from the complicated legal jargon of the normal T&Cs so users can clearly understand what it is they’re opting in to receive. If you’re collecting user data, you need to clearly explain how you intend to use it. If you change how you use personal data, you must inform the consumer. You also need to ensure the user understands their right to withdraw their consent at any time. All of this must be clearly laid out and available to the user on your website or platform.
This isn’t just for new loyalty member opt-ins. If your original consent requests for gathering consumer data didn’t meet the GDPR standards, you’ll need to resend consent requests to all your current EU/UK consumers.
Which brings us to our next point:
Right to Access, Rectification, and Erasure
GDPR is intended to strengthen the rights of individuals over their own data. This includes the ability for users to access, correct, and erase their information. You’re probably familiar with the infamous “right to be forgotten” court cases involving Google.
Consumers now have the right to withdraw their information from your database. We’ll note this is not yet an absolute right, but you still need to be prepared to do so upon request. This means you need to organize your database and your data-handling processes so you can find and remove information easily. You have one month from receiving a request to completely remove the individual’s information. If you don’t have procedures in place to handle either kind of request, you should begin developing your processes. This may include updating your database, providing a venue for consumers to submit their withdrawal requests, and training current employees or hiring new ones to cover these requests.
Data Protection and Portability
The GDPR is a good opportunity for your organization to review its loyalty program data. Specifically, you should know:
- What kind of data does your loyalty program handle and where does it come from?
- How does your program collect data? How do you store data? Is it encrypted?
- Are you keeping accurate and updated records, or is your information spotty and old?
Prior protection regulations only held data controllers liable when it came to data protection. Now GDPR requires data processors to comply as well. If you collect any kind of user data, you need to ensure your protective measures are in top shape.
Two things to note:
- If you experience a data breach, you must inform your users within 72 hours of discovery that their information might be compromised.
- You, as a Data Controller, can be held liable for any breaches if it’s shown that your program isn’t secure and that you did not follow the proper procedures for protecting user information.
If you’re not 100% certain you know every kind of user data your program collects, now’s the time for you to learn those details. You’ll have a more solid footing on how GDPR affects you and the steps you need to take to become compliant.
Additionally, consumers have the right to data portability, which means they can request the information they supplied to a Data Controller be forwarded on to other Controllers. This is primarily for when consumers want to switch service providers, such as cable providers.
How Can I Make Sure My Loyalty Program Is Compliant?
Here’s some good news: loyalty programs are already closer to being GDPR compliant than most people probably realize. The very nature of loyalty programs makes it clear brands are engaging in a value exchange with their program members. This means consumers understand their information is going to be used for rewards purposes. In most loyalty programs, consumers must opt in before they can begin using the program or receive program communications. If your loyalty program needs to become GDPR compliant, you just need to make sure your communications and protections meet the required standards.
You can find those standards and more details on the UK Information Commissioner’s Office (ICO) website.
As we said before, this is just a quick overview of GDPR standards. You shouldn’t consider it a comprehensive guide to the General Data Protection Regulation. You should consult your legal counsel and review the specific requirements of the GDPR.
If your program is not required to be GDPR compliant, then congrats! However, it would still benefit you to review your privacy terms and data protection. Part of the reason individuals remain loyal to a brand is established trust. You should take preemptive measures to assure your customers that you’re taking their security seriously.