Loyalty programmes and reward cards are one of the main ways retailers get people’s personal data. They have become a hallmark of the shopping experience, with customers gladly telling organisations their name, address and other information in exchange for occasional perks.
However, things are about to get a lot more complicated. The EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, strengthens individuals’ rights concerning their personal data and introduces strict rules on the way organisations process information.
Here are three ways in which the GDPR will affect loyalty programmes.
1. You can no longer rely on consent
Organisations need a lawful basis to process personal data. Most organisations use consent, but the GDPR discourages this practice by toughening the requirements for lawful consent. It should therefore only be sought where none of the other bases applies.
The most suitable lawful basis when collecting personal data for loyalty programmes is contractual obligation. However, even with this lawful basis there are restrictions on how freely personal data can be processed. The Regulation states that information should be collected for a specific purpose, used only for that purpose and retained for only as long as necessary. If an organisation wants to use the information for something else – such as a marketing email – it will need a separate lawful basis.
2. You must secure your data
The GDPR encourages the use of pseudonymisation and data encryption. Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Like pseudonymisation, encryption obscures information by replacing identifiers with something else. However, whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
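As an added illustration of the pseudonymisation described above (example code written for this page, not from IT Governance or the GDPR text), the snippet below replaces the identifying fields of constructed loyalty records with keyed HMAC-SHA256 tokens that differ per stated purpose, and shows that re-identification needs the separately held key. Encryption of the retained identifiers is left to a vetted library and is not shown here.

```python
import hashlib
import hmac

# Constructed sample loyalty records; not real people.
CUSTOMERS = [
    {"card_id": "LC-1001", "name": "Alice Example",
     "email": "alice@example.org", "points": 420},
    {"card_id": "LC-1002", "name": "Bob Example",
     "email": "bob@example.org", "points": 85},
]
# Fields that identify the individual and must not reach the analytics copy.
IDENTIFYING_FIELDS = ("card_id", "name", "email")


def subject_token(key: bytes, purpose: str, card_id: str) -> str:
    """Keyed (HMAC-SHA256) pseudonym for one card under one stated purpose.

    Binding the purpose into the input yields a different token per purpose,
    so the loyalty copy cannot be joined to a marketing copy without the key.
    An unkeyed hash would not do: anyone who can enumerate card numbers could
    reverse it, which is why the key is held apart from the pseudonymised data.
    """
    return hmac.new(key, f"{purpose}:{card_id}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes, purpose: str):
    """Copy of the records with identifying fields replaced by a token."""
    masked = []
    for rec in records:
        copy = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        copy["subject"] = subject_token(key, purpose, rec["card_id"])
        masked.append(copy)
    return masked


def reidentify(token: str, key: bytes, purpose: str, card_ids):
    """Map a token back to a card_id; needs the key and the card list,
    which only the controller holds, so the masked copy is of limited use
    to anyone else who obtains it."""
    for card_id in card_ids:
        if hmac.compare_digest(subject_token(key, purpose, card_id), token):
            return card_id
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # demo value; a real key lives in a KMS/HSM
    analytics = pseudonymise(CUSTOMERS, key, "loyalty-analytics")
    print(analytics)  # no name, email or card_id, just a per-purpose token
    ids = [c["card_id"] for c in CUSTOMERS]
    print(reidentify(analytics[0]["subject"], key, "loyalty-analytics", ids))
```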
3. You need to prepare for individuals’ rights
Individuals have eight rights under the GDPR, including the right to access any data that an organisation holds on them. Although individuals already have many of these rights, very few people make use of them. However, organisations should expect this to change, given the growing awareness of the GDPR and the importance of data protection.
Organisations should prepare for access requests by:
• Creating a clear and simple way in which individuals can submit an access request;
• Establishing a chain of command for who manages requests;
• Making sure that personal data can be accessed promptly; and
• Deleting any personal data that doesn’t meet the GDPR’s requirements.
Anyone responsible for complying with these rights needs to have a good knowledge of the GDPR. You no doubt have legal experts and managers reading up about it, but with such high stakes for managing personal data properly, organisations would benefit from as many qualified employees as possible.
GDPR training courses are therefore essential for anyone who handles EU residents’ personal data. IT Governance offers training courses for those just starting out with the GDPR and those who want more advanced guidance:
Book these courses together in our combination course to save 15%.