According to KPMG’s Privacy Advisory in October 2016, it reveals that on average globally, 56% of people are “concerned” or “extremely concerned” about the way companies handle and use their personal data. This ranges from identity theft regularly seen in news headlines, giving a real sense that ‘big brother is watching’.
By Charlie Hill
Therefore, it’s no surprise that the EU has acted with the enforcement of GDPR and ensuring all businesses must comply. Entailed is a view of GDPR including how GDPR and brand partnerships benefit your loyalty programme accompanied by an essential step by step guide to GDPR.
Top 3 reasons why GDPR can help your loyalty programme
- Through asking for consent and being completely transparent to your customer, it encourages your customer to engage with your brand, meaning they will want to hear from you, whilst creating an interest in your brand building greater loyalty and ambassadorship.
- Enforcing GDPR provides an opportunity for you to reappraise your system, create an inventory of data, provide a greater understanding of how your business uses data and where it can create the most value.
- Your databases will be super-efficient, organised and you will only hold the data that is integral to your market andyour customers.
‘How brand partners can help you win at GDPR’
The main challenge brands are facing, is hitting the May 2018 deadline, retaining valuable customer data. Brand partnerships can help greatly with this, by working with other brands to offer your customers a gift or reward in return for them sharing their data, partners can enable you to hit that and show your customers that a reward means you value them sharing their personal information with you.
Step by step guide to GDPR and what you need to know.
Why you need to act now: It is known that there will be no grace period before enforcement of GDPR begins in May 2018 and GDPR will apply to UK companies even after Brexit. Even if that was revoked, companies doing business in the EU or engaging customers within the EU will still have to be compliant, this applies globally.
Understanding personal data: What you need to know.
What is personal data:
It means any information that relates to an identified or identifiable individual. If you can identify your customers online, GDPR applies. Even if you don’t know obvious identifiers such as name or email address, something like geolocation or a social media handle still falls under GDPR regulations.
The more data you gather and store, the more this increases the risk of a customer being identified. Aggregating a number of identifiers such as postcode, age and gender could indirectly identify an individual. Remember that there are also sensitive categories of personal data that must be protected such as Racial/ethnic origin, political opinions, religious beliefs, Trade Union membership, genetic/biometric data, health & sexual orientation.
When collecting data, under GDPR it must be collected for specified, explicit and legitimate purposes: Personal data must not be further processed in a manner that was not for which it was collected or intended.
Why you must get consent:
Consent is absolutely paramount under GDPR, and in most cases, this needs to be explicit. You must be clear and unambiguous. You need to issue a clear statement that ensures your customer understands the agreement they are making to share their personal data. Consent ensures that you are proving your customers with choice and control over how their data is processed and used.
You can get customer consent by creating pop-ups and dialogues that ensure the customer has to take action to agree, pre-ticked boxes no longer apply. Make sure you use clear plain language and consent stands alone and not part of any other items in your communications such as website T&C’s. Hold information as to how the consent was obtained such as time, date and stating your intentions.
An individual has the right to withdraw their consent at any time and you must give them a straight-forward route to withdrawing their consent. Ideally in the manner of which the consent was provided. Make sure consent
is freely given and the customer has a free choice to consent and withdraw. On that note, every reasonable step must be taken to ensure personal data that is inaccurate is erased or rectified without delay.
As previously highlighted, GDPR can provide great opportunities for efficiencies and create a clear inventory of what data you hold. An inventory could consist of the kinds of personal data you collect and hold, remember this applies as much to employees and contractors as it does to customers. How you have collected that data e.g. tracking cookies, email and intentions such as market research or advertising and how it is then used all need to be recorded.
How do you decide what personal data to hold and if you need to, answering some of these questions may help…
- Do you need to hold an individual’s data?
- Do you need to identify who these customers are?
- Do you need to identify them to use and analyse the data?
If it’s yes, by all means, hold the data but minimise how much you hold. Where possible hold aggregated data.
Part of GDPR is understanding the rights of your customers. They will have access rights, the right to rectify, object, rights in relation to profiling and the right to erasure. Finally, the customer has the right to ask for an explanation of how their data is processed and anyone that controls that data must comply with the request, in most cases any requests needs to be answered within one month of the request.
When asking for data you have to ensure as a business you are completely transparent. Therefore, products and services should be designed in a way that ensures that all necessary information is provided to your customers. This should take account of considerations such as screen size and platform and make use of responsive design (e.g. notices for mobile apps or mobile websites should be adapted for small form-factor displays).
Within your business, it is important to note that it’s not the few that are responsible but all. This includes external suppliers who process your data, they too fall under GDPR and are liable for breaches and fines.
Security breaches and notification:
In the case of a breach, you need to notify the DPA within 72 hours, you must keep a record of all data breaches. Remember fines are up to 2-4% of your global turnover.
What you should do now:
- Understand what personal data your company uses, stores, processes and holds.
- Review legal grounds for processing personal data against GDPR requirements.
- Review privacy notices/policies and internal procedures.
- Assess your supply chain.
- Assess whether you need to appoint a DPO and identify the individual(s).
- Look into putting together a GDPR project team.
Charlie Hill is Editor at Large for The Wise Marketer