The GDPR is a good opportunity for your company to review how it processes personal data and what data it holds. Auditing your current practices is one of the best ways to prepare for the GDPR, so a thorough understanding of how your organisation handles personal data is essential.

Under the current EU Data Protection Directive, only data controllers are liable when it comes to data protection compliance.

However, the GDPR places direct obligations on data processors too.

It is therefore important to establish whether your organisation is a data processor or a data controller, bearing in mind that it could be both.


1. Know the personal data you hold

For your loyalty programme to comply with the GDPR, you need to document what personal data you hold, where it came from and who it is shared with.

The GDPR requires you to maintain records of the processing activities carried out for your loyalty programme, which in turn requires you to know what personal data you hold, its source and who it is shared with. The GDPR's accountability principle requires organisations to be able to demonstrate their compliance with the data protection principles set out in the regulation.

2. Know your existing customers' consent

Review how you seek, record and manage consent, and whether any changes are required.

Know and document how each member signed up to your loyalty programme, what permissions they gave for communication, and whether the consent they gave was clear and transparent.

If existing consents do not meet the GDPR standard, they need to be refreshed. Consent must be freely given, specific, informed and unambiguous. A positive opt-in is required; consent cannot be inferred from inactivity, pre-ticked boxes or silence.

The request for consent must be presented separately from the rest of the terms and conditions, and it must be as easy for individuals to withdraw consent as it was to give it.

3. Know individual rights

One of the key changes in the GDPR is the strengthening of individuals' rights, including the right to be forgotten (erasure) and the right to data portability, which means you could be required to hand a member's data to them in a machine-readable form that they can then take to a competitor.

Businesses are obliged to facilitate these rights, so it is important to have procedures in place for responding to such requests within the statutory time limit (normally one month).

4. Examine your privacy notices

This is particularly important for a GDPR-compliant loyalty programme.

Review the privacy notices currently in place and put a plan in place for making any required changes before the GDPR takes effect. When personal data is collected for your loyalty programme, you must provide specific information, such as your identity and how you intend to use the data. This is usually done in a privacy notice.

The GDPR requires additional information in your privacy notices, including the lawful basis on which you are processing the data and how long you will retain it.

You must also tell people that they have the right to lodge a complaint with the supervisory authority (in Ireland, the Data Protection Commission) if they believe their data is being mishandled.

The GDPR requires that the information in a privacy notice is provided in concise, clear and easily understood language.

5. Know your requirements around privacy by design

The GDPR turns privacy by design into a concrete legal requirement under the heading of "data protection by design and by default". In some situations it also makes privacy impact assessments mandatory; the regulation calls them Data Protection Impact Assessments (DPIAs). A DPIA is required whenever processing is likely to result in a high risk to individuals, for example when:

  • New technology is being used
  • Profiling takes place that can significantly affect people
  • Special categories of personal data are processed on a large scale

Again this is an important requirement when ensuring that your loyalty programme is GDPR compliant.

6. Appoint a Data Protection Officer

It is highly recommended that each organisation appoints a Data Protection Officer (DPO); for some organisations, such as those whose core activities involve large-scale, regular and systematic monitoring of individuals, it is mandatory.

The DPO acts independently and reports directly to the highest level of management within the organisation.

Their main responsibilities are to inform and advise the organisation on its GDPR obligations, to monitor compliance (including how consent is obtained and recorded, and whether DPIAs are carried out where required), and to act as the contact point for the supervisory authority.


If businesses already have policies and procedures in place to meet the requirements of the existing Data Protection Acts, they should have a solid foundation for complying with the GDPR. In many ways, the new regulation simply provides a clear framework for delivering good practice in data protection.

However, all businesses will need to take action to ensure compliance with the GDPR. Otherwise, the financial penalties (as well as the reputational damage) of non-compliance or a breach could have serious consequences for their business. This is not just an IT issue. The whole organisation, starting at board level, must show a willingness to understand the legislation and implement procedures that protect the fundamental rights of individuals.
