All of us should by now have heard about the new EU-wide GDPR legislation that dictates how personal data can be gathered, stored, processed and used. It comes into force on 25th May 2018. In the case of prize promotions, the process might involve personal data obtained from collecting entries, storing it on your server, selecting a winner at random from the data, using it to contact winners and then to send winners their prizes, transfer cash or book travel for holiday wins – the possibilities are endless. The data controller would generally be the brand, and their agencies or suppliers would be defined as the data processor – and both are liable for any breaches to the tune of up to €20 million or 4% of annual turnover.
The First Rule – Less is Best
Only gather the data that you actually need. If you only ever email winners, why ask for their phone number? If they are ticking that they are over 18, is there a real need to ask for their date of birth? Not only is it a barrier to participation, it also risks making your data headache bigger than necessary.
The Second Rule – Consent Must Be Positive and Relevant
This is the end of pre-ticked boxes and complicated double-negative consent wording. You need to be clear and precise, and ensure that there is a separate consent box for each of the possible communication routes, e.g. one for email, one for phone, one for post etc. Store this consent data; it is vital to be able to show that valid consent was given.
The Third Rule – Processing Data
You should only use the data either for the stated purpose or for a purpose that the consumer might reasonably have assumed. So if you gather data from consumers of your toothpaste but then use it to offer car insurance, they would be right to be surprised and raise a formal complaint, but mouthwash would be okay. There is also the question of how long you should store personal data – the law is not specific; it just says for no longer than is necessary for the performance of the relevant activity. We often get involved in promotions with weekly prizes that may run for 15 weeks. Technically the data from week one could be deleted once we have selected our winners, but there might be a need to hold onto it for longer if, for example, there was a clause in the terms saying ‘only one entry per person across the promotional period’, or there was a Wrap Up draw at the very end. Then it would be valid to hold onto the data from week one till the very end and a ‘reasonable time’ beyond that.
The second part of Less is Best is getting rid of data. As part of our ISO27001 accreditation it is PromoVeritas’ policy to destroy all consumer entry data 6-12 months from receiving it, and we recommend this policy to all our clients. Processes need to be put into place to ensure that this is automated or carried out regularly.
One thing to note: under GDPR an individual has the ‘right to erasure’ – the right to ask for their data to be deleted – and you must do this within one month of the request. If this happens during a long-running prize promotion, they are in effect excluding themselves from future opportunities to win in that promotion, unless they enter again, which may have been their plan anyway.
Section 8.28.5 of the UK CAP Code requires promoters to make available the full name and county of major prize winners. Consent for this must be received at the time of entry – by agreeing to the Terms & Conditions, which should include this requirement – and ideally by ticking the relevant box. But the code also warns that “Prize winners must not be compromised by the publication of excessive personal information” – this means that, particularly for large or valuable prizes, they should not be easily identifiable. For now our policy is to include the full name and county of major prize winners, but this might change in the future. Furthermore, if a winner has asked for their data to be deleted you will have to post a winners list with blank spaces instead of a name.
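As an added illustration of how the rules above (separate per-channel consent, one entry per person, retention purge, right to erasure and a winners list with blank spaces) could be enforced in an entry register, the following Python is constructed example code; it is not PromoVeritas’ own system or process, and the entrants, dates, the `EntryRegister` class and the 180-day retention period are all assumptions made for the example.

```python
import random
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: 180 days, the lower end of the 6-12 month window mentioned in the text.
RETENTION_DAYS = 180


@dataclass
class Entry:
    entrant_id: str
    full_name: str
    county: str
    email: str
    received: date
    # channel -> date the separate (never pre-ticked) box was ticked; no key means no consent
    consent: Dict[str, date] = field(default_factory=dict)


@dataclass
class Winner:
    week: int
    entrant_id: Optional[str]
    full_name: Optional[str]   # None once the winner has exercised the right to erasure
    county: Optional[str]


class EntryRegister:
    """Hypothetical entry store for one prize promotion (constructed for this example)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}
        self.winners: List[Winner] = []

    def add_entry(self, entry: Entry) -> bool:
        """Refuse a second entry for a stored entrant_id ('one entry per person across the period')."""
        if entry.entrant_id in self.entries:
            return False
        self.entries[entry.entrant_id] = entry
        return True

    def can_contact(self, entrant_id: str, channel: str) -> bool:
        """Contact is allowed only where a positive consent for that exact channel was recorded."""
        entry = self.entries.get(entrant_id)
        return entry is not None and channel in entry.consent

    def draw_winner(self, week: int, rng: random.Random = random.SystemRandom()) -> Optional[str]:
        """Draw over the entries currently held, so an erased entrant is out of every later draw."""
        if not self.entries:
            return None
        entrant_id = rng.choice(sorted(self.entries))
        e = self.entries[entrant_id]
        self.winners.append(Winner(week, entrant_id, e.full_name, e.county))
        return entrant_id

    def erase(self, entrant_id: str) -> bool:
        """Right to erasure: drop the personal data, leaving a blank slot in the winners list."""
        removed = self.entries.pop(entrant_id, None) is not None
        for w in self.winners:
            if w.entrant_id == entrant_id:
                w.entrant_id = w.full_name = w.county = None
        return removed

    def purge_expired(self, today: date, promotion_end: date) -> List[str]:
        """Retention purge: entries older than RETENTION_DAYS go, but never before the promotion
        (including any wrap-up draw) has ended, because earlier weeks' data is needed until then."""
        if today < promotion_end:
            return []
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [i for i, e in self.entries.items() if e.received <= cutoff]
        for i in expired:
            del self.entries[i]
        return expired

    def winners_list(self) -> List[Tuple[int, str, str]]:
        """Publishable list: full name and county, or blank spaces where the winner was erased."""
        return [(w.week, w.full_name or "", w.county or "") for w in self.winners]


def run_example() -> dict:
    """Constructed scenario (fictional entrants): a three-week promotion with one erasure and a purge."""
    reg = EntryRegister()
    d = date(2018, 6, 1)
    reg.add_entry(Entry("e1", "Alice Example", "Kent", "alice@example.com", d, {"email": d}))
    reg.add_entry(Entry("e2", "Bob Example", "Devon", "bob@example.com",
                        d + timedelta(days=7), {"email": d, "post": d}))
    duplicate_refused = not reg.add_entry(
        Entry("e1", "Alice Example", "Kent", "alice@example.com", d + timedelta(days=8)))
    rng = random.Random(7)            # seeded only so the walk-through is repeatable
    first = reg.draw_winner(1, rng)
    reg.erase(first)                  # the week-1 winner asks for their data to be deleted
    second = reg.draw_winner(2, rng)  # only the remaining entrant can now win
    phone_allowed = reg.can_contact(second, "phone")   # nobody ticked a phone box
    email_allowed = reg.can_contact(second, "email")
    promotion_end = d + timedelta(weeks=3)
    too_early = reg.purge_expired(promotion_end - timedelta(days=1), promotion_end)
    purged = reg.purge_expired(promotion_end + timedelta(days=RETENTION_DAYS), promotion_end)
    return {"duplicate_refused": duplicate_refused, "second_winner": second,
            "phone_allowed": phone_allowed, "email_allowed": email_allowed,
            "too_early": too_early, "purged": purged, "winners": reg.winners_list()}


if __name__ == "__main__":
    print(run_example())
```

The draw deliberately runs over whatever is still stored, so honouring an erasure request automatically removes that person from later draws, as the text describes; the purge is gated on the promotion end date so that a one-entry-per-person clause or a Wrap Up draw can still be checked against earlier weeks’ data.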
Finally, your planning for GDPR should ensure that you now have policies on key topics such as password protection for your data, restricting access to sensitive data and making sure your physical office security is up to a suitable standard. All of these should now be a part of your daily office routines.