How to run GDPR compliant promotions

Abi Roman April 10, 2018

Nathaniel Perera, Legal Executive at PromoVeritas, writes about the effect the new General Data Protection Regulation (GDPR) will have on your next marketing promotion.

All of us should by now have heard about the new EU-wide GDPR legislation that dictates how personal data can be gathered, stored, processed and used. It comes into force on 25^th May 2018. In the case of prize promotions, the process might involve personal data obtained from collecting entries, storing it on your server, selecting a winner at random from the data, using it to contact winners and then to send winners’ their prizes or to transfer cash or for booking travel for holiday wins – the possibilities are endless. The data controller generally would be the brand, and their agencies or suppliers would be defined as the data processor – and both are liable for any breaches to the tune of up to €20 million or 4% of annual turnover.

The First Rule – Less is Best

Only gather the data that you actually need. If you only ever email winners why ask for their phone number? If they are ticking that they are over 18, is there a real need to ask for their data of birth? Not only is it a barrier to participation it risks making your data headache bigger than necessary.

The Second Rule – Consent Must Be Positive and Relevant

This is the end of pre-ticked boxes and complicated double negative consent. You need to be clear, precise and ensure that there is a separate consent box for each of the possible communication routes, e.g. one for email, one for phone, one for post etc. Store this data, it is vital to show valid consent.

The Third Rule – Processing data

You should only use the data either for the stated process or for a purpose that the consumer might reasonably have assumed. So if you gather data from consumers of your toothpaste but you then use it to offer car insurance, they would be right to be surprised and raise a formal complaint, but mouthwash would be okay. There is also the concern about how long you should store personal data – the law is not specific, it just says for no longer than is necessary for the performance of the relevant activity. We often get involved in promotions with weekly prizes that may run for 15 weeks. Technically the data from week one could be deleted once we have selected our winners, but there might be a need to hold onto it for longer if for example there was a clause in the terms saying ‘only one entry per person across the promotional period’, or there was a Wrap Up draw at the very end. Then it would be valid to hold onto the data from week one till the very end and a ‘reasonable time’ beyond that.

Deleting data

The second part of Less is Best, is getting rid of data. As part of our ISO27001 accreditation it is PromoVeritas’ policy to destroy all consumer entry data 6-12 months from receiving it, and we recommend this policy to all our clients. Processes need to be put into place to ensure that this is automated or carried out regularly.

One thing to note, under GDPR an individual, has the ‘right to erasure’ – the right to ask for their data to be deleted – and you must do this within one month of the request. If this is the case, for a long running prize promotion, then they are in effect excluding themselves from future opportunities to win in that promotion, unless they enter again, which may have been their plan anyway.

Winners Lists

Section 8.28.5 of the UK CAP Code requires promoters to make available the full name and county of major prize winners. Consent for this must be received at the time of entry – by agreeing to the Terms & Conditions which should include this requirement – and ideally ticking the relevant box. But the code also warns that “Prize winners must not be compromised by the publication of excessive personal information” – this means that, particularly for large or valuable prizes, they should not be easily identifiable. For now it is our policy is to include the full name and county of major prize winners but this might change in the future. Furthermore if a winner has asked for their data to be deleted you will have to post a winners list with blank spaces instead of a name.

Finally, your planning for GDPR should ensure that you now have policies on key topics such as passwords protecting your data, restricting access to sensitive data and making sure your physical office security is up to a suitable standard. All of these should now be a part of your daily office routines.

For further help with ensuring you are GDPR compliant, for a GDPR audit or help with the creation of appropriate policies, contact info@promoveritas.com or call 0203 325 6000. We would also like to invite you to our next free Breakfast Briefing on GDPR for Marketers on Wednesday 25^th April at 8.30am at Langan’s Brasserie, Mayfair W1 – to reserve a place email abi.roman@promoveritas.com.

« How to run a successful competition – our breakfast briefing LASL hero? Win a crate of beer or a £100 Sunglasses Hut voucher every week! »

Cookie	Duration	Description
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
_ga	0	1 year	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat_UA-15728851-3	0	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	0	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
bcookie	0	1 year	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
bscookie	1	1 year
csrftoken	0	11 months	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
GPS	0	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	1	1 year	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
ig_did	1	1 year
ig_nrcb	0	1 year
lang	0		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
li_sugr	0	2 months
lidc	0	1 day	This cookie is set by LinkedIn and used for routing.
lissc	0	1 year
mid	0	1 year	The cookie is set by Instagram. The cookie is used to distinguish users and to show relevant content, for better user experience and security.
test_cookie	0	11 months
u	0	2 months
UserMatchHistory	0	1 month
VISITOR_INFO1_LIVE	1	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	1		This cookies is set by Youtube and is used to track the views of embedded videos.