
How to run GDPR compliant promotions

Abi Roman April 10, 2018

Nathaniel Perera, Legal Executive at PromoVeritas, writes about the effect the new General Data Protection Regulation (GDPR) will have on your next marketing promotion.

All of us should by now have heard about the new EU-wide GDPR legislation that dictates how personal data can be gathered, stored, processed and used. It comes into force on 25th May 2018. In the case of prize promotions, the process might involve personal data obtained from collecting entries, storing it on your server, selecting a winner at random from the data, using it to contact winners and then to send winners their prizes or to transfer cash or for booking travel for holiday wins – the possibilities are endless. The data controller generally would be the brand, and their agencies or suppliers would be defined as the data processor – and both are liable for any breaches to the tune of up to €20 million or 4% of annual turnover.

The First Rule – Less is Best

Only gather the data that you actually need. If you only ever email winners, why ask for their phone number? If they are ticking that they are over 18, is there a real need to ask for their date of birth? Not only is it a barrier to participation, it risks making your data headache bigger than necessary.

The Second Rule – Consent Must Be Positive and Relevant

This is the end of pre-ticked boxes and complicated double negative consent. You need to be clear, precise and ensure that there is a separate consent box for each of the possible communication routes, e.g. one for email, one for phone, one for post etc. Store this data; it is vital to show valid consent.

The Third Rule – Processing data

You should only use the data either for the stated process or for a purpose that the consumer might reasonably have assumed. So if you gather data from consumers of your toothpaste but you then use it to offer car insurance, they would be right to be surprised and raise a formal complaint, but mouthwash would be okay. There is also the concern about how long you should store personal data – the law is not specific, it just says for no longer than is necessary for the performance of the relevant activity. We often get involved in promotions with weekly prizes that may run for 15 weeks. Technically the data from week one could be deleted once we have selected our winners, but there might be a need to hold onto it for longer if for example there was a clause in the terms saying ‘only one entry per person across the promotional period’, or there was a Wrap Up draw at the very end. Then it would be valid to hold onto the data from week one till the very end and a ‘reasonable time’ beyond that.

Deleting data

The second part of Less is Best is getting rid of data. As part of our ISO27001 accreditation it is PromoVeritas’ policy to destroy all consumer entry data 6-12 months from receiving it, and we recommend this policy to all our clients. Processes need to be put into place to ensure that this is automated or carried out regularly.

One thing to note: under GDPR an individual has the ‘right to erasure’ – the right to ask for their data to be deleted – and you must do this within one month of the request. If this is the case, for a long running prize promotion, then they are in effect excluding themselves from future opportunities to win in that promotion, unless they enter again, which may have been their plan anyway.

Winners Lists

Section 8.28.5 of the UK CAP Code requires promoters to make available the full name and county of major prize winners. Consent for this must be received at the time of entry – by agreeing to the Terms & Conditions which should include this requirement – and ideally ticking the relevant box. But the code also warns that “Prize winners must not be compromised by the publication of excessive personal information” – this means that, particularly for large or valuable prizes, they should not be easily identifiable. For now our policy is to include the full name and county of major prize winners but this might change in the future. Furthermore, if a winner has asked for their data to be deleted you will have to post a winners list with blank spaces instead of a name.

Finally, your planning for GDPR should ensure that you now have policies on key topics such as passwords protecting your data, restricting access to sensitive data and making sure your physical office security is up to a suitable standard. All of these should now be a part of your daily office routines.

For further help with ensuring you are GDPR compliant, for a GDPR audit or help with the creation of appropriate policies, contact info@promoveritas.com or call 0203 325 6000. We would also like to invite you to our next free Breakfast Briefing on GDPR for Marketers on Wednesday 25th April at 8.30am at Langan’s Brasserie, Mayfair W1 – to reserve a place email abi.roman@promoveritas.com.
