Loyalty Program with GDPR

The General Data Protection Regulation (GDPR) has been a hot topic since 2016, when the regulation was adopted. Now the official implementation of GDPR is right around the corner, and global fashion brands and retailers doing business in Europe are rushing to update their data policies to avoid the heavy fines associated with non-compliance.

As a third-party loyalty solutions provider, we know how important customer data is in loyalty and marketing strategies alike. That’s why our team has been working with our fashion clients to prepare for the upcoming changes. This post shares some of the most common concerns we’ve encountered during this transition phase, in both online and offline fashion commerce, and sheds light on how we’re handling the changes here at Antavo. It is by no means a comprehensive analysis of the regulation, but rather intends to serve as a guide to ensuring compliance by May 25, 2018, the date GDPR comes into effect.

Which companies are affected by GDPR?

Anyone handling the data of any EU nationals. GDPR affects even those fashion brands and retailers with only a handful of EU nationals among their customer base.

Furthermore, if you have any partners or subcontractors with access to your customers’ personal data, they will also have to comply with the new regulation.

What are the main areas of concern with regard to data privacy?

In talking with our own retail clients and reviewing the regulation in general, we’ve noticed that there are several topics which retailers have expressed their concern about. Those topics are:

Consent

You must make sure that you have a legal ground for forwarding your customers’ personal data to a third-party provider. In the case of a loyalty program, the legal ground is consent: your customers must give their consent for you to forward their personal data to a loyalty provider.

[Image: GDPR anti-example]

GDPR states that users must give clear opt-in consent for their data to be stored, which means that pre-ticked boxes are not compliant with the new regulation.

Data minimization

GDPR states “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” Although the definition of “relevant” doesn’t go much further than this, the idea is that all data stored should directly serve the purpose of the data processing you were given consent to carry out. At Antavo we make sure our clients forward only the data that serves the purpose of the consent given.

Right of access

Consumers will be able to ask any given retailer to show which of their personal data is being used. The reason behind this right is for consumers to be able to “verify the lawfulness” of said data use.

Right to be forgotten / Right to erasure

Individuals will now be able to request the deletion or removal of personal data in the case that there is no compelling reason for that data to remain and be processed. This request can also be made when a consumer withdraws their consent or when data was unlawfully processed (not in compliance with GDPR).

Remaining compliant

Becoming compliant is only half the battle. Staying compliant will remain a challenge as you create new communication, make marketing changes, and work with new suppliers.

So, how do data privacy concerns affect loyalty strategy?

A functional loyalty strategy requires rich data. Loyalty programs are also a source of data collection, which allows new functions and communications to be used. However, just because there is a tight connection between loyalty and data doesn’t mean you need a complete revamp of your program. You can stay compliant by making adjustments to your current communication and to your opt-in and opt-out policies.

The key to keeping compliant is ensuring that members can only become (or remain) members of a loyalty program if they have given explicit consent for both your own organization and any third parties to process their personal data.

Working with third parties as GDPR comes into effect

One unique thing that sets GDPR apart from previous directives and regulations is that data protection must be maintained wherever data flows. Not only is the retailer expected to stay compliant, but any third parties partnering with the company can also be penalized for non-compliance. That means fashion retailers need to know precisely how data is being handled by each provider.

[Image: GDPR example registration form]

If you forward your customers’ personal data to a third-party provider in order to serve them with a loyalty program, you must ask for your customers’ clear consent. A checkbox to opt-in is not sufficient anymore.


Our best advice is to ask the third parties you’re working with how they are reacting to the upcoming changes. And if you’re one of our clients or are considering our loyalty management platform, keep reading to get an overview of how we’re approaching GDPR, and please feel free to contact us with any further questions.

How is Antavo handling the changes?

The Antavo team is working with clients to ensure that all policies are met, consulting with lawyers in several countries of the European Union. All of our clients’ loyalty programs are under review and are being updated in compliance with GDPR.

We do not store credit card or other payment details at Antavo. For all data requests, we can provide information upon request in a commonly used format within one month at no charge.

We can delete all personal data stored for a particular customer upon request. This, however, also means the customer will be opted out of the program. One consequence customers should be aware of is that if they decide to opt in again later, their points and activities will be lost.

Finally, our internal Data Protection Officer is working alongside our clients to review how they communicate the loyalty program to their customers, to assist in making policy transitions as smooth as possible by May 25, when the regulation officially kicks in.

So, to sum things up, here is a handy GDPR checklist for you:

[Image: GDPR loyalty data checklist]

If you’re planning to start a loyalty program this year, or are considering how to update your current program in time for the GDPR implementation date, contact us to learn how we’re working to ensure clients keep getting great results from their loyalty programs while maintaining full compliance.

Jessica Mizerak
Jessica is an expert on all topics related to customer loyalty, helping fashion and retail companies to learn more about their possibilities in CRM and customer retention, so they can launch successful loyalty programs. Fun fact: in her free time, she loves to dance, paint teddy bears, and learn Russian.