GDPR – what it means for retailers and their loyalty schemes

November 30, 2017

GDPR is coming and it’s about to change how all retailers obtain and manage data. Yoyo’s compliance and data protection officer, Katarina Hartikainen, explains the fundamentals of what GDPR is, as well as how it will affect retailers running a digitally-led loyalty programme.


It’s a wonderful digital life

We all live digitally-led existences. Through our smartphones, we talk to our friends on social media, we shop online, we find directions and book trains and flights, we set alarms to wake us up, we take pictures, listen to music and watch videos, and we write and send messages and emails on the go.

We now also pay for goods, earn loyalty points and receive rewards in-store via mobile.

There is no doubt that digitally-led experiences have slotted themselves seamlessly into our daily lives. Take a person’s smartphone away and you can expect some “real physical withdrawal symptoms”, according to some academic research.

These digital experiences that take place around the clock are meant to add value to the daily lives of consumers. For this to work, they require personal data – and lots of it!

According to IBM Marketing Cloud, we now create more than 2.5 quintillion bytes of data every day. Take Facebook and Twitter alone. In just one minute, 510,000 comments are posted on Facebook and 455,000 tweets go live on Twitter.

“People, businesses, and devices have all become data factories that are pumping out incredible amounts of information”, IBM Marketing Cloud adds.

And while retailers are quick to jump on the data bandwagon, using our personal information to deliver marketing campaigns that better engage and retain customers, the protection of all this personal data is not always front-of-mind.

Why is this important now?

The UK’s Data Protection Act 1998 was drafted before the exponential growth of the internet and is now widely considered to be not fit for purpose.

Personal data is being used in ways that were never envisaged 20 years ago – think online behavioural advertising, social media and digital loyalty programmes, to name but a few – and most people are totally unaware of what happens to the personal data they purposely or inadvertently share.

As a response to this, in 2016 the EU adopted the General Data Protection Regulation (GDPR), giving its member states two years to ensure that it is fully implemented in their countries by May 2018 (GDPR will come into effect in the UK on 25 May 2018).

The objectives of GDPR:

  1. Protect the fundamental rights and freedoms of individual persons
  2. Protect free movement of personal data within the EU

In essence – the protection of our personal data.

What is personal data?

Under the new GDPR framework, personal data is defined as any information relating to an identifiable person who can be identified directly or indirectly by an identifier such as a name, an identification number, location data or an online identifier. Think online profile details, user bank details, a name on a physical loyalty card to name but a few.

Here are two examples:

1. A mobile phone number can be considered personal data – it belongs to an individual (or ‘data subject’). However, a home landline number may not be considered personal data – it could belong to multiple individuals.

2. A business email address that includes an individual’s name is considered to be personal data, but a generic email address is not.

Under GDPR, “Sensitive Personal Data” will also be protected, under the new name “Special Categories of Personal Data”.

This includes: biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health condition, sex life or sexual orientation, and genetic data.

Here are two examples:

1. An employee sends an email to their manager saying they cannot come in because they have the flu. This would be classified as data about a physical or mental health condition.

2. The HR team might ask employees about their racial or ethnic origin in order to protect staff from discrimination in the workplace.

What does GDPR mean for retailers and their loyalty programmes?

Consent, Security and Access Rights – these are the three most important issues that retailers who run a loyalty programme will need to address when GDPR becomes UK law.


When any form of personal data is collected for the purposes of running a loyalty programme, a ‘legal basis’ for processing it needs to be identified – consent being one of the most commonly used.

How will consent work under GDPR?

When a new customer signs up to a loyalty scheme they are typically asked to fill in a card or enter personal information on a website or mobile app – typically this consists of their name, email address and home address.

The customer agrees to the terms and conditions and reads the privacy notice, where the reasons for processing are stated – once that is done, they can start collecting loyalty points.

So far so good.

But what happens when your marketing department wants to send out comms targeting customers, aimed at encouraging them to buy a shiny new product?

Freely given and unambiguous consent has typically been required before marketing emails can be sent to customers. In practice, this means that when signing up to a service, the customer consents (or not) by ticking a box indicating whether they wish to receive marketing material.

What will retailers and their marketing teams need to do to be allowed to continue using this collected personal data after the GDPR deadline on 25 May 2018?

Retailers might want to use their current personal data (such as email addresses) to get customers to ‘consent to marketing material’ before the deadline. After this date, email addresses held without consent will become useless – retailers will not be allowed to use this data for marketing campaigns where consent is the chosen legal basis for processing.


Anonymisation of personal data is one of the best security measures for retailers concerned about GDPR. If personal data is unidentifiable, the retailer can keep it for as long as they like.

How do you secure personal data?

GDPR leaves this decision to each individual data controller (retailer). At present, the regulation does not go into very much detail.

One solution could be to separate personal and non-personal information, creating two different sets of data. This will help to preserve anonymity when analytics tools are used for marketing purposes.
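As an added illustration of that separation, and of the consent point above (example code written for this article, not Yoyo’s own system), the following Python splits constructed loyalty sign-up records into an identity table and an analytics table joined only by a random pseudonymous ID; the field names, the classification of fields and the sample members are assumptions.

```python
import secrets

# Constructed sample sign-up records for a loyalty scheme (fictional members).
SIGNUPS = [
    {"name": "Alice Example", "email": "alice@example.com", "home_address": "1 Test Street",
     "marketing_consent": True, "points": 120, "store": "Leeds", "visits": 7},
    {"name": "Bob Example", "email": "bob@example.com", "home_address": "2 Test Street",
     "marketing_consent": False, "points": 40, "store": "York", "visits": 2},
]

# Assumed field classification: direct identifiers and the consent flag stay in
# the identity table; everything else is non-identifying analytics data.
IDENTITY_FIELDS = {"name", "email", "home_address", "marketing_consent"}


def split_records(signups):
    """Split sign-ups into an identity table and an analytics table.

    Both tables are keyed by a random pseudonymous ID that is not derived from
    the data (no hash of the email), so the analytics table on its own names
    nobody. It stays non-identifying only while the identity table is held
    separately; deleting a member's identity row leaves their analytics row
    unattributable.
    """
    identity, analytics = {}, {}
    for rec in signups:
        pid = secrets.token_hex(16)
        identity[pid] = {k: v for k, v in rec.items() if k in IDENTITY_FIELDS}
        analytics[pid] = {k: v for k, v in rec.items() if k not in IDENTITY_FIELDS}
    return identity, analytics


def points_by_store(analytics):
    """Marketing analytics that need only the non-personal table."""
    totals = {}
    for rec in analytics.values():
        totals[rec["store"]] = totals.get(rec["store"], 0) + rec["points"]
    return totals


def marketing_audience(identity):
    """Emails usable for a campaign where consent is the legal basis: only
    members who ticked the box are returned; everyone else is excluded."""
    return sorted(rec["email"] for rec in identity.values() if rec["marketing_consent"])


if __name__ == "__main__":
    identity_tbl, analytics_tbl = split_records(SIGNUPS)
    print(points_by_store(analytics_tbl))     # {'Leeds': 120, 'York': 40}
    print(marketing_audience(identity_tbl))   # ['alice@example.com']
```

The analytics table can be handed to marketing tooling on its own, while the identity table (and the consent flags in it) stays under tighter access control.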

Access (rights of the individual)

Currently, any individual who makes a written request is entitled to be told whether or not their personal data is being processed by a retailer. In practice, this means they’re entitled to a full copy of the information you have about them, as well as the source it came from.

Many retailers will say this is nothing new – data controllers are already obliged to provide this type of information when requested.

How will access rights change under GDPR?

At present, a £10 fee applies to any individual who asks a retailer to see their personal data, which many see as blatant discouragement. This fee will be removed on 25 May 2018.

Secondly, most individuals are unaware of this right. Over the coming months, several large EU-backed campaigns will be launched to raise awareness of it. Retailers running a loyalty programme should start preparing for these requests now!

How? By simply creating a form for this type of request, reviewing what personal information you currently hold on record, and deleting anything that does not have a purpose – this will make the reporting process far easier when the initial influx of requests comes through.

Retailers will also need to assess the adequacy of the way personal information is being processed by third-party suppliers, and ask some fundamental questions: are these third-party processors based in the EU, and is there a safeguarding contract in place? Are they GDPR ready? Based on the answers, some processors may need to be replaced.

Why is it important to start preparing now?

After 25 May 2018, once an individual’s request has been submitted, a retailer will only have one month to reply. If this information is not provided, the individual can complain to the Information Commissioner’s Office – and no-one will want to get on their radar once GDPR has landed!