GDPR Compliance for your Contests, Sweepstakes and Quizzes


Marketers, you should know that May 25, 2018 is a big day. No, it’s not because it was the release of Star Wars: A New Hope (1977) or Return of the Jedi (1983) or even SOLO: A Star Wars Story (2018). It’s the date that the European General Data Protection Regulation (GDPR) is set to go into effect.

What does GDPR mean for you? If your business is based in the EU, or you process the personal data of individuals located in the EU, then you need to comply with the regulation. Even if your business is located outside the EU, if you have customers in the EU you need to be GDPR compliant. Don’t worry, My Brother Darryl has you covered. This post will help you make sure your forms and email lists are compliant, including steps you should take RIGHT NOW so that you can continue collecting personal information and sending email to current subscribers.

What is the GDPR?

The General Data Protection Regulation is an initiative of the EU that has wide-reaching impacts outside of Europe. The GDPR is designed to protect European citizens and their personal data, even when a company outside EU borders collects it.

There are three GDPR requirements you should pay particular attention to when collecting data.

  1. Stricter consent requirements (consent must be both explicit and verifiable);
  2. Increased rights for individuals (individuals have more power over how their data is used); and
  3. More transparent data-use information (businesses must provide more information on how they plan to process or use the data).

Quick Definitions

What is “Personal” Data?

Personal data is any data associated directly with an identified individual, such as name, address, and IP address. Personal data also includes any data that, alone or combined with additional data, could identify a specific individual.

What does “processing” data mean?

In short, anyone who personally, or on behalf of someone else, collects, organizes, transmits, updates, stores, deletes or otherwise uses or works with the personal data of individuals is considered to be processing data.

Who is a Data Controller?

A natural or legal person or entity who, alone or jointly with others, determines how personal data is, or will be, processed.

Who is a Data Processor?

A natural or legal person or entity charged with the processing of personal data on behalf of a data controller.

How do I comply with the GDPR?

First, you don’t have to stop all your marketing activities in the wake of GDPR. You should just take some initial steps before launching your next campaign, and if you don’t collect, organize, transmit, update, store, delete or otherwise use or work with the personal data of individuals located within the EU, you don’t need to worry.

Canada currently enjoys “adequacy status” with EU data protection regulators, which means the EU accepts that Canada is doing enough to protect the digital rights of citizens. However, this is going to be reviewed in light of the new laws, and it will be important for Canada to maintain this status. Canada’s Privacy Commissioner has suggested Canada will be adopting a stance more consistent with the GDPR.

1. Understand and Document the Data you collect

Personal data may sound quite obvious, but you already hold information about your customers from day-to-day online interactions that falls under the GDPR. When running a contest or giveaway, you’re going to collect personal information, but remember the law isn’t just about name and address. An IP address, or any other data that can lead back to an individual, is considered personal information.

Under the GDPR, controllers have to document what kind of data they gather and why. This documentation should outline what kind of personal information you collect, why, and from whom. It should also state how long you keep the information: the GDPR says data may only be kept as long as necessary, after which it must be deleted or made anonymous.

2. Get Consent for Data Collection

People must “opt in” to have sensitive personal data collected (have you noticed the notices showing up on your favourite sites?). This consent must be specific, informed, unambiguous and freely given. That means your terms and conditions have to make sense and be understood by someone who doesn’t know the legal terminology.

If you’re running a contest, quiz or giveaway in multiple countries including the EU, we suggest you ask entrants which country they are from. You can then present EU residents with an explicit action that gives consent to the collection of their information.

3. Create Procedures for Data Requests

The GDPR gives individuals the right to request the data you hold about them. Because of this, you’ll need a secure process to hand over this information quickly and easily. You must provide this data to users within one month of their request.

What are the Penalties for Non-Compliance?

Failure to comply with the GDPR can result in a fine of up to 4 percent of annual revenue or €20 million, whichever is greater. These are the maximum penalties and likely won’t be levied in every case, but they do show how seriously the EU takes this new regulation.

How My Brother Darryl Can Help

By complying with the GDPR, you can give your customers even more confidence in your trustworthiness and transparency as an organization. You can still have fun creating contests, sweepstakes, quizzes and giveaways – while complying. Why not also brush up on whether your contest or sweepstakes is legal?