What Must Convenience Retailers Do to Ensure their Customer Program is GDPR Compliant

Mads Moerk, CFO Liquid Barcodes

31/01/2018

This article was originally published in Global Convenience Store Focus.

The EU’s new General Data Protection Regulation (GDPR) legislation on data protection and privacy comes into force in less than 7 months in May 2018 and has a wide range of consequences for all retailers, especially concerning the customer data they collect. In this special feature, as Liquid Barcodes CFO & DPO Mads Mørk explains, retailers collecting data will be ‘data controllers’ under GDPR. And this means increased responsibilities for our industry.

By Mads Mørk, CFO & DPO, Liquid Barcodes

What must convenience retailers do to ensure their customer program is GDPR compliant? If you are a CEO, there are 9 questions on GDPR you should ask your marketing, legal and IT team.

What personal data do we possess?

Getting an overview of what personal data is in your possession is probably the best place to start your work on GDPR compliance. In GDPR terminology, personal data is defined as any information relating to an identified or identifiable natural person. This is a broad definition. Hence, a wide range of customer data should be considered personal data. Identification of a person can be indirect. The GDPR lists a range of data that can identify persons. Of special interest to retailers is location data. For example, if customers leave a trail at the POS, your transaction data should be treated as personal data because the data can reveal the location of customers at specific times.

Can we avoid collecting sensitive personal data?

Sensitive personal data is treated more strictly under GDPR than personal data. Sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sexuality. If you can avoid having such data in your possession, it will be easier to be GDPR compliant.

How do we use pseudonymization and encryption to increase data security?

The trend of collecting and storing ever more customer data poses a challenge in the context of GDPR. The GDPR requires you to have full control of access to and integrity of your data. Pseudonymization and encryption are tools to alleviate these problems. Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. An example is replacing customers’ phone numbers on the above-mentioned receipt data with a random user ID. Encryption renders data unreadable without the encryption key. We advise you to pseudonymize all customer data except for modules that handle direct communication with customers. For example, the part of your system sending SMS to customers needs phone numbers, but the module handling statistics most likely does not. Databases that contain data which can directly identify customers, for example member profile data with phone numbers, and databases with large amounts of data, such as an archive with pseudonymized data, should be encrypted.
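The split described above, as an added example that is not from the original article or from Liquid Barcodes' platform: receipt data gets a random user ID in place of the phone number, and only the SMS path can resolve the ID back. The names `IdentityVault`, `pseudonymize_receipts`, `visits_per_user` and `sms_recipients`, and the sample receipts, are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

class IdentityVault:
    """Phone <-> user ID mapping: the 'additional information' needed to
    re-identify. Assumed to live in its own encrypted, access-controlled store."""

    def __init__(self):
        self._id_by_phone = {}
        self._phone_by_id = {}

    def pseudonym_for(self, phone):
        # Random ID rather than a hash: phone numbers are few enough that an
        # unkeyed hash could be reversed by trying every number.
        if phone not in self._id_by_phone:
            uid = secrets.token_hex(16)
            self._id_by_phone[phone] = uid
            self._phone_by_id[uid] = phone
        return self._id_by_phone[phone]

    def phone_for(self, user_id):
        return self._phone_by_id[user_id]

def pseudonymize_receipts(receipts, vault):
    """Return copies of the receipts with 'phone' replaced by 'user_id'."""
    return [
        {**{k: v for k, v in r.items() if k != "phone"},
         "user_id": vault.pseudonym_for(r["phone"])}
        for r in receipts
    ]

def visits_per_user(pseudonymized):
    """Statistics module: works on stable IDs, never sees a phone number."""
    return Counter(r["user_id"] for r in pseudonymized)

def sms_recipients(user_ids, vault):
    """SMS module: the only code path that resolves IDs back to numbers."""
    return [vault.phone_for(u) for u in user_ids]

# Constructed sample receipts (not real customer data).
RECEIPTS = [
    {"phone": "+4700000001", "store": "S-12", "time": "2018-01-30T07:15", "total": 4.5},
    {"phone": "+4700000002", "store": "S-12", "time": "2018-01-30T07:40", "total": 9.0},
    {"phone": "+4700000001", "store": "S-03", "time": "2018-01-31T17:05", "total": 2.5},
]
```

The pseudonymized receipts still carry store and time, which the article treats as location data, so the archive holding them is still encrypted as the paragraph advises.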

What about our suppliers – are they on track with GDPR?

As data controller, you are also responsible for data in the possession of your suppliers, or Data processors in GDPR terminology. You need to list all suppliers in your privacy policy. You should review your data processor agreements. You must also approve your suppliers’ sub-suppliers before they can begin to process your data.

Do we have an efficient system for handling rights of data subjects?

The rights of Data subjects are more extensive under GDPR. The GDPR also requires you to answer requests from Data subjects within 1 month (extension possible in certain cases). Retailers should aim to give all necessary information to Data subjects through ‘My page’ solutions behind secure login mechanisms.

Have we recorded active consents from all registered customers?

Consent is the primary legal basis for handling personal data for retailers. Under GDPR, consent must be active and consent texts must use clear and plain language. You must record consents so that you can prove that active consent has been given. Extra attention is placed on communication towards children (13-16 years, depending on member state). We advise putting age limits on signing up to avoid communicating towards children.

Be aware that activities involving automatic profiling of customers and geo location data require specific consents in addition to the main customer consent.

Does our privacy policy give the necessary flexibility in our marketing activities?

Since consent regulations have become stricter, it is more important than ever to ensure that your privacy policies cover the activities you are most likely to do. For example, make sure to collect consent to send marketing SMS and emails, with an opt-out option, even if you collect phone numbers or emails through your app.

Privacy policies will become an arena where you can demonstrate your seriousness in dealing with data protection and privacy, while using language in line with your brand image. Take that opportunity.

What is our process for handling data breach incidents?

A data breach is an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In case of data breach incidents, you may be required to inform your supervisory authority and your customers. There is a list of criteria specifying when you need to disclose data breach incidents.

However, your suppliers, the Data processors, should always inform you about data breach incidents.

How do we train our organisation on GDPR to ensure continuous compliance?

GDPR places great emphasis on data security and the legal basis for your communication towards customers. In practice, employees in many different departments, such as marketing and IT, will be responsible for implementing and complying with these regulations.

Therefore, it is vital that you establish training schemes to teach GDPR to the organisation. For example, the IT department must ensure that new development tasks are compliant with GDPR. Do we collect new information? Do we store data in a new way? The marketing team must know when to tread carefully when discussing new campaign ideas. Is this activity covered by our existing privacy policy? Do we need automatic profiling or geo location consent?

Disclaimer: this article is not meant as legal advice. You must seek advice from your legal advisors to ensure complete compliance with GDPR as this can vary from company to company.

