How to Keep Your Prize Promotion Data Protection Compliant

Cyber-attacks and data theft have made the headlines more than once this year, most often because the companies involved did not have an adequate level of protection in place. TalkTalk received a record £400,000 fine from the ICO last year for failing to implement sufficient cyber security measures, after attackers stole the personal data of almost 157,000 customers. The NHS cyber-attack in May this year was attributed largely to outdated, unpatched systems. And with the EU’s General Data Protection Regulation (GDPR) coming into force in the UK on 25 May 2018, brands must ensure they have sufficient measures in place to comply.

Data protection does not apply only to big companies and brands. Anyone storing or processing personal data must also abide by GDPR, so if you are running a prize promotion this applies to you, too. Here are a few points you must take into account when organising a prize draw or competition.

  1. Consent. You must obtain consent from entrants before contacting them after the promotion, for example to send a newsletter. Consent must be freely given and expressed through a clear, affirmative action. Contacting a winner to award the prize is part of administering the promotion itself. HOWEVER, you must make it clear to all entrants at the point of entry how you intend to use their data. Each specified purpose must be clearly set out in the Ts&Cs, and any third parties processing the data on your behalf (data processors) must be named. Also check that you have a privacy policy in place and that it is up to date. If you wish to use entrants’ information to contact them after the promotion, with a monthly newsletter for example, you must obtain a positive opt-in from them, such as an unticked box at the point of entry with the intention clearly set out beside it. Pre-ticked boxes and opt-outs do not count as consent.
  2. Encryption: encrypt personal data wherever it is stored and whenever it is sent. GDPR lists encryption among the appropriate technical measures, and it is what limits the damage when a laptop is lost or an email goes to the wrong address. If you are collecting data to share with a prize fulfilment agency, do not send it without that protection. Where a file is protected by a passphrase, use a long, randomly generated one rather than a short word dressed up with capitals, digits and symbols: length and randomness are what make it hard to crack. Share files via a secure transfer service only. Never send the passphrase along with the file; provide it separately, preferably by phone. Data should be stored on a secure, encrypted server, not on your desktop or a BYOD (Bring Your Own Device) laptop, both of which increase the risk of data theft. Give access to these files only to the employees who need it to fulfil the stated purpose(s), and remove that access when they no longer do. Ensure all of your company’s computers run up-to-date anti-virus software and have the latest security updates installed, since unpatched vulnerabilities are what attackers exploit first.
  3. Data sharing agreement: if you are using a third-party agency for prize fulfilment, ensure you have a written data processing contract in place with them; GDPR requires one. It should reiterate the purpose(s) for which they will process the data, set out how they will protect it, and confirm when they will destroy it. Personal data must be processed fairly and lawfully, and not for any purpose other than the one(s) communicated to individuals at the point of entry.
  4. Destroying data: personal data should not be kept for longer than necessary. Depending on the number of winners and the nature of the prizes, all prizes may be claimed within a few days or a few weeks. Data processors should securely delete the data once the specified purpose(s) have been achieved. Bear in mind, however, that a consumer can complain to the Advertising Standards Authority (ASA) for three months after the promotion’s closing date. Where prizes are fulfilled quickly, it is recommended that the data controller keep the sole copy of the data for that period, then securely delete it.
  5. International transfers: if you are planning an international prize promotion with participating countries worldwide, you must do so within the Data Protection Act’s rules. Currently, data should not be transferred to any country outside the European Economic Area (EEA) unless that country guarantees an adequate level of protection for the individuals whose data will be processed. Under GDPR, transfers outside the EEA may be made where the European Commission has decided that the third country, territory or a specific sector within it ensures an adequate level of protection. Where no such decision exists, appropriate safeguards, such as the Commission’s standard contractual clauses, must be in place between the data controller and the overseas data processor.

Much has been reported on GDPR in recent months, not all of it accurate, which can be rather disconcerting. Do not be dismayed. The ICO has a good selection of articles sorting fact from fiction on its website. And if we can assist with a prize promotion you are running, please drop us a line at

© Prizeology and The Prizeologist Blog, 2018. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited.
