Mastering GDPR: Navigate Through The Tricky Laws Adeptly

In 2018, the European Union introduced the General Data Protection Regulation (GDPR), a pivotal set of rules designed to safeguard consumer rights and protect their personal data. 

These regulations are stringent and impose strict requirements on companies for the collection, processing, and deletion of personal data, including email addresses and the cookies used for retargeting on websites.

At the heart of GDPR are the following fundamental principles:

  1. Lawfulness, Fairness, and Transparency: All data processing must be carried out within legal boundaries, with fairness and transparency as guiding principles.
  2. Purpose Limitation: Data collection must have a clear, specified, and legitimate purpose.
  3. Data Minimisation: Companies should only collect data necessary for the intended purpose, avoiding excessive data gathering.
  4. Accuracy: It is imperative to maintain accurate and up-to-date data.
  5. Storage Limitation, Integrity, and Confidentiality: Data should only be retained for the necessary duration, stored securely, and treated with the utmost confidentiality.
  6. Accountability: Organisations are held responsible for their own data practices and those of their vendors, even when using cloud-based services.


GDPR compliance can be organised around a comprehensive checklist of 12 key points, and compliance is a vital aspect of business operations.

For a company operating as an FMCG business and running campaigns in the EU using first-party consumer data, GDPR compliance isn’t merely a legal obligation; it’s a cornerstone of the business’s survival.

Protecting your consumers’ data and privacy is not just a legal requirement; it’s a crucial element of trust-building. Adhering to GDPR demonstrates your commitment to transparency and respect for your customers’ personal information.

In this article, we’ll provide you with the essential insights to navigate the intricacies of GDPR, ensuring your business thrives in an era where data protection is paramount.

Compliance Is Indispensable for FMCG Giants

The importance of GDPR compliance cannot be overstated for these industry leaders. First and foremost, FMCG companies are data powerhouses. They gather and process extensive consumer information through different channels and sources, including first-party sources such as consumer receipts.

GDPR sets forth stringent rules for data protection, requiring explicit consent for data collection and demanding uncompromising security measures for data storage and transmission. In this fiercely competitive arena, non-compliance can translate to more than just fines: it can mean a damaged reputation and the loss of priceless customer trust.

Moreover, FMCG companies often have a global footprint, so they must adeptly navigate the intricate landscape of international data protection regulations.

GDPR, with its high data protection standards, serves as both a guide and a benchmark. Compliance not only ensures adherence to European regulations but also establishes a robust framework for a company’s global data protection practices.

In essence, GDPR is a pivotal driver for FMCG companies, offering the dual benefits of data security and a competitive edge in a world where consumer trust is paramount.

Treating GDPR as the global benchmark simplifies data management and ensures that companies are prepared to adapt to other emerging data protection laws worldwide. Ultimately, GDPR compliance is not just a legal obligation but a strategic business imperative for FMCG companies. It safeguards customer trust, mitigates risks, and fosters responsible data management practices in an increasingly data-driven industry.


Data Protection For Brand Activations

FMCG (Fast-Moving Consumer Goods) companies running brand activations under GDPR must navigate several potential pitfalls to ensure compliance and protect consumers’ personal data. Here are some common challenges they may encounter:

  1. Data Security Risks: Storing and processing vast amounts of consumer data can make FMCG companies susceptible to data breaches or leaks. Insufficient security measures can lead to unauthorised access, putting consumer data at risk.
  2. Consent and Transparency: Obtaining explicit consent for processing data collected from consumers can be challenging. Ensuring consumers are fully aware of what data is collected, how it will be used, and their rights can be complicated.
  3. Data Minimisation: FMCG companies must collect only the data necessary for the purpose of their campaign. Over-collecting data can lead to GDPR non-compliance, as consumers may question the relevance of certain information to their purchases.
  4. Data Subject Rights: Managing data subject requests, such as access, rectification, or erasure, can be complex. FMCG companies must have efficient procedures in place to respond promptly to such requests and verify the data subject’s identity.
  5. Data Retention Time: Establishing clear data retention policies for consumer data is essential. Keeping data longer than necessary for campaign purposes can lead to GDPR violations. However, ensuring compliance while maintaining data for audit or legal purposes can be challenging.
  6. Third-Party Processing: If FMCG companies engage third-party service providers for receipt processing campaigns, they must ensure these vendors comply with GDPR. This involves thorough vetting, contractual agreements, and audits to guarantee data protection.
  7. Cross-Border Data Transfers: Handling data across multiple countries within the EU and EEA can be complex. FMCG companies must be aware of cross-border data transfer restrictions and ensure data is adequately protected in such cases.
  8. Data Mapping and Inventory: Maintaining a comprehensive record of all collected, processed, and stored data is essential for GDPR compliance. Not having a clear inventory can lead to oversights and non-compliance.
  9. Data Breach Notification: FMCG companies must have procedures in place to notify both data protection authorities and affected individuals of data breaches within 72 hours. Failing to report violations promptly can result in severe penalties.
  10. Legal Jurisdiction and Jurisprudence: FMCG companies must stay abreast of evolving GDPR regulations and legal interpretations, which can vary across EU member states. Failing to adapt to changing regulations and court decisions can result in compliance lapses.
  11. Consumer Trust: Mishandling consumer data can erode trust. FMCG companies must maintain a positive brand image by committing to data privacy and security.


To address these challenges, FMCG companies should conduct thorough data protection impact assessments, implement robust security measures, and seek legal counsel to ensure GDPR compliance in their brand activations. Regular monitoring, audits, and updates to policies and procedures are essential to mitigate these potential pitfalls.


Acquire Consumer Data Through Receipts, With Full GDPR Compliance

We use our receipt processing engine to acquire first-party consumer data for our partners, in full compliance with GDPR. Here’s how the process works. We use brand activations to incentivise consumers to participate, rewarding them for the marketing actions they complete. The marketing action is usually a purchase, and our receipt processing engine validates that the consumer has bought the brand’s product.

The consumer simply buys the brand’s campaign product, then participates by uploading the purchase receipt to the campaign platform. Our engine validates or rejects the participation based on the receipt, then rewards the consumer. That is the campaign journey. Behind the scenes, the receipt processing engine extracts the shopper insights from the receipts; this information, combined with the personal data the consumer submitted when participating, is collected and transferred to the database. All data is collected under the brand’s ownership in compliance with GDPR, and Justsnap processes the raw data in the role of “data processor” in accordance with GDPR. This is how we enrich our partners’ CRM systems.

Key Points for GDPR Compliance

Here are the key points that we adhere to, as our partners’ designated data processor, in order to remain compliant with GDPR.


Data Collection:

  1. Consent: We ensure to obtain explicit and informed consent from individuals before collecting their personal data. Consent should be clear, specific, and revocable, allowing individuals to change their preferences anytime.
  2. Transparency: Transparency is paramount. We provide easily understandable privacy notices on online campaigns, detailing what data is collected, why it’s collected, and how it will be used. We clearly state the legal basis for processing the data.
  3. Data Minimisation: We only collect the data strictly necessary for the purpose at hand and avoid gathering excessive or irrelevant information.


Data Processing:

  1. Lawful Basis: We ensure that there is a lawful basis for processing personal data. This could be consent, the necessity of fulfilling a contract, legal obligations, vital interests, performing tasks in the public interest, or legitimate interests. Data should only be used for the specific purpose for which it was collected.
  2. Data Security: We are responsible for implementing robust technical and organisational measures to safeguard personal data from breaches and unauthorised access. This may involve encryption, access controls, and regular security assessments to protect consumer data collected through online campaigns.
  3. Data Subject Rights: We’re prepared to facilitate data subject rights, including the right to access, rectify, restrict processing, and object to processing. We have established procedures to respond promptly to data subject requests. FMCG companies often receive requests related to data correction, opting out of future marketing campaigns, or data portability.

Data Deletion:

  1. Data Retention Policies: We establish clear data retention policies outlining how long personal data will be retained. Data should not be kept longer than necessary for the specific purposes for which it was collected. 
  2. Right to Erasure (Right to Be Forgotten): Data subjects have the right to request the deletion of their data under certain circumstances. We have well-defined processes in place to respond promptly to such requests. Personal data should be securely and permanently deleted when it is no longer needed, which is particularly crucial in the FMCG sector, where consumer preferences and relationships evolve rapidly.
  3. Data Backup: We ensure that data deletion extends to removal from backup systems and archives. This is critical to fully comply with the right to erasure, even where some data must be retained for legal or regulatory reasons.


In conclusion, FMCG marketers engaging in data-based marketing strategies must prioritise GDPR compliance in data collection, processing, and deletion. Failing to do so can result in substantial fines and damage to the brand’s reputation. By respecting these principles, FMCG companies can build trust with consumers and operate within the bounds of data privacy laws, ultimately enhancing their digital marketing strategies.

Necessary Data for GDPR Compliance

In the landscape of Fast-Moving Consumer Goods (FMCG) campaigns utilising receipt processing technology, the General Data Protection Regulation (GDPR) plays a pivotal role in safeguarding personal information within the European Union and the European Economic Area (EEA). Receipt processing technology often involves the collection, processing, and storage of personal data, making it essential to understand the types of data involved and GDPR’s stringent regulations:

  1. Basic Identity Information: In FMCG campaigns using receipt processing technology, personal data often includes fundamental details such as a person’s name, address, phone number, and email address. This data may be extracted from receipts and used to build consumer profiles and facilitate marketing efforts.
  2. Identification Numbers: Personal identification numbers, like national identification numbers or loyalty program IDs, can be part of the data collected. They are categorized as personal data and must be treated with care in compliance with GDPR.
  3. Financial Information: Receipts may contain sensitive data such as bank account numbers, credit card information, or transaction details. This financial information is vital for processing payments and may require heightened security measures.
  4. Product Preferences and Behaviour: Receipt processing technology often captures data on consumers’ product preferences and purchasing behaviour, which can be used to tailor FMCG campaigns. This data is considered personal data under GDPR.
  5. Location Data: Some receipt processing technologies may also capture location data, indicating where transactions occurred. This information can be linked to individuals and falls within the scope of GDPR.


Do FMCG companies need to hire a Data Protection Officer?

FMCG (Fast-Moving Consumer Goods) companies typically do not fall into the mandatory categories for appointing a Data Protection Officer (DPO) under GDPR. These mandatory categories are more often associated with public authorities, organisations engaged in large-scale systematic monitoring, or those processing sensitive data on a large scale.

However, FMCG companies may voluntarily choose to appoint a DPO to enhance their data protection and privacy efforts, even if they are not required to do so by law. This proactive approach can help them demonstrate their commitment to safeguarding individuals’ privacy and ensure compliance with GDPR, especially considering they handle significant amounts of consumer data.


What are the penalties if companies do not abide by GDPR?

The General Data Protection Regulation (GDPR) imposes significant penalties for non-compliance. These penalties fall into two categories: administrative fines and other enforcement actions. The severity of the penalty depends on the nature and extent of the violation.


Administrative Fines: GDPR allows supervisory authorities in each EU member state to impose fines for non-compliance. The maximum fines are substantial and are applied in two tiers:

  1. Lower Tier: For less severe violations, the fine can be up to €10 million or 2% of the company’s global annual revenue, whichever is higher.
  2. Upper Tier: For more severe violations, the fine can be up to €20 million or 4% of the company’s global annual revenue, whichever is higher.

The specific fine amount within these limits is determined based on factors such as the nature and duration of the violation, the number of data subjects affected, and whether the organisation cooperated with authorities during the investigation.


Other Enforcement Actions:

  • In addition to fines, supervisory authorities can take various enforcement actions, including issuing warnings and reprimands, ordering data rectification or erasure, suspending data transfers, or temporarily or permanently banning data processing activities.
  • Data subjects also have the right to seek compensation for damages resulting from non-compliance with GDPR.


It’s important to note that GDPR ensures strong data protection and privacy practices. Organisations are encouraged to proactively comply with GDPR’s requirements to protect the personal data of individuals and avoid these potentially severe penalties. Penalties for GDPR non-compliance are intended to be a deterrent to encourage organisations to take data protection seriously and uphold the rights of data subjects.