Case Study

Privacy and Consent: Keeping a global membership rewards scheme on the right side of the law

This is the story of how we advised a huge global brand on managing downstream privacy and consent for 15 million membership rewards customers, and built a Proof of Concept to validate our approach.


How it started

When you’re one of the most recognisable brands in the world and you operate a membership rewards scheme across 43 separate companies and 60 partners on two continents, managing the personal data of your 15 million customers requires some expert guidance.

Something many people don’t really understand about the big brand names that we’re all familiar with is this: they’re often not all part of the same company. In many cases, they’re entirely separate companies that have either been acquired by the parent brand, or are simply licensees of the brand in question.

This presents a hugely complex web of relationships to navigate when it comes to the appropriate management and sharing of customers’ personal data between the various companies using the brand name and the partner companies they work with.

When one enormous globally recognised brand wanted to revamp and expand their membership rewards scheme, they knew they needed expert advice on both compliance with global privacy regulations and the standards and technologies that could help to make it possible.

When they asked their usual advisors, the answer was: ask Onaware.

The Results

Successful Proof of Concept

The Proof of Concept we designed and delivered simulated the numerous permutations of brand and reward partner flows of personal data, including cross-border transfers and the differing privacy and consent requirements of different countries and other jurisdictions.

Design Review and Privacy and Consent Principles

The customer now has a set of design principles and privacy and consent best practices that enables them to maintain a level of data privacy and customer consent management that exceeds current regulatory requirements.

Personal data controlled by the individual

The brand’s flagship mobile application enables each rewards scheme member to manage each item of personal data associated with them. They can update/correct individual elements like address, gender, marital status etc. and approve or revoke the sharing of that specific piece of personal information with any brand or rewards partner at any time.

The Full Story

How did things work before?

They didn’t.

When the client came to us for help, we had the unenviable task of informing them that, as things stood, they were almost certainly in serious breach of a number of regulations related to data privacy and consent management, in multiple countries.

How did you help solve their privacy problem?

The design review we conducted immediately after that first meeting confirmed that they needed to make some serious changes to their plans for a global expansion and relaunch of their rewards programme.

Developing a proof of concept to model the flows of personal data across brand and rewards partners enabled the client project team to clearly demonstrate to their board that they were at regulatory and legal risk. This gave them the approval they needed to make changes to the design of the rewards programme infrastructure.

How does a member manage their personal data?

If the person has not previously approved the use of a piece of personal information by a particular brand or rewards partner, the application presents the details of every attribute for which consent is missing and requests that consent, stating exactly the purpose, use and sharing of that specific information. The member then chooses how each element may be used, and by which partner.

Placing granular consent for personal data in the hands of the member themselves delivers a privacy and consent management solution that exceeds the requirements of any current legislation.

The solution allows easy change and revocation of consent and ensures that any changes are reflected across every brand and rewards partner, with no burden on the client’s staff to manage the processing of such requests.

How does what you did change things?

Our deep understanding of global privacy and consent regulations enabled us to rapidly understand where the client was in breach, or at risk of breaching data privacy law.

This gave our consulting and development teams a blueprint from which to design and build a Proof of Concept reflecting the complex relationships and flows of personal data between the numerous brand and reward partners.

The client’s own project team used this Proof of Concept to gain strong support for significant change to the planned membership rewards programme expansion and redesign.

As this was an advisory engagement, our involvement concluded at the point where we reviewed and approved the proposed architecture, solution design and process models.

At the time of writing, the new membership rewards scheme and associated application have launched and are widely heralded as the standard by which other such programmes should be judged.