
UK GDPR and loyalty programmes — the practical compliance guide

7 May 2026 · 8 min read

Plain-English guide to UK GDPR and the Data Protection Act 2018 for loyalty programmes. What you can collect, customer rights, ICO obligations, common mistakes.


The UK has had GDPR-style data protection law since 2018. After Brexit, the EU GDPR was largely retained as “UK GDPR” alongside the Data Protection Act 2018, with the Information Commissioner’s Office (ICO) as the enforcement body. For a UK small business owner thinking about launching a loyalty programme, the natural worry is: “am I going to accidentally break GDPR and get fined?”

Good news: a well-designed digital loyalty programme actually makes GDPR compliance easier, not harder. This guide is the plain-English walkthrough — what you actually need to do, what most platforms quietly get wrong, and what realistic ICO enforcement looks like for a small business.

Does my loyalty programme count as “processing personal data”?

Yes. The moment you collect any data that can identify a customer — an email address, a name on a card, a phone number — you’re processing personal data under UK GDPR. This applies equally to:

  • A digital loyalty app where customers register with their email
  • A paper stamp card with the customer’s name on the front
  • A spreadsheet of email addresses you keep for marketing
  • A WhatsApp group of regulars

You become a data controller for that personal data. You have specific obligations to your customers and to the ICO.

What can you actually collect?

Core principle of UK GDPR: data minimisation. Only collect what you genuinely need to operate the loyalty programme.

Reasonable to collect:

  • Email address — needed for account confirmation and reward notifications
  • Points balance and transaction history within the programme
  • Date of birth — only if you offer a birthday reward (and only the day + month, not full year, unless legally required)

Don’t collect without specific reason:

  • Full name — only if you’ll address the customer by name
  • Phone number — if you communicate via the app, you don’t need a phone number
  • Home address — no legitimate purpose in a loyalty programme
  • Special category data (health, religion, sexual orientation, etc.) — absolutely never

The privacy notice — what to put in it

When a customer signs up to your programme, you must give them a privacy notice (Article 13 UK GDPR). It must include:

  • Identity of the data controller (your business name and address)
  • Contact details (email)
  • Purpose of processing (e.g., “running a loyalty programme”)
  • Legal basis (typically: consent — Article 6(1)(a))
  • Recipients of the data (e.g., the loyalty platform you use)
  • Retention period
  • Customer rights (access, rectification, erasure, portability, objection, withdrawal of consent)
  • Right to complain to the ICO
  • Whether providing data is mandatory
  • Whether data is transferred outside the UK/EU and any safeguards

Well-designed loyalty platforms (like Pointify) generate this notice automatically and show it during customer signup. You don’t need to write it yourself.

The data processing agreement (DPA) — non-negotiable

If you use a third-party loyalty platform, that platform is a data processor acting on your behalf. UK GDPR (Article 28) requires you to have a written contract with them — a Data Processing Agreement (DPA).

The DPA must cover:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller (you)
  • Confidentiality requirements on the processor
  • Security measures (encryption, access controls)
  • Sub-processor permissions
  • Assistance with subject rights requests
  • Procedures at end of contract (data return or deletion)

Pointify provides a standard DPA at business signup. If you’re evaluating any loyalty platform and they don’t offer a DPA, walk away — you can’t legally use them.

Where should the data live?

UK GDPR doesn’t require data to stay in the UK or EU specifically — but transfers outside “adequate” jurisdictions require additional safeguards (Standard Contractual Clauses, transfer impact assessments).

The simplest path: choose a loyalty platform that hosts data in the UK or EU. No transfer = no SCC paperwork = simpler compliance story to tell the ICO if asked.

Most US-based platforms (Square Loyalty, Smile.io, Yotpo) host data in US datacentres by default, requiring SCCs. Pointify hosts in the EU (AWS Frankfurt, eu-central-1) — no transfer outside the UK’s “adequate” list.

Customer rights and how to fulfil them

UK GDPR gives your customers concrete rights. You have 30 days from a written request to fulfil each:

  • Right of access (subject access request). Customer asks for a copy of their personal data. You must provide it in a readable format.
  • Right to rectification. Customer asks you to correct inaccurate data.
  • Right to erasure (“right to be forgotten”). Customer asks you to delete their account and data. You must comply unless you have a legal basis to retain (e.g., tax records).
  • Right to data portability. Customer asks for their data in a machine-readable format (JSON, CSV).
  • Right to object. Customer objects to processing for marketing or profiling.
  • Right to withdraw consent. Customer revokes their consent at any time.

Good loyalty platforms let customers self-serve most of these from inside the app — account deletion, data export, consent withdrawal. Pointify supports all of these from the customer-facing app, which means you don’t personally have to handle each request.

What enforcement actually looks like for a UK small business

The headline-grabbing GDPR fines (£100M+ on British Airways, Marriott, etc.) don’t apply to small businesses. The maximum fine is technically £17.5M or 4% of global turnover, but in practice ICO enforcement against small businesses follows a different pattern:

  • First-time complaint: usually a written warning + guidance from the ICO. No fine.
  • Failure to respond to ICO inquiry: £200–1,000 fine
  • Failure to fulfil subject access requests: £500–5,000 fine
  • Significant breach + delayed reporting: low-five-figure fines

The most common reasons UK small businesses get into trouble:

  • No DPA with third-party platforms processing customer data
  • Failing to respond to a subject access request within 30 days
  • No privacy notice at the point of data collection
  • Data breach not reported to the ICO within 72 hours
  • Marketing emails sent without separate consent

All of the above are avoidable if you choose a loyalty platform that handles them by default.

The PECR overlay — separate from GDPR

UK businesses also have to comply with the Privacy and Electronic Communications Regulations (PECR). PECR governs marketing emails and cookies. For a loyalty programme:

  • You can email loyalty members about programme matters (rewards, points balance) — this is “legitimate interest”.
  • You cannot email loyalty members marketing content for unrelated products without separate consent.
  • Cookies on your website require a cookie banner if you use anything beyond strictly necessary cookies.

Pointify’s marketing site has zero non-essential cookies, so the cookie banner question doesn’t arise. Your own business website is your responsibility.

Conclusion

UK GDPR shouldn’t be a reason to avoid running a digital loyalty programme — the right platform makes compliance simpler than running a paper system. Key principles: minimise data collected, host in the UK/EU, sign a DPA with the platform, give customers a clear privacy notice, support their rights from inside the app.

Pointify meets all of these by default. Full description in our privacy policy. If you have UK GDPR questions before launching, get in touch. More guides: best loyalty app for UK cafés, digital vs paper stamp cards, launch a loyalty programme in seven days.
