For many exhibitors, the purpose of attending an exhibition is lead generation, the action of collecting business cards or contact details is therefore critical to that outcome. However the new GDPR regulations make it more difficult to simply use the data collected for marketing purposes.
Swapping cards at networking events
We all know you don’t go to a networking event without your business cards. Card swapping is a given at networking events but does the handover of your card give the recipient the right to store and use your data?
The Information Commissioner’s Office (ICO) states that consent should be “freely given, specific, informed and unambiguous”. Positive action has to have been taken to opt in.
In most cases, the act of giving someone a business card is a legitimate invitation for future communication but not an act of consent for general marketing. In other words, when someone gives you their business card, it is perfectly legitimate to follow this up with further information. You cannot however add their contact details to your marketing system or database. Why not? Simply because it is not a clear act of consent for particular processing purpose; the act of giving a business card is not a carte blanche to use their personal data for any purpose.
The business card draw
Most of us have, dropped our business card into a prize draw at a business event in the hope of winning a prize. Did we expect to be followed up with a sales email from the stand holder? Yes, probably, given that the setting was a business event and the company running the prize draw was clearly looking for new contacts and not just an excuse to be generous.
Unfortunately, under GDPR, the act of providing your personal data in this way quite clearly indicates consent for it to be used in connection with the prize draw only. They have not, however, given clear and unambiguous consent to be contacted about anything else. They have definitely not given consent for their details to be stored on a general database for an indefinite length of time.
Once the competition has ended and the prize claimed, the data should be securely deleted. It is worth noting however, that a consumer can complain to the Advertising Standards Authority (ASA) for 3 months post the promotion’s closing date. It is there recommended that the data controller maintain the sole copy of the data for the duration of this timeframe, then securely delete it.
So what CAN you do?
Think about how you collect the information and the the reason it was given to you.
Finally, once you hold the attendee’s data, you’ll need to ensure it is retained securely and only for as long as necessary.
The Direct Marketing Association, a body of over 1000 B2B marketing firms and associated bodies, has produced a clear and extensive checklist for GDPR compliance; if you’re looking for specific advice on any stage of this process, that checklist is a good place to start.
Visit the ICO website for more information about GDPR.
Blog my Kingston Chamber of Commerce
Organisers of the Kingston Business Expo taking place on 4th July 2018
Leave a Reply
You must be logged in to post a comment.