GDPR for exhibitors

For many exhibitors, the purpose of attending an exhibition is lead generation, the action of collecting business cards or contact details is therefore critical to that outcome. However the new GDPR regulations make it more difficult to simply use the data collected for marketing purposes.

Swapping cards at networking events

We all know you don’t go to a networking event without your business cards. Card swapping is a given at networking events but does the handover of your card give the recipient the right to store and use your data?

The Information Commissioner’s Office (ICO) states that consent should be “freely given, specific, informed and unambiguous”. Positive action has to have been taken to opt in.

In most cases, the act of giving someone a business card is a legitimate invitation for future communication but not an act of consent for general marketing. In other words, when someone gives you their business card, it is perfectly legitimate to follow this up with further information. You cannot however add their contact details to your marketing system or database. Why not? Simply because it is not a clear act of consent for particular processing purpose; the act of giving a business card is not a carte blanche to use their personal data for any purpose.

The business card draw

Most of us have, dropped our business card into a prize draw at a business event in the hope of winning a prize. Did we expect to be followed up with a sales email from the stand holder? Yes, probably, given that the setting was a business event and the company running the prize draw was clearly looking for new contacts and not just an excuse to be generous.

Unfortunately, under GDPR, the act of providing your personal data in this way quite clearly indicates consent for it to be used in connection with the prize draw only. They have not, however, given clear and unambiguous consent to be contacted about anything else. They have definitely not given consent for their details to be stored on a general database for an indefinite length of time.

Once the competition has ended and the prize claimed, the data should be securely deleted. It is worth noting however, that a consumer can complain to the Advertising Standards Authority (ASA) for 3 months post the promotion’s closing date. It is there recommended that the data controller maintain the sole copy of the data for the duration of this timeframe, then securely delete it.

So what CAN you do?

Think about how you collect the information and the the reason it was given to you.

• Get technical – Build a sign-up screen into your stand so people can give their details and their consent on the spot.
• Follow up with a contact information or with the results of the prize draw for example and ask them to give consent for further communications via an opt-in email enabling them to choose how and what communication they wish to receive (if any).
• Include clear and specific opt-in tick boxes on your contact forms or competition entry forms, enabling you to prove clear consent to follow up with appropriate marketing materials.
• Be creative about how you communicate or run your competitions, focus on getting people to follow you on social media for example. This is a great way to keep in touch with them, without the need to gain consent.

Finally, once you hold the attendee’s data, you’ll need to ensure it is retained securely and only for as long as necessary.

The Direct Marketing Association, a body of over 1000 B2B marketing firms and associated bodies, has produced a clear and extensive checklist for GDPR compliance; if you’re looking for specific advice on any stage of this process, that checklist is a good place to start.

Visit the ICO website for more information about GDPR.

Blog my Kingston Chamber of Commerce

Organisers of the Kingston Business Expo taking place on 4th July 2018

Disclaimer: This document is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR. This is not intended as legal advice, nor is it meant to convey legal facts or opinions. The contents of this document should not be relied upon in any particular situation, and the information presented here is not guaranteed to be correct, complete or up-to-date. No action should be taken in reliance on the information found here, and etouches disclaims all liability with respect to any acts or omissions based on the contents of this document. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues.