I am certain that there is likely to be nobody reading this blog who has never been to a trade fair or industry event. Huge gatherings of like-minded individuals, peers or even just the curious jostle past one another, between extravagant stands paid for vendors promoting their wares.
The cost of such events is justified by the lead data which is acquired en masse via business card exchange and the scanning of visitor name badges, something sales teams hope to capitalise on later down the line. All that personal data and a well known European data protection regulation are sure to cross paths in dramatic style, post May 2018.
Event Organisers and Terms and Conditions under GDPR
Unsurprisingly, events are run by event organisers, take for example Europe's largest IT security event, InfoSecurity Europe in London run by Reed Exhibitions. On past occasions when registering for an entry badge, you may have noticed a number of check-boxes agreeing to terms and conditions before booking.
The current registration form, much like other such events, relies on the Data Protection Act of 1998. It is not particularly clear what is being consented to, yet it can be assumed that at a basic level that it involves adding your personal data to a registry for entry and sending you a badge. In addition, further marketing is assumed consensual unless opted-out by ticking boxes to indicate so.
The GDPR (General Data Protection Regulation) requires some change here, firstly data subjects must consent to each processing purpose for which their personal data is subject to; this purpose or these purposes must be both clear and unambiguous. Secondly consent can never be assumed and must only ever exist in an explicit form; ticking a box to prevent processing is not permitted by the GDPR.
This doesn't mean that event organisers cannot share personal data with their exhibitors, this would destroy the purpose of the event from the exhibitors perspective. Rather data subjects must be aware that their personal data may be shared, for what purpose and be asked for consent in doing so. As a result, there are likely to be some visitors whom, even if you scan their badge, you are unlikely to receive their contact information from the event organiser, should they not consent to the transfer of their personal data between the organiser and the exhibitor.
It is also worth noting that Reed Exhibitions themselves would be able to continue to process personal data for direct marketing purposes without consent, using the legitimate interests as their lawful case. This would not work for exhibitors as legitimate interests in the case of a personal data transfer to a third-party is not likely to be seen as fair to the rights of data subjects in a balance test.
Note: The GDPR is related to the processing of personal data and not specifically communication, this currently comes under the PECR (Privacy and Electronic Communications Regulation). This topic is outside of the scope of this blog post but should be consulted if any personal data processing involves communicating with data subjects, as it most likely would when used for marketing.
Exhibitors, Badge Scanners and Business Cards
In the case of the exhibitor, the purpose of attending such industry events and trade shows are for lead generation. The action of collecting business cards or scanning badges is critical to that outcome.
Business cards are not a dying breed, at least not because of data protection regulation. The act of giving someone a business card is not an act of consent for general marketing but does act as a invite for communication. In other words, when someone gives you their business card, it is perfectly legitimate to contact them subsequently and offer them further information. What you cannot do is copy and paste their contact details into your marketing system. Why not? Simply because it is not a clear act of consent for particular processing purpose; there is no carte blanche ability to use that personal data.
Fast-forward to something more modern, like those handy little scanners the event organisers now rent to exhibitors. Why complete lead sheets or collect business cards when you can just scan a barcode and be sent a huge list of prospects afterwards? It certainly sounds like a marketeers dream.
Well again there is no need to retire this practice so long as the event organiser has gained consent to pass data subjects personal data onto an exhibitor, at the point of registration. If this consent is not given, then no amount of scanning should add that data subject to a list. Again much like the business card, the purpose of processing must be listed and must be stuck to. You cannot just do with the data as you please. There is a good reason why a significant number of event attendees give false information; to avoid the aftermath.
Event Organisers Transferring Personal Data to Exhibitor
Your stand was popular and you eagerly await the list of scanned badges which the event organiser is busy preparing. Great news but at the top of the list on both parties concerns should be how to both securely transport the personal data between each other and how to store and process it.
Personally, I have witnessed many an event organiser simply email a spreadsheet of personal data to a nominated exhibitor contact. This will not do, email encryption and managed file transfer solutions should be used to guarantee the confidentiality and integrity of their transfers. On top of this, personal data in spreadsheets, or any other file type for that matter, should not be left on a laptop or shared folder for all to access and view. Any act of access or storage is considered processing under the GDPR and thus affords a level of protection.
The Show Must Go On
Despite what you may have heard or assumed, events of this nature will continue. There is no need to shut shop or demand your deposit back from the next event you have planned to exhibit at. Event organisers are going to have to change their sign-up process and exhibitors may end up with less at the end of the event but it is all for good reason.
After all, we are all data subjects and we would all prefer to have our personal data respected and used sensibly. Point in case are those who as mentioned before, would go to the length of signing up with false data just to avoid contact. Wouldnt it save everybody's time if you could just not opt-in in the first place?