<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Lead Acquisition at Events, GDPR Style

Topics: Data Protection, GDPR, General Data Protection Regulation, Lead Acquisition

Posted: 28 February 2018

Lead Acquisition at Events Trade Shows Conferences Exhibitions GDPR

I am certain that there is likely to be nobody reading this blog who has never been to a trade fair or industry event. Huge gatherings of like-minded individuals, peers or even just the curious jostle past one another, between extravagant stands paid for vendors promoting their wares.

The cost of such events is justified by the lead data which is acquired en masse via business card exchange and the scanning of visitor name badges, something sales teams hope to capitalise on later down the line. All that personal data and a well known European data protection regulation are sure to cross paths in dramatic style, post May 2018.

Event Organisers and Terms and Conditions under GDPR

Unsurprisingly, events are run by event organisers, take for example Europe's largest IT security event, InfoSecurity Europe in London run by Reed Exhibitions. On past occasions when registering for an entry badge, you may have noticed a number of check-boxes agreeing to terms and conditions before booking. 


The current registration form, much like other such events, relies on the Data Protection Act of 1998. It is not particularly clear what is being consented to, yet it can be assumed that at a basic level that it involves adding your personal data to a registry for entry and sending you a badge. In addition, further marketing is assumed consensual unless opted-out by ticking boxes to indicate so.

The GDPR (General Data Protection Regulation) requires some change here, firstly data subjects must consent to each processing purpose for which their personal data is subject to; this purpose or these purposes must be both clear and unambiguous. Secondly consent can never be assumed and must only ever exist in an explicit form; ticking a box to prevent processing is not permitted by the GDPR.

This doesn't mean that event organisers cannot share personal data with their exhibitors, this would destroy the purpose of the event from the exhibitors perspective. Rather data subjects must be aware that their personal data may be shared, for what purpose and be asked for consent in doing so. As a result, there are likely to be some visitors whom, even if you scan their badge, you are unlikely to receive their contact information from the event organiser, should they not consent to the transfer of their personal data between the organiser and the exhibitor.

It is also worth noting that Reed Exhibitions themselves would be able to continue to process personal data for direct marketing purposes without consent, using the legitimate interests as their lawful case. This would not work for exhibitors as legitimate interests in the case of a personal data transfer to a third-party is not likely to be seen as fair to the rights of data subjects in a balance test.

Note: The GDPR is related to the processing of personal data and not specifically communication, this currently comes under the PECR (Privacy and Electronic Communications Regulation). This topic is outside of the scope of this blog post but should be consulted if any personal data processing involves communicating with data subjects, as it most likely would when used for marketing.

Exhibitors, Badge Scanners and Business Cards

In the case of the exhibitor, the purpose of attending such industry events and trade shows are for lead generation. The action of collecting business cards or scanning badges is critical to that outcome.

Business cards are not a dying breed, at least not because of data protection regulation. The act of giving someone a business card is not an act of consent for general marketing but does act as a invite for communication. In other words, when someone gives you their business card, it is perfectly legitimate to contact them subsequently and offer them further information. What you cannot do is copy and paste their contact details into your marketing system. Why not? Simply because it is not a clear act of consent for particular processing purpose; there is no carte blanche ability to use that personal data.

Fast-forward to something more modern, like those handy little scanners the event organisers now rent to exhibitors. Why complete lead sheets or collect business cards when you can just scan a barcode and be sent a huge list of prospects afterwards? It certainly sounds like a marketeers dream.

Well again there is no need to retire this practice so long as the event organiser has gained consent to pass data subjects personal data onto an exhibitor, at the point of registration. If this consent is not given, then no amount of scanning should add that data subject to a list. Again much like the business card, the purpose of processing must be listed and must be stuck to. You cannot just do with the data as you please. There is a good reason why a significant number of event attendees give false information; to avoid the aftermath.

Event Organisers Transferring Personal Data to Exhibitor

Your stand was popular and you eagerly await the list of scanned badges which the event organiser is busy preparing. Great news but at the top of the list on both parties concerns should be how to both securely transport the personal data between each other and how to store and process it.

Personally, I have witnessed many an event organiser simply email a spreadsheet of personal data to a nominated exhibitor contact. This will not do, email encryption and managed file transfer solutions should be used to guarantee the confidentiality and integrity of their transfers. On top of this, personal data in spreadsheets, or any other file type for that matter, should not be left on a laptop or shared folder for all to access and view. Any act of access or storage is considered processing under the GDPR and thus affords a level of protection.

The Show Must Go On

Despite what you may have heard or assumed, events of this nature will continue. There is no need to shut shop or demand your deposit back from the next event you have planned to exhibit at. Event organisers are going to have to change their sign-up process and exhibitors may end up with less at the end of the event but it is all for good reason.

After all, we are all data subjects and we would all prefer to have our personal data respected and used sensibly. Point in case are those who as mentioned before, would go to the length of signing up with false data just to avoid contact. Wouldnt it save everybody's time if you could just not opt-in in the first place?

Prepare for GDPR 11 step checklist

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts