On the 25th May 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Act (DPA).
The aim was to give individuals more control over how their personal data is used and for businesses to be more transparent in how that data is processed.
With the help of an expert, we've answered some FAQs on how this will affect data collection at events
What is the GDPR impact on registration forms?
Forms must only ask for personal data that is needed. Asking for data on the basis that it may be useful later is not allowed. To meet the transparency requirements, various information including contact details about the data controller, how long data will be kept for, what the data will be used for, if data will be passed to third parties to validate what they are entering and whether data will be passed outside the EEA etc. has to be given at the time data is collected.
This information needs to be clearly provided and cannot be ‘hidden’ in your terms and conditions. You also cannot use terms and conditions on tickets to impose new data conditions.
What do I need to change?
Make sure you have tick boxes to allow opt-in consent for ongoing direct marketing, passing data to third parties etc. There should also be tick boxes to allow the relevant contact method(s) to be selected: email, phone, SMS or post. The ICO has produced a document on forms and examples of text https://ico.org.uk/media/for-organisations/guide-to-dataprotection/privacy-notices-transparency-and-control-1-0.pdf
As the GDPR requires data to be secure, online forms must be on a secure connection; the URL of the page needs to start with HTTPS. Putting all pages of a site on a secure connection is a good idea.
What impact does GDPR have on scanning badges at an event?
1. Entering an event
Confirming who attends an event is a legitimate interest for an event organiser so is ok.
2. On stands
Individuals must have some control over having their badge scanned and be aware of who is doing the scanning. Ask before scanning it and do scans on a stand. Information details (referenced above) need to be provided on the stand about the data controller, how long data will be kept for etc. This should be given out when scanning is done, but in practice this is likely to be difficult/time consuming so send one follow-up email referencing this data information and ask what type of information or services the individual is interested in before using their details.
If an individual complains that scanning is done without their permission, the data controller – the company doing the scanning – would be liable for any fines.
3. Breakout sessions and seminars
Scanning of badges when an individual attends a breakout session or seminar is likely to be covered under the legitimate interest of the sessions/seminar organiser.
Can we ask for business cards to go into a prize draw at an event?
The use of a ‘fish bowl’ to collect business cards to go into a prize draw is allowed providing the details are not to be used for another purpose, e.g. added onto an email list. After selecting the winner(s) of the draw, legitimate interest could be used to send an email informing everyone who provided a card of the winner(s).
Full details of the winner(s) should not be given as that would be a data protection issue! The email can include a link to allow them to consent to future newsletters. Delete the details of anyone thatdoes not give consent.
Be sure to subscribe to our monthly blog with expert tips on exhibiting
If you have questions about GDPR regulations and it's affect on your exhibition, speak to one of our experienced Project Managers today. Ask about our free design and cost consultation on your stand, use the contact form or call us on 01527 510 154.
**** LEGALLY CHECKED BY LEE & THOMPSON LLP ****
This article does not constitute any legal advice and you should consult with a registered Data Officer that your activities remain compliant.