Your exhibition booth has arrived safely to the trust and estate conference in Europe. You have a stack of business cards packed in your bag. You have a private cocktail party planned for potential clients. Missing anything? Yes, your GDPR strategy.
GDPR
The General Data Protection Regulation (GDPR) is a European Union (EU) legal regime that provides a consumer rights regarding her personal data. The onus is on businesses to protect EU citizens’ privacy and personal data.
A U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. It does not matter whether the U.S. business has any offices or operations in the EU.
Opt-In
The GDPR requires that your potential EU client provide specific consent for the use of her personal data. Personal data includes name, phone number, email address, social media profiles, photos and videos.
The fact that a potential client shows interest in your services at the conference and provides you her name is not a free pass to subsequently put her on your mailing list or otherwise market your services to her. You must obtain written consent which indicates the specific purposes her data will be used.
The GDPR is an opt-in regulation. Your potential client must opt in to both the data you collect and the purposes for which you will use the data. This can be accomplished using a registration form that:
Requests personal data;
Lists specific purposes for data use with tick boxes; and
Requires a signature.
For both GDPR and marketing purposes, the form should also include the name and date of the conference.
Dual Citizen
A large conference in Europe will attract people from around the world. As a best practice, assume all attendees are EU citizens and request potential clients to complete a registration form.
The person with the American accent could be a dual citizen or be a citizen of a single EU country. (Just a reminder how far Americans lag behind the EU in learning a second language: 20% of Americans learn a foreign language whereas the EU median average is 92%).
Badges
Some conference organizers adopt an opt-in process through an attendee’s badge barcode. The idea is that the attendee selects how her data can be used through the conference registration process. If the attendee does not opt in to specific uses of her data then the badge barcode will reflect this.
The concept is great but your organization would then be relying on the conference organizer’s GDPR processes. Do you know if the badge accurately reflects the attendee’s selections? Perhaps the attendee did not opt in to a particular use of her data but is so enamored with your pitch, she is agreeable to your using her data for an additional purpose.
Solution: request the potential client complete your registration form.
Business Cards
An exchange of business cards is not explicit consent. You need to be able to demonstrate the context, time and source of the data collection. If an attendee gives you her card, you must follow up to obtain consent prior to sending her information.
This can be accomplished through a follow up e-mail: Nice to meet you. Thank you for stopping by our booth. The e-mail should include specific opt-ins at the bottom of the email as well as a link to your organization’s privacy policy.
Tablet v Paper
From a GDPR perspective, the difference between using paper or tablet registration form at your booth revolves around security. The GDPR requires controllers and processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Business cards are low risk and can be thrown in your bag. Registration forms may be high risk depending on the collected data. It is likely that you can achieve higher security for the data with a tablet than traveling with or shipping a stack of paper.
Record Keeping
Your organization’s GDPR compliance program should include record keeping processes. It is important to be able to demonstrate that the individual provided consent for specific purposes and that you have not exceeded those purposes. The records should also include the date of consent and the context in which the consent was obtained.
Next Steps
Prior to sending staff to an EU conference think through your GDPR strategy:
Decide what data should or should not be collected.
Create a registration form.
Create a standard e-mail to send to potential clients who only provide business cards.
Train management team and staff.
Create a data protection plan or review and update existing data protection plan.
For assistance, please contact me via my contact page or at elizabeth@elizabethmcmorrowlaw.com.