Most of us have, at some time, dropped our business card into a prize draw at a business event in the hope of winning an iPad, a bottle of good wine or some similar enticement. Did we expect to be followed up with a sales email from the stand holder? Yes, probably, given that the setting was a business event and the company running the prize draw was clearly looking for new contacts and not just an excuse to be generous.
Under GDPR, the act of sharing data in this way quite clearly indicates consent for those personal details to be used in connection with the prize draw. Does it also give the stand holder permission to use the same data for marketing purposes? And if so, for how long?
Before looking into this in more detail, let’s consider another scenario.
Card swapping and permission
Fairly recently I received an invitation to a networking event with the comment “bring plenty of business cards”. Card swapping is a given at networking events but does the handover of your beautifully branded card give the recipient the right to store and use your data?
Data exchange is part and parcel of exhibitions, conferences and networking events and as such it is covered by the new General Data Protection Regulation, which comes into effect in May. That means it needs to be considered as part of your GDPR policy.
The question of consent
The Information Commissioner’s Office (ICO) states that consent should be “freely given, specific, informed and unambiguous”. Positive action has to have been taken to opt in. On this basis, the business card and the prize draw are on dodgy ground. It would be fairly easy to argue that by putting a business card into a prize draw the entrant has consented to being contacted about the prize draw. They have not, however, given clear and unambiguous consent to be contacted about anything else. They have definitely not given consent for their details to be stored on a general database for an indefinite length of time.
In relation to the act of swapping business cards at a networking event, this has clearly been done with the intent of contacting one another in a business context. This means you can pretty safely rely on “legitimate interest” as grounds for using the information to get in touch. Consent has not been given, however, for you to go a step further and add the data to your IT systems and general company database.
With the thorny issue of consent now taken care of, let’s turn our attention to privacy notices. Under GDPR a privacy notice should be issued to the data subject at the time of data collection. Should you therefore attach a privacy notice to your “nice to meet you” email after collecting that business card at a networking event? I think most of us would agree that this might be a bit much in the context of a friendly follow-up email. You could perhaps consider a line at the end of your email with a link to an online privacy notice. In an event setting, a clearly visible privacy statement at the point of business card handover is recommended.
Most organisations will need a privacy notice to comply with GDPR and the ICO has published guidance. In my role as employment law advisor to boards and senior management teams I am working closely with my clients to help them draft their own privacy notices to comply with the new data regulations. The focus is on being fair and transparent and taking into account the audience and the data processing systems. In short, the privacy notice should be as relevant and tailored to the organisation and its data subjects as possible.
Privacy notices are an important part of GDPR compliance and the point of this article is to remind everyone in business that data protection laws don’t just relate to the IT systems in your offices. Data can be collected in all sorts of different ways and even the unassuming business card should be scrutinised as you audit your data processes.
For help and advice on how to prepare for GDPR, contact Boardside. Tel: 01423 594 880