GDPR and Events – One Month In
‘Oh no’ I hear you cry! Yes, sorry, it is yet another blog on the General Data Protection Regulation (GDPR). I imagine, like me, most people are suffering from an overload of information or the relentless and largely unnecessary number of ‘Please can we still contact you’ emails that flooded inboxes in the run-up to the deadline, so I will keep this short.
It’s currently a month since the GDPR came into force, so what has happened? Well, the world is still spinning and businesses continue to operate; however, complaints have been filed against some of the big tech companies such as Facebook and WhatsApp. Some US-based companies took the rather drastic approach of simply blocking or removing services from all EU users rather than trying to comply with the regulations.
Being part of Jonas Software has allowed us to undertake an ongoing, large-scale, cross-company project working with a highly reputable law firm to ensure we are compliant (well, as compliant as we can be for now…). I don’t believe any company can claim to be 100% compliant; it is an ongoing process, especially in the early days. The Information Commissioner’s Office (ICO) have said they are not looking for perfection immediately but are looking for commitment and evidence of the actions companies have taken to be compliant.
It feels like a long old trudge from when the GDPR was first announced to a definite sprint finish trying to complete all the elements being worked on! However, that’s not the end of the race, as you need to review, learn and improve as part of a continuing process. One of the first key steps we took was to implement new onsite database architecture and make a large investment in new onsite laptops to ensure we could encrypt the data. We have revamped many policies, procedures and training programs, but these will still need regular auditing to ensure they are fit for purpose.
From talking to our clients, it became apparent that many had data stored all over the place in various sheets or bits of software, and they wanted a data store where their visitors could securely access and update their details or preferences, and they could export data from campaigns. Off the back of this we have developed JET Data, which not only fulfils those requirements but also has a live feed of data directly from our online registration forms to keep your database up to date.
Electronic Lead Capture
We have had some concern from both organisers and exhibitors over whether scanners and barcodes can still be used at exhibitions for lead capture. In our view they absolutely can, so let’s look at the process.
The visitor will have been informed as part of the registration process what having their badge scanned means and no visitors are forced to have their badge scanned by an exhibitor.
The visitor should expect that by allowing their badge to be scanned their details will be processed by that exhibitor or sponsor.
In terms of the lawful basis of processing it could be consent, with the affirmative action being the decision to allow your badge to be scanned. Alternatively, it could fall under the legitimate interests of all parties, including the event organiser. For example, the event organiser will want their exhibitors to gain leads and visitors to find relevant and useful exhibitors, both resulting in a successful event.
There are additional benefits of electronic lead capture, such as the data containing which show it was recorded at and the date/time when the scan was made, for your audit trail.
If you use our Two Way Lead Recording service it also shows the visitor which exhibitors scanned their badge for further transparency.
The GDPR is not out to stop sensible data capture. One of the seven key principles is lawfulness, fairness and transparency; it is our opinion that scanners and scanner apps help achieve this rather than hinder it.
It does mean those exhibitors who try and skulk directly behind the entrance and mass scan every visitor’s badge without any explanation are breaking the law even more than they were already…
To note – the views expressed here are not those of a lawyer or privacy officer but simply someone who has read far too much about GDPR!