Think back to the last business event you attended. You likely met new contacts and at some point may have said, “Here, drop me a line,” reaching into your pocket to produce your details embossed on a flashy, tactile card.
Could this casual staple of networking be thrown on the scrap-heap as we move towards GDPR and a new era of data protection?
The General Data Protection Regulation arrives on May 25th and will tighten business practices on how the information of EU citizens is obtained, stored and handled. More broadly, it will bring a new dimension to our care for the personal details of others, forcing the issue to its rightful place at the top of our collective conscience in our digital world.
It’s got executives thinking about how to adapt internal processes and protocols, but GDPR’s relevance extends beyond the edges of the website, database and office walls. Networking and conferences are all about data exchange too.
Consent for personal data to be used
Think about consent under GDPR. The Information Commissioner’s Office (ICO) says consent constitutes a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which [they], by statement or by clear affirmative action, signifies agreement to the processing of personal data”.
Opting in has to be an obvious, positive action, kept separate from any terms and conditions, which spells the end of pre-ticked boxes or inactivity being interpreted as consent.
Can these observances be applied in a fully compliant way to the exchange of a business card? If GDPR is to be implemented to its logical extent, then networking events are never going to be the same again.
The reality is that the new regulations are not yet focussed enough to provide clear guidance on the issue, but the parameters of consent are clear – handing over a business card cannot be considered sufficient as consent.
Consent in context
The ICO gives an example of an individual dropping their business card into a prize draw in a coffee shop. Under GDPR it would be an affirmative act, clearly indicating that the data subject agrees to their details being processed for the purposes of the prize draw. And that’s where the line is drawn in terms of the data’s usage.
But a conference environment? Put yourself in the data subject’s shoes – what would you expect to happen – what would you want to happen – as a result of you giving your business card to another? Should the card be held for a limited time so that a private and mutually beneficial business conversation can take place in the near future? Possibly. Do you expect your details to be stored on a database indefinitely so that you can be marketed to for years to come? Maybe not.
Either way, business cards can’t be documented. In the absence of precedent, or more direct guidance from the EC in terms of how GDPR applies in more relaxed scenarios, a better-safe-than-sorry approach is best as we approach the May 25th deadline.
Think about an immediate further communication with the owner of the business card, to relay why the data was taken and to obtain official consent for its usage.
If your intention is marketing, then is a business card really needed? You could channel marketing consent through a form on a tablet or mobile phone, so that the information you take in from events is clearly reasoned and attached to an opt-in mechanism.
This will give you the information you’re looking for in a compliant way that evidences your adherence to GDPR standards.
The real benefits of GDPR compliance
Besides avoiding potential fines, compliance with the GDPR will produce more streamlined, healthier and, ultimately, more productive data at live events.
It may cramp the business card’s style, but this transparency is crucial to driving trust that will make for better, safer business in future.