GDPR is big news in the world of marketing, with a huge amount of scary (and frankly fairly boring!) legislation coming in to change the way personal data is used by companies.
We’ve digested the key details for you into this handy guide which looks at the implications of GDPR on trade show marketing, giving you some handy tips to keep your head above water when it comes into force.
1. What is the GDPR?
As of the 25th May 2018, the GDPR will come into effect across the European Economic Area, including in the UK despite Brexit.
This legislation is an update on the previous Data Protection Act, which has become outdated for the internet age.
The GDPR aims to protect personal data and prevent unsolicited marketing communications as well as leaks of personal data, all of which have become more prevalent in recent years.
2. How does this affect my business/organisation?
As mentioned above, the prime focus of the GDPR is to protect the data of the citizens of the European Economic Area (EEA). That means that any company, even international ones, that deal with consumers from either the EU, Iceland, Liechtenstein, Norway or the UK will have to comply with the new regulations.
For businesses looking to exhibit at trade shows in the UK or the EU, this means you will undoubtedly have to follow the GDPR guidelines for collecting and contacting attendees.
3. What are the penalties if I don’t comply?
I know what you’re thinking, another piece of unnecessary regulation coming in, who cares? Well, without trying to be too much of a scaremonger, the penalties for companies breaching GDPR regulation can be extremely severe.
The ICO, the UK body that regulates the GDPR can impose fines of up to €20 million, or 4% annual global turnover – whichever is higher. This level of fine would be after a serious infringement where the company hasn’t acted to follow the GDPR guidelines – so the better prepared you are, the more likely you are to never hear from the ICO and avoid a hefty fine.
4. How does this affect my trade show marketing?
The purpose of exhibiting at a trade show or exhibition is mainly to collect data from people interested in your goods or services.
The GDPR guidelines are very strict on what constitutes personal data, defining it as "any information relating to an identified or identifiable natural person (‘data subject’).” Following this definition then, information such as name, email address, phone number or images of the individual needs to be handled carefully..
You need to be extremely sensitive to how this data is gained, stored and actioned as outlined below:
Collecting & Using Customer Data
In the good old days (or bad depending on how you value your privacy), any exhibitor would be able to collect business cards via a prize draw or other means, go back to the office and upload the contacts to a CRM system to start sending out newsletters and other correspondence.
Not any more!
The new GDPR guidelines mean that you need to get explicit consent from the data subject on what form of communication they receive.
As an example of how seriously companies are taking this approach, British pub chain Wetherspoons recently deleted its entire customer email database as they couldn’t be certain that all their previously collected data would conform to the new GDPR guidelines.
Article 6 of the EU GDPR document ‘Lawfulness of processing’ says there are 6 reasons processing data is lawful, the two most relevant to trade shows being:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Using these GDPR regulations as a guideline, below are some examples of correct and incorrect use of data by the data controller (the company or organisation who holds the customer’s data):
Scenario 1: An attendee drops their business card in a bowl on your stand’s show as part of a competition on your stand.
You send the attendee an email with your latest offers. This contravenes (a) as no consent for marketing activity has been given.
You contact the attendee by phone/email to gather consent (a) for a specific range of products/services before you begin marketing to them.
Gain consent for marketing activity by either spoken consent or ticking a clearly marked consent box on a written or digital form which states exactly what the data subject will receive.
Scenario 2: Attendee Places Order at Trade Show
You send the user marketing material unrelated to their order, which hasn’t been consented to. This contravenes (a) as, whilst consent has been given to use the data for order processing, it cannot be used for marketing purposes.
You can contact the data subject as the processing is necessary for the contract for their goods/services (b) before sending them an opt-in email/call asking for their consent to specific line of marketing communication.
Consent needs to be tracked by your team in case it is ever challenged by the regulator. Create a field on your CRM system which shows how the consent was given (spoken, tick box etc.)
Storing Customer Data
Once you hold the attendee’s data from the trade show, you’ll need to ensure it is retained securely.
This is a comprehensive topic in its own right, with the ICO’s website providing more in-depth guidelines.
Some key points to consider for companies obtaining customer data from trades shows:
Personal data for any purpose shouldn’t be kept for longer than needed for that purpose. This should work in tandem with your company’s data retention policy which should be readily accessible by users.
Data subjects should be able to request all records and correspondence the company holds on them via a SAR (subject access request).
This data must not be passed on to third parties without the explicit consent of the data subject unless required to fulfil an order.
This data needs to be held securely ideally through encrypting electronically devices where it is stored. In the case of paper trade show lead enquiry forms, these should be securely destroyed once they have been uploaded to your database. A failure to store data securely which leads to a breach of personal data has to be reported to the ICO within 72 hours to prevent a €10 million or 2% of global turnover fine depending on which is greater.
The GDPR regulations will massively change how business collect, store and process personal data. It’s effect on trade show marketing will be substantial, so you need to analyse your marketing approach and adapt your processes accordingly.
As a general overview, make sure you get clear and specific consent at trade shows, avoid spammy marketing practices and spend time mapping out how, why and where your data is stored and used and you won’t have the dreaded knock on the door from the ICO.
Still panicking? Check out these 12 steps to take now to prepare for the GDPR.