In addition to his duties as Executive Vice President of Sales & Business Development, Chris Eisenberg serves as Bartizan Connects’ in-house attorney specializing in Data Compliance. Chris advises companies on how to navigate the new data protection and privacy laws to ensure that they are compliant.
GDPR: A Trade Show Perspective
As most of you know from the countless reminders online, the GDPR is the focus of much concern in the trade show industry.
What is the GDPR and why is it relevant to you? The General Data Protection Regulation is a regulation in the EU law on data protection and privacy. The aim of the GDPR is to give more protection to an individual’s data in the digital age. In the trade show industry, the focus will be on the collection and processing of attendee data. And yes, even if you are a U.S. company, this regulation will likely affect you.
If you do business with a company based in the EU or would like to in the future, this regulation will directly affect you. And even if you don’t do business in the EU, if you do business with a company that does business in the EU, this will likely affect you as well.
The GDPR regulations can be broken down into two main categories: Privacy and Data Protection/Security.
The privacy section of the GDPR covers how a company who has legally obtained access to an individual’s data handles that information.
The data protection/security section of the GDPR covers how a company who has legally obtained access to an individual’s data protects that data from others.
To begin with, there must be a lawful basis for processing an individual’s data. That basis may be the performance of a contract, compliance with a legal obligation, another legitimate interest, or the individual’s consent.
Let’s look at consent for a moment. The GDPR states that the consent must be explicit for both the data being collected and the purposes the data will be used for. So, when an attendee registers for an event, the show producer must be explicit about what data is being collected and how it will be used, and the attendee must explicitly consent. If the attendee does not explicitly consent, they are deemed to have opted out of their data being collected. The attendee can also opt out at a later date.
The consent issue is a key one for Bartizan, as our lead retrieval and session tracking apps were created to capture an attendee’s data, with their consent, of course. So, this is something that we have worked closely with our show producers in the EU on. Here’s what we recommend:
- The attendee is told, during the registration process, that their data will be collected by exhibitors for the purpose of marketing/selling their product to the attendee. It may also be collected by the show producer to track sessions and award CEU/CME credits. The attendee must explicitly consent to this.
- If the attendee does not explicitly consent, they are assumed to have opted out. If they do not consent, the barcode on the badge will reflect this.
- Signage in the exhibit hall will remind attendees that if they allow their badges to be scanned, exhibitors will collect data.
- If the attendee allows their badge to be scanned by an exhibitor or to enter a session after being informed of what it is being used for, then this is the explicit and knowing consent that the GDPR requires.
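The procedure above amounts to a purpose-specific consent check at scan time, a processing log that can answer an access request, and an erasure path. The following is an added illustration of that flow in Python; it is not Bartizan’s lead retrieval code, and the badge payload format (“ID|flags”, where the flags after the bar are the hypothetical purpose codes M for exhibitor marketing and S for session tracking/CEU) and the attendee records are constructed for the example.

```python
"""Consent-gated badge scanning (illustration only, not Bartizan's software).

Hypothetical badge payload: "<attendee id>|<consent flags>", e.g.
  "A1001|MS"  consented to exhibitor marketing (M) and session tracking (S)
  "A1002|"    opted out of both
  "A1003|S"   consented to session tracking only
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Purpose(Enum):
    """Purposes the attendee is asked to consent to at registration (hypothetical codes)."""
    MARKETING = "M"          # exhibitor scans the badge to market/sell to the attendee
    SESSION_TRACKING = "S"   # show producer scans the badge at a session door for CEU/CME credit


@dataclass(frozen=True)
class Badge:
    attendee_id: str
    consented: frozenset   # set of Purpose values encoded on the badge


def parse_badge(payload: str) -> Badge:
    """Decode the constructed 'ID|flags' payload; a missing bar is treated as malformed."""
    attendee_id, sep, flags = payload.partition("|")
    if not attendee_id or not sep:
        raise ValueError(f"malformed badge payload: {payload!r}")
    consented = frozenset(p for p in Purpose if p.value in flags)
    return Badge(attendee_id, consented)


class AttendeeStore:
    """In-memory stand-in for the registration database plus a processing log."""

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = {k: dict(v) for k, v in records.items()}
        # (attendee id, purpose, who processed the data) -- answers a right-of-access request
        self._log: List[Tuple[str, Purpose, str]] = []

    def scan(self, payload: str, purpose: Purpose, scanner: str) -> Optional[Dict[str, str]]:
        """Return the attendee record only if the badge carries consent for this purpose."""
        badge = parse_badge(payload)
        if purpose not in badge.consented:
            return None                      # opted out: nothing is captured or logged
        record = self._records.get(badge.attendee_id)
        if record is None:
            return None                      # already erased: the badge alone yields nothing
        self._log.append((badge.attendee_id, purpose, scanner))
        return dict(record)

    def access_request(self, attendee_id: str) -> Optional[dict]:
        """Right of access: the stored data and every processing event for this attendee."""
        record = self._records.get(attendee_id)
        if record is None:
            return None
        processing = [(p.name, who) for a, p, who in self._log if a == attendee_id]
        return {"data": dict(record), "processing": processing}

    def erase(self, attendee_id: str) -> bool:
        """Right of erasure: drop the record and its log entries; True if anything was removed."""
        existed = self._records.pop(attendee_id, None) is not None
        self._log = [e for e in self._log if e[0] != attendee_id]
        return existed


# Constructed sample attendees (not real people).
ATTENDEES = {
    "A1001": {"name": "Attendee One", "email": "one@example.com"},
    "A1002": {"name": "Attendee Two", "email": "two@example.com"},
    "A1003": {"name": "Attendee Three", "email": "three@example.com"},
}


def demo() -> dict:
    """Walk the consent, access and erasure steps and return each outcome."""
    store = AttendeeStore(ATTENDEES)
    r = {}
    r["exhibitor_scan_with_consent"] = store.scan("A1001|MS", Purpose.MARKETING, "booth-42")
    r["exhibitor_scan_opted_out"] = store.scan("A1002|", Purpose.MARKETING, "booth-42")
    r["exhibitor_scan_session_only"] = store.scan("A1003|S", Purpose.MARKETING, "booth-42")
    r["session_scan_session_only"] = store.scan("A1003|S", Purpose.SESSION_TRACKING, "room-B")
    r["access_before_erasure"] = store.access_request("A1001")
    r["erased"] = store.erase("A1001")
    r["scan_after_erasure"] = store.scan("A1001|MS", Purpose.MARKETING, "booth-7")
    r["access_after_erasure"] = store.access_request("A1001")
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point of keeping the purpose on the badge rather than only in the database is that an exhibitor’s scanner can refuse to capture an opted-out attendee even when it is offline; the server-side check on the record is what makes erasure stick afterwards.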
An individual also has several other important privacy rights. They have the RIGHT OF ACCESS, which gives them access to their data and to see how it is being processed. They also have the RIGHT OF ERASURE, which allows them to request that their data be removed. If there is a data breach, the individual must be notified within 72 hours of the data breach.
Data Protection/Security
The GDPR speaks of Data Protection by Design and Default. Data protection should be designed into the business process, program or app so that the data protection is there by default.
In analyzing data protection, I find that article 32 of the GDPR is also very important to consider. Article 32 states, in part: "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk." So, the level of security will be much greater for data that contains credit card numbers or social security numbers than it would for data that just contains name, email address and phone number.
So what is required? Encryption of the data would seem to be the very minimum required, with both the encryption key and the data in the control of the data owner only.
Beyond that, it will depend on a variety of factors, including the type of data, as discussed above, and how the data is being used. And, as hackers discover new ways of stealing data, new countermeasures will be required by the GDPR as well.
Securing attendee data will be a dynamic, evolving field and GDPR requirements will evolve as the technology evolves.
Perhaps as a way to help companies keep up with this, the GDPR also requires data governance to supervise the use and protection of the data within each company. This data governance can range from an internal Information Governance (IG) team to a dedicated Data Protection Officer whose sole job is to monitor the use and protection of the data.
The GDPR goes into law on May 25th. And even if you aren’t doing business in the EU, it’s very likely that similar laws will pass in the US eventually, as well they should, since the protection and privacy of our data will remain important to all of us.