Data drives the exhibitions industry.
We can all accept that data has been core to the development of today's exhibition industry. Whether that data is for visitors or exhibitors, it is the asset that can be mined to generate revenue. However, under the GDPR that will be enforced in May 2018, the exhibition industry's relationship with data will have to change.
We have touched upon the GDPR in other blogs and we have produced a guide to the GDPR for the events industry, downloadable here, but we haven't really looked at the effect it will have on how the industry works after May 2018.
In simple terms, practices will have to change. The rights of the individual whose data, either B2B or B2C, is collected for the purposes of sales and marketing have been expanded and strengthened. Those rights are explained in our blog “The 8 rights under the GDPR” but the way the data is collected and used has become clearer. When requesting data, there is a strict set of legal requirements in the GDPR that stipulate what has to be explained to the individual, why you are collecting the data, what it will be used for and how long the data will be kept. You also need to explain how the individual can ask to see that data, how they can amend that data and how they can have that data permanently deleted from you records. All of this needs to be presented to the individual when they are asked to fill out a form, submit information, etc. Simply providing personal information at the time of purchase does not imply permission for marketing of any other service or product than the one they bought.
You may see where this is leading. Someone buying a stand at a show has not given permission for any other marketing or sales to be directed at them by the simple act of ordering the stand. The data collected is purely for the purpose of providing the stand or space itself, and that data cannot be shared or used by anyone else for their marketing purposes without the individual’s express permission or it is a breach of the GDPR.
Raising a complaint against a company for misuse of data may elicit some eye watering fines and, in all likelihood, the Information Commissioner's Office (ICO) will target the larger organisations first. But the ICO must deal with all complaints made, so they will eventually get around to smaller breaches of the regulations.
Email marketing is likely to be one of the areas where it is easiest to breach the GDPR, from spam emails to those that are carefully targeted - unless evidence can be produced that permission has been granted by the recipient for the sending of the marketing email, it will breach the GDPR. Breaches can be reported to the ICO and they will be, when those who are receiving unwanted emails, become aware of the regulations themselves and their new rights.
The most alarming risk for anyone with a website, especially one that captures data online, is the privacy and data policies are required to be displayed in specific places on the website. Unlike other potential breaches, these can be reported by anyone and the ICO will easily be able to investigate. Reporting these breaches can even be done anonymously as individuals will argue that they should not have to submit data to a non-compliant organisation in order to complain about the lack of a compliant privacy policy.
It probably won't attract the huge fines applied for data breaches, it's more likely to be a lot of paperwork and a smaller fine that will dent the cash flow of many organisations. A £10,000 fine or an ICO investigation could cause just as much trouble for an SME as a €20,000,000 fine.
If this all sounds like doom and gloom, we have been working with Henry Herbert of specialist data protection consultancy Herbert and Ball, with whom we recently ran a well attended webinar for members of the Event Supplier & Services Association (ESSA). That webinar prompted a number of questions, from which we have developed an FAQ document.
Comments