A question of scanning: Data sharing event style

Among the many different causes of anguish over the effects of the GDPR in the event industry* one of the biggest exists over the scanning of visitor badges for all manner of reasons including lead capture.
Despite what anyone thinks, whether they be lawyers or event organisers, this isn’t a linear issue. Debates over what constitutes compliant behaviour can quickly descend into frustrating ‘no compromise’ stand-offs as each party sticks to their selected position, a situation which adds nothing to the teams on the ground trying to do business.
In order to make this article as balanced as possible, I have sought out the advice of privacy experts, lawyers and the regulators/statutory authorities themselves. The opinions expressed are my own and I hope that they go some way to helping you create an appropriate strategy for your event.
Firstly, let’s look at what scanning is in the context of an event. Barcodes in the B2C sector have a singular use – to ensure that the entrant has a valid ticket to enter either the event as a whole or a certain area, or participate in a special event. For B2B the badge/barcode has multiple uses: to check who has entered the event; to record entry into different areas, such as seminar theatres; and to act as a virtual business card for lead retrieval by the exhibitors.
Starting with the latter. If you are of a certain vintage, you will remember when the greatest innovation in event technology was the arrival of the plastic badge wallet which you would stuff your business cards into. But you would always run out. So barcodes came along and marketers billed them as a convenient way to share details with exhibitors without the need for physical business cards. To understand further how embedded this is in the event environment now, it is worth looking at the German expo marketplace. In the late 90’s it was still not unusual for entry to B2B events at the large venues to be via anonymous tickets. Today the practice of barcoded badges on lanyards is ubiquitous here as well.
Right from the off then, visitors at B2B events should be in no doubt what the barcode on the badge is for. Not forgetting of course that a visitor is not forced to wear the badge, nor to have it scanned at any point other than entry. This suggests a system which is both accepted and expected by the data subject. An exhibitor cannot force a visitor to have their badge scanned, and those that engage in random ‘aisle surfing’ generally find themselves on the wrong side of the organiser or bemoaning the lack of response post event because they have targeted individuals who really aren’t interested in their products or services.
Post event, the organiser gives the exhibitor access to a data set consisting of those visitors who were voluntarily scanned by them. Responsibility for this data then becomes that of the exhibitor acting as the data controller.
That was the status quo. So what has changed post 25th May 2018, if anything?
Two out of three of the constituencies I have consulted said ‘nothing much’, a subset of the third said ‘everything’**. The big issue is consent: do you need it; is it valid; is it demonstrable. More fundamentally, does the sending of the data to the exhibitor constitute transfer, sharing or disclosure? And why does this matter?
If this is a transfer then it requires a clearly defined process because it is to a third party (article 13) and you are required to provide information about the recipients. In straightforward cases consent would work here (e.g. can I transfer your data to single company x or not), unless you are going to get your knickers in a twist about what constitutes consent. If you are adamant that the only way is via a mechanism where the proof can be whipped out and waved menacingly at someone then you are in for a lot of angst (and actually no one ever won any customer service points for being able to say ‘I’ve got the proof – so there’ to a customer). If you take the pragmatic view that an adult giving another adult their badge to scan is clear affirmative act then you will be sleeping much better at night. Ask a regulator and they will tell you that consent doesn’t need to be a tick box anyway and that voluntarily permitting your badge to be scanned is a pretty unambiguous and determined action on behalf of the data subject.
If we decide that this is sharing or disclosure, for further use as requested by the data subject then it could be argued that this is lawful in accordance with article 6(4) GDPR (not with consent but still lawful) or it would be lawful by being in the legitimate interests of all parties; these being the organiser, the exhibitor and the visitor. Remember what trade shows are for – the first two want to make money, the latter to save time and/or money or gain expertise which they get from the first two. A virtuous circle if ever there was one.
Let’s look again at the hard-line position that consent must be demonstrable (tick box), that it has to be collected at the point of registration (good luck on getting visitors to select and tick boxes next to every exhibitor at registration after completing 4 pages of demographics, not forgetting of course that exhibitors can be added right up until the doors open on day one). Add on to this that some individuals in the legal profession are adamant that this affirmative action cannot be over-written by the action of the delegate on the show floor (if you consider being scanned does not constitute demonstrable consent) then the event ecosystem of the last 20 years begins to seriously unravel and taking these actions under the guise of GDPR compliance represent a serious barrier to trade. Regulators across the EU are adamant that this can, and should, not be the case.
Where does this hard-line approach come from. It is the idea that the data set of visitors belongs to the organiser (they have forgotten that they are the curators already) and that any movement of this data which is out of their control represents a transfer which requires consent. The counter argument to this (given by a regulator) is that if the organiser considers that they must have absolute control of the data in this environment then they cannot allow the visitors to give the exhibitors business cards or write their details on paper either. Clearly this is ridiculous and unworkable – and in their words ‘so why the angst about an electronic means of transfer’. Also, if I was being particularly awkward, and I knew I had asked an exhibitor to send me information to the data I thought I had given them by allowing them to scan my badge and the organiser refused to share the data because I hadn’t ticked a relevant box somewhere between six months and three minutes ago, then I’m going to be asking why my right to data portability hasn’t been upheld. That’s the big fine box folks.
In defence of scanning – for GDPR there are some very clear benefits. The organiser can tell a visitor who their data has been shared with and in some cases the visitor can see this for themselves via an event app; they have sight of which exhibitors might be indulging in sharp practices and scanning in the aisles and can refuse to disclose the data; they can add contractual clauses that force exhibitors to consider data protection seriously. Take away the scanning and you remove these checks and balances.
If you have made it this far – well done for sticking with it. One last point to make.
I’m going to leave the last word to the regulators I have spoken to. They have emphasised that the key to all of this is transparency (not to be confused with consent). Tell the visitors what will happen if they permit an exhibitor to scan their badge. Tell them when they register. Tell them at the event. And tell the exhibitors to train their stand staff to be professional and diligent with those exciting little scanning machines.
Business (nearly) as usual.
* Remember, if you forget to pick up all the copies of your delegate list that’s careless, not criminal.
**prizes may be awarded if you can guess which one…