Who's protected by GDPR?
GDPR extends to citizens of the European Free Trade Association (EFTA), which includes the 27-member European Union (EU) as well as the countries of Iceland, Liechtenstein, and Norway. (Switzerland, while a member of the EFTA, is not under GDPR protection but is currently revising its own privacy rules, which may ultimately mirror GDPR's provisions in their scope and stringency.) Note that while the United Kingdom has withdrawn from the EU, the country's own 2018 Data Protection Act contains many provisions similar to GDPR and offers comparable privacy safeguards.

What information does GDPR cover?
The privacy regulation extends to personal information, meaning the kind of data that can potentially identify a given individual, such as first names and surnames, email addresses, phone numbers, and photos.

What if my company collects EFTA citizens' information at a show here in the United States? Do we have to treat it as if we collected it in a country protected by GDPR?
Possibly. This is a gray area, but it would be wise to extend a similar vigilance in shielding EFTA citizens' data even if you record it at a show in Milwaukee instead of Milan. While the criteria are complex, a safe interpretation of them would be to treat the data the same way as if you had collected it while exhibiting in a country covered by GDPR. Some of the relevant standards exhibitors can use to decide if they should treat the data in this manner include whether your company routinely does business with people from that country and/or if your company has a website with information and pricing in that country's language and currency. Again, if you have any doubts, the best default action would be to guard the information as if you had collected it in a GDPR-protected country.

How does this change the way I should acquire attendees' information and permission?
When you collect information from those shielded by GDPR, you must also record their specific agreement for you to use that data. Moreover, exhibitors should probably employ electronic, rather than written, means (e.g., automated lead-management systems versus paper forms) to ensure consistency and privacy protections that analog methods might not offer to the same degree.

What should I tell attendees about how my company will be using their information?
You need to explain to them in a comprehensive yet understandable way how you will use the data you're collecting. For example, you must make clear that you plan to employ it for, say, advertisements, general mailings, or perhaps surveys and research. Whatever you use the information for, however, spell it out as precisely as possible to better secure their informed approval. A best practice here may be to offer separate checkboxes for each distinct projected application of their data so that there is as little ambiguity as possible about to what they are consenting.

How many times do I need to get attendees' permission to use their information?
At least twice. The first time would be the initial recording of their information when they come into the exhibit. The second time must occur within 30 days after that original encounter. Ideally, this second opt-in would consist of a follow-up email that allows you to thereby keep an accurate electronic paper trail of any interaction. A best practice in this regard would be explaining to them that they recently filled out a form in your booth at a specific location and time – for instance, at Mobile World Congress on Monday, Feb. 24, 2020. That communication should also remind them that you cannot use their information without them providing their express consent a second time. This message should again include an explanation of how their information will be used.

After I get attendees' consent to use their personal information the second time, am I ever required to obtain it again?
Yes, but only if you add to or alter the ways in which their information will be used. For example, if you indicated in the two previous mandatory contacts that you were using their data for internal research or an informative newsletter but later decided to send them advertisements for your products or services, you would have to connect with them again and explain that you are required to get their consent for this new use of their information.

Can I share their information with a third party?
Yes. However, you must disclose this during the mandatory opt-in stages along with any other intended uses for their information. If you decide to share the information with a third party after the customers' or prospects' first two opt-ins, then you must alert them of that as well and acquire their permission for such use prior to doing so. Note that at any time they can withdraw their consent to share their data with that third party. In that circumstance, these third parties must stop using the data and remove it if those customers or prospects request to have their information deleted.

Do I have to send customers or prospects their information if they ask for it?
Yes. Anyone whose data you've collected can at any time ask you to send it to them in a digital format so that they can see exactly what info you've collected.

Am I required to delete all of a customer's or prospect's information if he or she asks me to?
Yes. Your company is required to erase personal data (again, information that could identify individuals, such as first names and surnames, email addresses, phone numbers, and photos) if the owners of that data ask you to. There is, however, an important exception to this. Your company cannot erase records of any financial transactions involving individuals because such data would be necessary for future auditing or taxation purposes.

What happens if our computer system is hacked, thereby exposing the information we've collected from attendees?
Any such security breach, whether caused by hackers or by an internal accident, must be reported to those affected within 72 hours. For GDPR purposes, a breach is defined as any incident that leads to the accidental or unlawful loss, destruction, alteration, or even unauthorized disclosure of – or access to – an individual's personal data.