Exhibiting &
Event Topics
EXHIBITOR
Magazine
Find It
Marketplace
EXHIBITOR
LIVE
EXHIBITOR
Education Week
EXHIBITOR
eTrak
CTSM
Certification
EXHIBITOR
Insight
EXHIBITOR
Awards
News
Network
Advertise
With Us

March 2020
Table of Contents
EXHIBITOR Q & A
Sponsoring Versus Hosting
Should we host our own hospitality event or sponsor something already organized by the show?
Small Booths
How can I improve my chances of getting an appreciable return from a small booth?
ASK DAN
Asking for a Raise
How do I ask my boss for a well-deserved pay hike?
EXHIBITING 101
Five Tips for New Builds
Here are important - but often overlooked - items to consider when planning a new exhibit.
AMMUNITION
Ideas That Work
Hold the Phone, Auto Focus, Comfort Food, and more.
FIXING SNAFUS
Taking a Seat
What the boss wants, the boss gets. It didn't matter that it was never a part of our original plan.
VENUES
Washington State Convention Center
The Washington State Convention Center in Seattle stands in the heart of the Emerald City.
PORTFOLIO
Presentation Stations
Six examples of theaters that not only drew a crowd but also made a positive, on-brand impression in the process.
QUIZ
Weight a Minute
Try to guess the weight of these booths that, despite being light on the scales, left a heavy impact on attendees.
PHOTO GALLERY
Self Service
National Oilwell Varco Inc. built a booth designed to appeal to clients, prospects, and VIPs on a personal level.
ARCHIVE
By Land and by Sea
1904: An early form of augmented reality with a simulated voyage to Paris debuts at the Louisiana Purchase Exposition.
CASE STUDY
Gatorade Drinks Outside the Box
The Gatorade Company appeals to athletic influencers via a mix of gamification and education.
MANAGEMENT
Myth Buster
EXHIBITOR debunks six common misconceptions held by exhibit-marketing newbies.
INTERNATIONAL
A Quick Guide to General Data Protection Regulation
We sifted through the 88 pages of GDPR regulations to find the parts that pertain most to exhibitors.
PORTFOLIO
Belly Up!
Here are six examples of in-exhibit hospitality bars that offer form, function, and style straight up.
INSIGHT
Game Changer
Author Jim Gilmore predicts what the future holds for experiential marketing.
GLOBAL
International Exhibiting Guide: Paris
The least you need to know about exhibiting in Paris
International Exhibiting Guide: Abu Dhabi
The least you need to know about exhibiting in Abu Dhabi
International Exhibiting Guide: Buenos Aires
The least you need to know about exhibiting in Buenos Aires

Stay Informed
To be notified of new content from Exhibitor Magazine, please enter your e-mail address:
international
 
In effect since May 2018, Europe's General Data Protection Regulation (GDPR) is a sweeping change in privacy safeguards that focuses on how businesses gather and maintain the personal data of customers and prospects, with potential fines as high as $22 million – or 4 percent of a company's annual global revenues – levied on noncompliant organizations. If your company exhibits in areas covered by GDPR or even captures information at a U.S. event from attendees protected by the law, GDPR can alter everything from how you procure leads to how you market to those customers – and how your organization handles data breaches. (On a related note, the new California Consumer Privacy Act will likely change how many exhibitors collect CA residents' data.) To help you better understand this timely topic, we sifted through the 88 pages of dense regulations to find the parts that pertain most to exhibitors. Here then are 11 Q&As so you can navigate GDPR ASAP without issuing an SOS. By Charles Pappas
Who's protected by GDPR?
GDPR extends to citizens of the European Free Trade Association (EFTA), which includes the 27-member European Union (EU) as well as the countries of Iceland, Liechtenstein, and Norway. (Switzerland, while a member of the EFTA, is not under GDPR protection but is currently revising its own privacy rules, which may ultimately mirror GDPR's provisions in their scope and stringency.) Note that while the United Kingdom has withdrawn from the EU, the country's own 2018 Data Protection Act contains many provisions similar to GDPR and offers comparable privacy safeguards.

What information does GDPR cover?
The privacy regulation extends to personal information, meaning the kind of data that can potentially identify a given individual, such as first names and surnames, email addresses, phone numbers, and photos.

What if my company collects EFTA citizens' information at a show here in the United States? Do we have to treat it as if we collected it in a country protected by GDPR?
Possibly. This is a gray area, but it would be wise to extend a similar vigilance in shielding EFTA citizens' data even if you record it at a show in Milwaukee instead of Milan. While the criteria are complex, a safe interpretation of them would be to treat the data the same way as if you had collected it while exhibiting in a country covered by GDPR. Some of the relevant standards exhibitors can use to decide if they should treat the data in this manner include whether your company routinely does business with people from that country and/or if your company has a website with information and pricing in that country's language and currency. Again, if you have any doubts, the best default action would be to guard the information as if you had collected it in a GDPR-protected country.

How does this change the way I should acquire attendees' information and permission?
When you collect information from those shielded by GDPR, you must also record their specific agreement for you to use that data. Moreover, exhibitors should probably employ electronic, rather than written, means (e.g., automated lead-management systems versus paper forms) to ensure consistency and privacy protections that analog methods might not offer to the same degree.

What should I tell attendees about how my company will be using their information?
You need to explain to them in a comprehensive yet understandable way how you will use the data you're collecting. For example, you must make clear that you plan to employ it for, say, advertisements, general mailings, or perhaps surveys and research. Whatever you use the information for, however, spell it out as precisely as possible to better secure their informed approval. A best practice here may be to offer separate checkboxes for each distinct projected application of their data so that there is as little ambiguity as possible about to what they are consenting.

How many times do I need to get attendees' permission to use their information?
At least twice. The first time would be the initial recording of their information when they come into the exhibit. The second time must occur within 30 days after that original encounter. Ideally, this second opt-in would consist of a follow-up email that allows you to thereby keep an accurate electronic paper trail of any interaction. A best practice in this regard would be explaining to them that they recently filled out a form in your booth at a specific location and time – for instance, at Mobile World Congress on Monday, Feb. 24, 2020. That communication should also remind them that you cannot use their information without them providing their express consent a second time. This message should again include an explanation of how their information will be used.

After I get attendees' consent to use their personal information the second time, am I ever required to obtain it again?
Yes, but only if you add to or alter the ways in which their information will be used. For example, if you indicated in the two previous mandatory contacts that you were using their data for internal research or an informative newsletter but later decided to send them advertisements for your products or services, you would have to connect with them again and explain that you are required to get their consent for this new use of their information.

Can I share their information with a third party?
Yes. However, you must disclose this during the mandatory opt-in stages along with any other intended uses for their information. If you decide to share the information with a third party after the customers' or prospects' first two opt-ins, then you must alert them of that as well and acquire their permission for such use prior to doing so. Note that at any time they can withdraw their consent to share their data with that third party. In that circumstance, these third parties must stop using the data and remove it if those customers or prospects request to have their information deleted.

Do I have to send customers or prospects their information if they ask for it?
Yes. Anyone whose data you've collected can at any time ask you to send it to them in a digital format so that they can see exactly what info you've collected.

Am I required to delete all of a customer's or prospect's information if he or she asks me to?
Yes. Your company is required to erase personal data (again, information that could identify individuals, such as first names and surnames, email addresses, phone numbers, and photos) if the owners of that data ask you to. There is, however, an important exception to this. Your company cannot erase records of any financial transactions involving individuals because such data would be necessary for future auditing or taxation purposes.

What happens if our computer system is hacked, thereby exposing the information we've collected from attendees?
Any such security breach, whether caused by hackers or by an internal accident, must be reported to those affected within 72 hours. For GDPR purposes, a breach is defined as any incident that leads to the accidental or unlawful loss, destruction, alteration, or even unauthorized disclosure of – or access to – an individual's personal data.

Private Parts
To avoid potentially hefty fines for violating General Data Protection Regulation guidelines, use this quick checklist to make sure you're following this strict privacy law as closely as possible.


Did I collect attendees' information using an electronic system that keeps their data secure?

Did I clearly explain how their personal information will be used?

Did I record their consent to use their personal information?

Did I get their consent again within 30 days to use that personal information?

Did I contact them again for their consent if my company changed how it plans to use their personal information?

Am I prepared to delete customers' personal information at their request?

Am I prepared to report any security breach of personal data to those affected within 72 hours?

Join the EXHIBITOR Community Search the Site
TOPICS
Measurement & Budgeting
Planning & Execution
Marketing & Promotion
Events & Venues
Personal & Career
Exhibits & Experiences
International Exhibiting
Resources for Rookies
Research & Resources
MAGAZINE
Subscribe Today!
Renew Subscription
Update Address
Digital Downloads
Newsletters
Advertise
FIND IT
Exhibit & Display Producers
Products & Services
All Companies
Get Listed
EXHIBITORLIVE
Sessions
Certification
Exhibit Hall
Exhibit at the Show
Registration
ETRAK
Sessions
Certification
F.A.Q.
Registration
EDUCATION WEEK
Overview
Sessions
Hotel
Registration
CERTIFICATION
The Program
Steps to Certification
Faculty and Staff
Enroll in CTSM
Submit Quiz Answers
My CTSM
AWARDS
Sizzle Awards
Exhibit Design Awards
Portable/Modular Awards
Corporate Event Awards
Centers of Excellence
NEWS
Associations/Press
Awards
Company News
International
New Products
People
Shows & Events
Venues & Destinations
EXHIBITOR News
© Exhibitor Group | The Leader in Trade Show and Corporate Event Marketing Education PO Box 5996, Rochester, MN 55903-5996 | (507) 289-6556 | Need Help? Ask Scott