Remember that time your inbox flooded with emails and ended up reading like a desperate ex? Yep, good old GDPR. Do you know we are nearly two years into this regime and still there are businesses who haven’t grasped the GDPR nettle – it’s too scary. Unfortunately, there’s no escaping it. It’s relevant whether you’re planning on operating a signup list or just whether you have a website, so we thought we’d give you the heads up on how it affects you over the fair weekend and beyond. We asked Heather of Stanford Gould Legal - the ‘legal fairy godmother to the wedding industry’ - where we stand!

Coming to exhibit? Here’s what you need to know about the information you collect…

You come to network, right? Collect cards and names? Possible customers? Possible suppliers? Investigate interesting quirky delivery from interesting quirky people, who you might not need or want daily, but you’ll hold on to that information, just in case…and, obviously, hopefully they’ll do the same with your cards and business info.

So what can you keep, what can you do with the stuff you collect? This information about your customers and contacts all counts as personal data (see here for that definition), even if it’s just an email address and a telephone number. You may also hold special category personal data (see link for that definition) if you hold information about your customer’s sexual orientation or disability needs, for example. How is best kept and recorded? How do you ensure that you use it compliantly and within the limits of GDPR?

There are 6 bases for lawfully processing personal data and the three most relevant for you are:

1. If you have a contract to deliver goods and services – so this covers anyone contacting you to enquire about your products or services, you can legitimately process their personal data ( that means email them, call them, write to them…) and tell them what you have and what you do, and the price! Consent is not relevant here. If they ask about what you do, you can tell them. What you cannot do is then automatically add them to a database and start sending them all sorts of offers, newsletters and other sales info which us generic and not specifically requested – UNLESS they have given consent. Which leads us nicely into….

2. Consent – here’s the reason why that tsunami of emails appeared in your inbox in the last week of May 2018…. Consent must be freely given and active – that means someone must do something to show consent – it cannot be assumed or implied. Tick a box, sign a form, press a button – but show that they have actively agreed to receive your information and link this to the relevant page of your website by asking them to view the terms of your privacy policy at the point that they give that consent.

3. Legitimate business interest: the catch-all provision. As long as you can say that your processing was for a legitimate business interest, you can process the data when you are not yet selling goods or service to the client and you do not have clear consent. BUT you must be able to justify this if challenged. A good way to view this would be if you received a business card or a contact number whist at a network event and you followed this up with an email to introduce your business or a product – that’s probably justifiable as legitimate interest. Adding them to your database and sending them your regular monthly newsletter or special offers and discounts every time you have a sales push is definitely NOT legitimate interest. If you want to do that, your initial email needs to include an option for them to actively opt in to that receipt. If they don’t do this, you shouldn’t follow up. If you do, be prepared to have a very good reason to justify that action.

So, what’s your action list for the fair?

Before you attend

Is your website GDPR compliant? – Do you have a good privacy policy which is GDPR complaint and a ‘contact us’ page that allows the customer to opt in to receive information and offers from you with a clear consent box to tick (not pre populated….) to ensure that active and informed consent is given?

If you need help with this you could view our GDPR starter pack which includes template, privacy policy and a guide to help you.

Are your T and C’s up to date and do they include a clause about your obligations as a data controller and or data processor. (and do you even know what that means?!) Read on for help on that.

Do you use Mailchimp? That platform processes personal data out of the EU so your Privacy Policy needs to reflect this. You may use other platforms or IT services (a virtual PA for example?) based out of the EU and again this must be declared to your customers or website viewers in your Privacy Policy or Notice.

If you don’t have a website a shortened privacy statement in the footer of your email is advised. (Get in touch if you need some wording for this) This is how you tell people what you are doing with personal data if you have no website to drop a privacy policy onto.

At the event

How are you going to collect the data from these new customers/clients/contacts?

Collecting business cards, with telephone and email details?

Get them to sign a sheet which includes not only their contact details but a box to tick to opt in to receive your discounts, offers and emails or newsletters is ideal – can that work practically at the event you are going to? Can you offer an incentive to sign up? A prize draw? A discount code? Don’t make the prize too fabulous – you don’t want to be caught out by the Bribery Act, but a small gift or voucher is perfect, low value and an interesting relevant product.

Can you make this electronic? – Lots of exhibitors now use iPad and phones to get customers to part with their contact details – does this process include a clear consent box to tick or agree with options?

You will also need the evidence of the consent for later if there is a question about whether they gave that consent and how from the client or the ICO (the ‘data police’ for enforcement purposes…)

Be clear about what you are going to send them and perhaps how often this contact will be. It sets the expectations.

A NOTE FROM MOST CURIOUS: There’s a well-known scam that goes round every year, emailing our exhibitor list offering the “contact list of all attendees” to you. This is NOT REAL. We do send you a list of our attendees who agreed to have their emails passed on, but this will come from us, not a random account.

After the event

Once you get that box of cards or list of emails home – how do you follow them up? Social media invites – should all be covered by the GDPR and privacy policies of the various social media platforms so probably you are ok to do this, without any additional consent. But make it worthwhile – a connection just to have more followers who are entirely disinterested in your business is pointless.

A short email – ‘thanks for meeting with us .. here’s our site, please sign up for your offers/news etc’ could be easily classed a legitimate business interest – NOTE: this means 1 email – not 10, when the first 9 are ignored.….

If they do come back and seek your services, you have a basis for processing. If they come back and consent to be on your mailing list, add them to the database if you hear nothing more – no follow up is really acceptable unless you can show a legitimate interest – document this!! Have proof if you are challenged that you have thought it through.

When they buy from you!

Yay! If they become a client make sure you get T and C’s or a client contract to them to set out the contractual basis for delivering your goods and services to them. In your terms you should remind them of your privacy policy and the basis for processing and retaining their data is – get this added to your T and C’s now.

It’s called layering – telling the client at lots of different points in the customer experience what you are doing with their data and reminding them of the options. If you need help with your T and C’s try our templates…

Anyone who is on your data base legitimately - either having given a clear consent since May 2018 – or (…and this is important) who consented under the previous regime which required very little to evidence this agreement, can continue to receive your mail chimp or other emails or electronic communications and sales info. Please ensure there is a clear opt out or unsubscribe option for them, that is easy to use and doesn’t involve multiple tasks or clicks.

Any questions about GDPR, contracts or legal issues generally we would be happy to help. You can find us at

www.stanfordgould.co.uk | www.stanfordgouldonline.co.uk | Facebook | Twitter | LinkedIn

Having worked in the wedding sector in recent years, with every possible sort of service provider from DJs to florists, wedding coordinators to venue stylists, I have been called ‘the legal fairy godmother to the wedding industry’.

I usually provide bespoke legal and contractual advice and services to wedding professionals and other small businesses through our sister company Stanford Gould limited. Stanford Gould Online was born from a wish to provide a simple, cost effective ‘first port of call’ to new and start-up businesses requiring terms and conditions to start operating as professionally as possible.

Qualifying as a solicitor in 1992, I spent the next 20 years working in private practice, local government and legal recruitment. Having also run a law firm as Managing Partner and been Operations & Business Manager within an SME, this combined experience means I have first-hand knowledge of the various demands and pressures of running a business.

I now run my own micro businesses from my home office with all the pressures, joys and challenges that working solo can bring.

I also indulge myself with my husband and two teenagers, a personal trainer, an active participation in singing and pottery, with a love of funk and soul music and great food and drink. We have a busy household!