The moment she said what she said, I groaned inwardly and thought “Oh my God”.

But what was the problem? What did she say? Where was I?

Are you sitting comfortably? Then I’ll begin…

A few weeks ago, I went to a hotel to attend a breakfast briefing session on the subject of ‘GDPR’. GDPR stands for the General Data Protection Regulations, a new set of EU Data Protection regulations all businesses have to comply with by 25 May next year (no, Brexit won’t get you out of having to comply). The talk was delivered by a consultant who covered the new restrictions on what you could and couldn’t do with people’s data.

Part way through her presentation, she looked up from her notes and addressed the audience directly. “If you all look in front of you”, she said, “you should each have my business card”. Sure enough, each place setting had her business card, face up.

“If you now all turn over my cards”, she continued, “you will see I have signed and dated each one. That is my permission for you to record my contact details on your database.” – and yes, when I turned over her business card, there was her signature with the date next to it.

The moment she said what she said, I groaned inwardly and thought “Oh my God”.

Some businesses, she went on to say, were having their business cards reprinted. These new cards would contain a check-box that could be ticked to indicate the owner was happy to have his details recorded on file by the person he gave the card to.

The idea of going to a networking event or trade show and seeing people sign their business cards before handing them over to each other is ridiculous. And that’s because it is.

As part of GDPR you have to justify your reasons for processing data (which includes storing it too). GDPR comes with a set of pre-defined reasons that you can use, as follows:

  1. Consent of the data subject
  2. Creation or performance of a contract
  3. Compliance with a legal obligation
  4. Protecting the vital interests of a data subject or another person
  5. Performance of a task carried out in the public interest
  6. Legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

[some amendments made to the above for clarity]

Although consent is clearly an important reason, item 6 refers to ‘legitimate interests pursued by the controller [the recipient of the business card]’. If you record business card details on to your contacts database for no other reason than to have a list of people you might call on for services in future (an electronic Filofax, if you will), that is a legitimate interest for which consent isn’t needed. I’d also be safe in saying that it would not be ‘overridden by the interests, rights or freedoms of the data subject’ as the remainder of item 6 states.

The worrying thing from this anecdote was that a number of people clearly bought into this with the usual tut-tutting about crazy Government regulation and a world gone mad. Understandably, when people attend events like this, the expectation is that the speaker knows more about the subject than you. Sadly, this is not always the case.

My advice? Read the regulations for yourself, think about the processes you go through in your businesses, make your own decisions on how GDPR will affect you and ask questions. You might find your workload is not as great as you think.

As for the rest of the event, the food was great and the company better. I met some great contacts in fields such as Local Government, Data Archiving, Financial Services and Construction and engaged in some lively debate about the regulations.

Yes, we did exchange business cards.

No, we didn’t sign them.

Tony Fleming is a freelance IT project manager. To understand more about GDPR, how he can help you make your business GDPR ready or support you with your project delivery, contact him at