Do the New European Data Protection Regulations Spell the End of the Business Card?


Ok, the title of this blog sounds bizarre and extreme, but let’s think about it for a while. What are business cards used for?

As a marketing person (for a business to business product) you go to a trade show and talk to people about your product, and you come back with a pile of business cards from people you talked to. Once collected, you enter the information on the card into a database to include them on your next mailer, or pass them on to the lead management team.


Let’s look at that from the viewpoint of the new European General Data Protection Regulations (GDPR)

  1. Each individual who gave you a business card is a data subject:
    • ‘data subject’ means an identified natural person or a natural person
  2. The information on their business card was personal data:
    • ‘personal data’ means any information relating to a data subject;

In particular, the information on their business card is exactly the information needed to identify them, distinguish them from other people, and contact them.

The problem I see involves consent. The regulation says:

“Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”

If you collected a business card at a trade show and use that to send them an announcement of a new product release or webinar, was that the specific and explicit purpose for which they gave it to you? Perhaps they have a problem and they wanted you to help fix it; maybe they expected a direct phone call and not continual marketing notifications; or perhaps they just wanted to win the booth prize and are not interested in your products and services at all.

Legally, a bigger problem might be proving the intent for which the card was given. A business card only carries personal data; it does not carry the intent for which is was given or consent for all the possible ways in which the personal data can be used.

Taken to its logical conclusion, maybe we need to dump all of our business cards and stop collecting them. If they are not accompanied by a written document stating how the information can be used, then they are almost useless—at least from a marketing perspective.

Or maybe on the back of every business card should be written: “I give consent for this information to be used for the purpose of:

  1. _______________.
  2. _______________.
  3. _______________.

Possibly I’m reacting to shadows. People who give out business cards are clearly trying to promote rather than reduce other people contacting them. And one could assume that giving the business card is implied consent. If nobody ever complains about misuse of a business card then interpreting the applicability of regulations to them will be a moot point. But I can see it happening. If I gave my business card to “Joe” who was working for company “A” to help trouble-shoot a problem, and Joe moves to company “B” and starts calling to sell me completely different things I didn’t ask for or want, then I just might complain to somebody.

If you have a database of contacts, you might want to consider adding a field for “Consented to communication for the purpose of:” At least then you will have something to check before you reach out and evidence that your organization is trying to respect people’s privacy.

Leave a Reply