The new procedure for exchanging business cards under GDPR


I tried out this new approach at the end of a meeting yesterday, to see how it felt to follow GDPR when I exchanged business cards with new contacts:

Me: Under GDPR I have to inform you of my intention to store your contact data in my electronic address book.

Them: Oh yes?

Me: My address book is stored and synchronised across multiple devices including some in the UK but also via cloud infrastructure that may mean your data leaves the EU in order to be synchronised.

Me: The address book is protected on my phone by a passcode and thumbprint, on my computers using a password, but I cannot account for any encryption whilst in transit via synchronisation services. The data on my two computers is encrypted and cannot be accessed if the physical hardware were dismantled.

Me: Access to my personal address book is primarily by myself, but may also be synchronised to other services (such as LinkedIn) for my convenience. Third party services are believed to be GDPR compliant but I cannot provide an exhaustive list of such services and their GDPR policies verbally.

Me: Whilst I believe access to my personal address book is secure, my software does not log access by me or other automated services, nor would I easily know if unauthorised access has taken place. For the purposes of GDPR, I am the controller, and services like iCloud, LinkedIn and others are processors.

Me: My purpose in storing your contact data is to make phone calls, send emails or messages to remain in contact with you. I do not intend to add your contact details to any marketing database, nor use your data for any other purpose than day-to-day interaction with you.

Me: If you consent to the above statements, please sign and date this form which sets out the ways your data will be stored and the purposes for which it will be used, for my records under GDPR.

Them: WTF – are you serious?

Me: I must also inform you that your data will be stored by me indefinitely, or until I decide your contact details are no longer useful to me.

Me: Additionally, you have rights under GDPR, and I need to explain how you exercise them. For access to your data stored by me, to erase, correct or restrict, please email me and I will service your request.

Them: You cannot be serious.

Me: Under GDPR your contact data is sufficient to identify you as a living individual, and as I am collecting your data for professional rather than private purposes GDPR applies.

Them: Surely under GDPR holding each other’s contact details is lawful via Article 6(f) where the interests of both of us as controllers are more important than our own individual rights?

Me: Ahh, good point. That still doesn’t remove the need to provide service for your rights, and to explain the purposes to which I’ll use your data, but means I don’t need you to sign the consent form. As a firm with fewer than 250 employees we don’t need to keep records under Article 30 parts 1 and 2, which is a slight help.

Them: Thank goodness, let’s get on with our lives.