Goldfish bowls, identity theft and data protection

You might win the latest bit of kit. Or dinner for two. Perhaps a weekend break or even a big holiday. Have you ever been to a show and dropped your business card into a goldfish bowl that’s sitting on one of the stands, usually next to one containing boiled sweets? Or have you added your card to those collecting at the bottom of a goldfish bowl on a café counter?

I say goldfish bowl, because that’s what it often is, although for a mere £12.95 you can buy a very professional-looking ‘acrylic business card bowl’ on Amazon (and can I just make it ‘clear’ that this is not an affiliate link so if you’re moved to click and purchase I won’t profit). Of course, it could be a box or a bowl or indeed a small bin, but if it’s a transparent receptacle (bear with me, here) that’s a strategic decision on the part of exhibitor or café-owner. It’s the same as tip jars. If you see someone else has tossed their coins in you’re more likely to do the same. No one likes to be the first and there’s safety in numbers.

But is there? A transparent receptacle means that any passing visitor or a customer ordering a cappucchino has access to your card. Fraud Risk Management Consultant and Chair of Fraud Women’s Network, Toni Sless, recently asked me to consider the implications of this in terms of identity theft. It hadn’t even occurred to me. Think about the information that’s on it. There’s your name, obviously, plus your job title, phone number, email address, employer’s address and if you happen to be self-employed that might even be your home address. It’s commonly held that a fraudster needs just three pieces of information to steal your identity: your name, address and date of birth. That information, or the information that will enable someone to dig up that information, is on your business card.

So there’s that, but what really got me thinking about the dangers of goldfish bowls, and the real point of this post, was GDPR. One of the central tenets of GDPR is active consent. When you chuck your card into a bowl, do you know how your data is going to be stored and handled? Are you really giving active consent and, if so, to what?

OK, when you entered a prize draw you knew it was a list-building exercise and, let’s be honest, in most instances you probably didn’t read the terms and conditions of the draw, even if there were any, but now GDPR is in play it feels as if the ante has been upped. If you give someone your business card, I think you can expect that they might get in touch to pass on some relevant information or follow up a conversation you were having, but are you giving them your express permission to send you direct marketing materials? I don’t think so.

When they take your card and slip it into their pocket, if they know they intend to use your details for direct marketing purposes, then they should tell you there and then. Yes, they can claim legitimate interest, but although emailing you might be in their legitimate interest, is it in yours? They certainly need to take care that they don’t infringe your privacy rights, but of course the same applies to you when you take your new contact’s card in return. And remember, the fines for breaching GDPR can be quite hefty.

It all seems rather tricky to me. Could this be the end of business cards as we know them? I hope not, because I have to confess I still get a bit of a kick when I see my name and the name of the company I founded on mine. But anyway, as you know I am a prize promotions specialist not a lawyer, so I thought I’d see whether the Information Commissioner’s Office has anything to say about business cards – and indeed it does, so here it is:

“The GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (for example, initials.lastname@company.com), the GDPR will apply. The GDPR only applies to loose business cards if you intend to file them or input the details into a computer system.”

OK, quite helpful, but you know what else are you going to do with a business card but file it or input the details on your computer? Guess you’ll just have to leave them gathering dust in the goldfish bowl then…

Sarah Burns is Prizeology’s Chief Prizeologist and a National Trading Standards Scams Team Scambassador. 

© Prizeology and The Prizeologist Blog, 2018. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited.

SHARE THIS ARTICLE:

FOUND THIS POST USEFUL?
YOU’LL LIKE THIS, TOO

Women’s World Cup promotions

Women’s World Cup promotions This year is World Cup year. However, I’m aware that there are World Cups in many sports so, to clarify, it’s a football World Cup year and, should further clarity b...

READ MORE >