Rosenblatt

GDPR – what about business cards?

31st May 2018

Clock is ticking towards rollout of EU’s landscape-shifting data protection and privacy law.

Time and tide wait for no man. And nor does GDPR.

Business leaders take note: the countdown is almost over. On 25 May 2018 the much vaunted and much daunted General Data Protection Regulation (GDPR) will be rolled out across the European Union. It will shift the data protection and privacy landscape for any business that controls or processes personal data. In practice that means each and every business must get its data house in order.

We take a look at the main features of the EU’s brainchild and where an age-old business tool fits into it all: the business card.

So, what about business cards?

If at a networking event someone hands you their business card, it’s dangerous to assume they’ve given you their unqualified consent to process their personal data carte blanche. Equally, it’s probably not necessary to recite your privacy notice while they consume a mini pastry or sushi in a spoon. It is, however, reasonable for them to expect you to contact them – so you’ve probably got their consent, at least to make initial contact.

It may not be so simple to establish legitimate interest when it comes to making contact beyond that initial approach. The Information Commissioner’s Office has recommended a three-stage test for establishing legitimate interest before processing a subject’s data:

1. What is the purpose of the data processing?

2. Is the data processing necessary to achieve that purpose?

3. Do the data subject’s individual interests override those of the legitimate interest?

We need to consider the likely intentions or expectations of the data subject when they hand over their business card. They probably expect to hear from you and may expect a follow-up email on the topics you discussed, but whether they want or expect to be added to your marketing database and receive promotional emails is another question entirely. It is prudent to seek specific consent for that purpose.

Ultimately, it is up to you as the data controller to consider whether the processing of personal data meets the criteria under GDPR.

Best practice when it comes to adhering to all aspects of GDPR is to give full and proper consideration to how you process personal data, and why. Your systems and policy for handling personal data cannot be too detailed or too thorough. It may be that an automated consent form is generated when any contact is added to your database. Alternatively, your first email to that person could be tailored to ask them specifically to confirm their consent – but always give them the option to unsubscribe!

For more information on GDPR generally, keep reading.

What is GDPR?

GDPR replaces the outdated Data Protection Directive (introduced in the digitally-simpler days of 1995). In contrast to EU directives, national governments don’t need to enable GDPR, so it will be applicable in the United Kingdom (and across the EU) from day one.

GDPR is designed to tackle the challenges posed to data privacy that have evolved over the last two decades with the rise of increasingly complex and opaque data technology. It aims to give a greater degree of control to individuals over how their data is stored and processed. GDPR gives individuals (or “data subjects”) enhanced rights, such as the right to be informed about how their data is held, the right to restrict the processing of their data, or the right to be erased (or “forgotten”).

Above all, however, GDPR introduces a new regime under which organisations are accountable for how they handle personal data. A key aspect of GDPR is the duty it places on businesses (and their data processors) to manage and monitor their own data management protocol in a fair and transparent manner.

It is no longer adequate to simply deal with data issues as they arise. In this new world order organisations must be able to demonstrate they have given proper consideration to how they will comply with the rules of GDPR. From 25 May 2018, every business should have a GDPR protocol in place – and if they don’t, the consequences could be very expensive.

Why does GDPR matter?

The GDPR regime has teeth.

The penalties for non-compliance with GDPR will be severe. A breach of the rules may result in a fine of up to €10 million or, if greater, 2% of a company’s global turnover. That penalty could be imposed for failing to promptly notify the supervising authority (in the UK, the Information Commissioner’s Office) of a data breach, or neglecting to keep adequate data processing records.

In the case of a serious breach, such as processing individuals’ data without their consent, offenders could face a fine of €20 million or, if greater, 4% of their global turnover.

Does GDPR affect my business?

GDPR is almost certain to affect your business because personal data (whether it is that of a customer, an employee or a supplier) is so intrinsic to the way organisations conduct their business in the digital era, whether it is stored electronically or not.

GDPR applies to both “controllers” and “processors” of personal data. If your business is responsible for handling personal data on behalf of another organisation, it is likely to be a processor under GDPR. If your business is not a processor, the chances are it is a controller – meaning it determines the purpose, conditions and means of processing personal data. In some cases a business could be a controller and a processor.

However, whether your business is a controller or a processor or both, it must comply with GDPR and have a lawful basis for processing personal data. If you are a controller, you must have a GDPR-compliant contract in place with all of your processors. If you are a processor, you also ought to consider protecting yourself by having a contract in place, as processors may now be accountable directly to data subjects.

What is “personal data”?

Personal data is any information from which a natural person can be directly or indirectly identified.

In the case of a business card, the personal data is pretty apparent – the data subject’s name, email, phone number and address, and any other information on the card which can be used to identify the person. The data subject can be directly identified by his or her name, but details such as a job title also allow indirect identification.

In other cases information which constitutes personal data may be less obvious, and could be anything from medical records to an IP address. As a rule, if a person can be identified through information, it is personal data as far as GDPR is concerned. It is clear that regulators will view the definition of personal data with a wide scope, so it would be prudent to have policies and procedures established to handle all forms of information.

How can we lawfully process personal data under GDPR?

GDPR sets out six bases upon which personal data can be lawfully processed:

  • Consent from the data subject to use their personal data for a specific purpose
  • A contract between the controller or processor and the data subject which makes the processing of their personal data necessary 
  • A legal obligation on the controller or processor which requires the personal data to be processed
  • It is in the vital interest of a data subject for their personal data to be processed
  • The processing of the personal data is necessary to perform a public task
  • It is in your legitimate interest (or that of a third party) to process the personal data (but this will not override the interests of the data subject).

In everyday business, most people would expect to rely on consent or legitimate interests, but even then it’s best to tread carefully. Speak to a data protection and privacy expert to create a bespoke plan to ensure your business is GDPR compliant.

Rosenblatt’s Commercial team advises on GDPR compliance and data protection policies in addition to its media/technology/IP expertise.

The content of this bulletin should not be construed as legal advice. If you do require legal advice, please contact a solicitor at Rosenblatt.

Rosenblatt is a trading name of RBG Legal Services Limited, a company registered in England and Wales (with company number 13287062) and which is authorised and regulated by the Solicitors Regulation Authority under SRA No. 820215. A list of the directors of RBG Legal Services Limited, together with a list of those persons who are designated as partners of Rosenblatt, is available for inspection at the registered office of the company at 165 Fleet Street, London EC4A 2DY.
