Attending an exhibition or trade show in the UK or European Union (EU) and dealing with citizens’ data requires strict adherence to General Data Protection Regulation (GDPR) or UK GDPR if in the UK. With many businesses looking to enhance the way they exhibit, and data capture at events becoming even more sophisticated, all data handling rules must be adhered to. The penalties can be severe and cause significant damage to the businesses that breach them.

Before we go any further we should clarify that the rules of UK GDPR and GDPR as set by the EU are fundamentally the same. So, where we refer to GDPR, we refer to the shared rules unless otherwise specified.

GDPR aims to protect citizens from privacy and data breaches. It’s worth mentioning that GDPR applies to all businesses processing the data of citizens resident to nations adhering to GDPR rules. So, even if you are an American or Asian business, you will still be required to comply with GDPR if you wish to handle the data of EU/UK citizens.

When did GDPR come into force?

GDPR came into force across the EU in 2016 but didn’t take effect until May 2018. For the UK, Brexit saw a gradual transition, meaning UK GDPR came into force on January 1st, 2021.

Who does GDPR apply to?

UK GDPR applies to UK companies that collect, store or process personal information of those living in the UK. It also applies to countries from outside of the UK that offer services or monitor the behaviours of UK citizens.

The EU GDPR is similar in that it does the same as the UK GDPR except it only applies to residents of EU nations.

You could find that you must adhere to multiple data laws if you are a UK company. Much depends on whether you are only handling data of UK citizens or that of EU citizens. To avoid possible penalties or confusion, you should look at where and how your business operates and then seek guidance from legal experts to ensure you tick all the boxes for your customer base.

What GDPR rules should I be following at an exhibition?

Here are the GDPR rules and best practices you must follow when collecting, processing, and storing data at a trade show or exhibition:

Lawful Basis for Processing

Before collecting personal data, ensure you have a lawful basis for doing so. The most common basis for processing data at trade shows could be consent (the individual has agreed to the processing of their personal data for one or more specific purposes), contract (processing is necessary for a contract you have with the individual), or legitimate interests (the processing is necessary for your legitimate interests or the legitimate interests of a third party).

Consent must be explicit

Consent must be given for the processing or storing of an individual’s data. Therefore, to allow people to understand that their data will be collected, you must:

  • Ensure that consent is freely given, specific, informed, and unambiguous.
  • Use clear and plain language when asking for consent.
  • Keep consent requests separate from other terms and conditions.
  • Allow individuals to easily withdraw consent at any time.
  • Have proof that consent for data collection was given.

Data minimisation

Collect only the data that is necessary for the purpose you have stated. Avoid the temptation to collect as much data as possible just because it might be useful in the future.

Transparency and Information

Be transparent about who you are, how you intend to use the personal data, how long it will be kept, and who it will be shared with. This information should be provided at the time the data is collected. If data is not collected directly from an individual, data controllers must provide a privacy notice to them within one month. This must be done the first time that communication is made with the person supplying data.

Data subject rights

Be prepared to uphold the rights of data subjects, including:

The right to access their personal data.

The right to have inaccuracies corrected.

The right to have their data erased.

The right to object to direct marketing and other forms of processing.

The right to data portability.

Data security

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

Data breach notification

In the event of a data breach, you must notify the appropriate data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to those individuals, you must also inform them without undue delay.

International data transfers

If you intend to transfer personal data outside abroad, ensure that the destination country ensures an adequate level of protection or implement suitable safeguards such as standard contractual clauses.

Accountability and governance

Maintain records of your data processing activities and implement policies, procedures, and training that demonstrate compliance with GDPR. Consider appointing a Data Protection Officer (DPO) if your organization carries out large-scale processing of personal data.

Engage with data protection authorities

Familiarise yourself with the data protection authority in the member state where you are based or where your data subjects are located. Be prepared to engage with them and seek guidance if needed.

What are the penalties for GDPR breaches?

The fines for breaching the GDPR rules whether it be at the trade show or after can be vast. Current rules mean that if you infringe UK GDPR rules, you can be fined up to £17.5 million or 4% of your annual turnover. Whichever is greatest. It’s similar with an EU breach, the fine being up to €20 million or 4% of annual turnover, whichever is the greatest.

How will following GDPR benefit me at an exhibition or trade show?

Aside from helping you avoid the huge fine, following GDPR enhances your tradeshow presence and brand reputation. The business benefits of following GDPR allow you to:

  • Reduce the risk of data breaches. Keeping those leads and other contacts secure will hold you in good stead now and in the future.
  • Build customer trust. If a customer trusts you they are more likely to return.
  • Gain advantage over competitors. If you have robust data handling and data processing rules in place, You can collect more relevant data than the competitors who haven’t.
  • Improve brand reputation. Being seen to do things right and showing that you are compliant helps build your brand.

By following these GDPR rules and implementing best practices, you can ensure that your participation in trade shows respects individuals’ privacy rights and complies with data protection regulations.


At Starlight, many of our clients exhibit internationally as well as nationally meaning we need to be adaptable to all requirements at all times. Our expert team can assist with understanding event compliance, logistics and management both domestically and abroad. Our in-depth set of trade show guides provides a wealth of information.

Whether you require customised exhibition stands to promote your brand or a reconfigurable event stand that can serve multiple spaces, our team can help. We even provide a free exhibition stand design service to help you get the best look for your business.

Our exhibition project management team have all the knowledge of the specific rules and regulations of the international exhibition halls, to ensure you can turn up and be ready to go!

Whether you’re a first-time exhibitor abroad or plan multiple events globally, speak to our team about how we can help you save time and money for stress-free exhibiting.