With the one-year anniversary of the EU's General Data Protection Regulation (GDPR) just behind us, we know by now that GDPR applies to any personal data your business collects, including that of physical visitors to your office. This can range from basic information like names and email addresses to more probing details like car registration numbers and photos. Understandably, there are still lots of misconceptions around what it all means for GDPR and visitor management.
Let's take a look at the most common ones, and see if there's any truth to them.
Myth 1: GDPR and visitor management don't apply to paper
Fact: GDPR is technology neutral
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing.
— GDPR Recital 15, General Data Protection Regulation
This means that your paper trails can easily fall under the scope of GDPR.
If your company is still using a paper logbook as a form of GDPR visitor sign-in, then you should be aware of the possible pitfalls and risks you're exposed to.
Any kind of processing of a structured and consistent set of personal data falls under the scope of GDPR. So whether the data collection and processing is done digitally or via pen and paper, it does not matter.
Are you ready to be held accountable for your paper visitor sign-in sheet?
Myth 2: You can easily achieve a GDPR-compliant visitor logbook
Fact: It’s possible, but not easy by any means
This is because GDPR lays out a set of general principles to be followed.
Achieving fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality is technically possible. It's also a risk to take on manually. We're all human, and as such there's always a margin of human error.
Even the alleged "discreet sheets" you find on the market are not fool-proof.
You may address one area for improvement, but other areas, such as accuracy and storage limitation, fall short and leave you open to risk during a potential audit.
Thus, you can rest much more assured by depending on a digital visitor management system like Proxyclick.
Myth 3: Visitors must always give explicit consent
Fact: Explicit consent does not apply to (all of) your visitor data
The concept of consent is one of the main pillars of GDPR.
"...any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent as a legal basis can be withdrawn by the individual at any time. Therefore, it is often advisable to investigate whether other legal bases are possible."
However, GDPR consent isn't some modern-day "bogeyman" coming to get us.
The regulation actually recognizes that there are cases when explicit consent is not needed:
In the event of contractual necessity - when personal data is processed on the basis that it constitutes a legal obligation
In the matter of vital/public interests - the cases where data processing directly affects a “life or death” scenario of the data subject and where it’s required for the normal functioning of an institution serving public interest, respectively
In the matter of legitimate interests - this means that processing the data without explicit consent is possible insofar as it represents a legitimate interest of the controller without overriding the rights or freedoms of the data subjects at hand
A solid visitor management system allows for a range of scenarios, including the ability to capture digital signatures on NDAs or other agreements. In fact, we've created sample clauses in 22 languages (about consent for your NDAs).
But we advise you to consult your legal counsel to accurately assess each situation in which explicit consent might not be necessary.
A good basis to start that conversation could be our white paper on GDPR-compliant visitor management—Checking into data privacy. It includes an overview of GDPR basics and helpful checklists provided by Cromwell & Moring LLP.
Myth 4: It’s enough to just delete the data from time to time
Fact: Implementing the "right to be forgotten" goes beyond just deleting data
This means that your organization needs to be on top of your data retention period. You cannot store data for longer than necessary.
When it comes to visitor management, you'll need software that adapts to your needs.
Being able to automatically delete the visit details is as priceless as a good night's sleep knowing you're not breaking any laws.
An example of Proxyclick's automatic deletion feature
Myth 5: A data processing agreement (DPA) isn't necessary
Fact: Your reception and any subcontracted security staff are considered the data processors
Your company may be one of many tenants in a multi-tenant building. Or you may be using a third-party firm to handle your office building security. In either scenario, there are still three "players" in the eyes of GDPR.
Your visitor is the Data Subject
Your company is the Data Controller
Any 3rd party processing the data is the Data Processor
It's important to know who the "players" are when it comes to GDPR and visitor management, whether you're using a paper or cloud-based visitor management solution.
This is where the DPA comes in. A formal agreement must be in place denoting the rights and obligations around data collection and processing from both parties.
At Proxyclick, we're in the business of helping organizations of all sizes in putting in place seamless and secure access to their workplaces. This includes a commitment to data privacy and providing GDPR-related features you need.
In addition, there's a webinar replay always available on how GDPR affects visitor management.
If all else fails and you'd like tailored advice on how you can become GDPR-compliant in your visitor management, then please contact us so that we can continue this conversation with you personally.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.
Editor's Note: This post was originally published in March 2018 and has been updated for accuracy and comprehensiveness.