The GDPR compliance checklist for your visitor management system

By Jun Song

GDPR is the game-changing European Union regulation that came into effect in May 2018. Having a GDPR compliance checklist is a great first step for your organization. But your current visitor management system is still exposed to the relatively "new" General Data Protection Regulation.

How confident are you in the way you handle visitor management?

Imagine your auditor arriving to assess your company's GDPR compliance. If your visitor check-in app is not fully compliant, then they'll see the red flags immediately.

A summary of GDPR's key points:

GDPR's core principles have been laid out in full already, but here are some of the more relevant points for your business:
  • It aims to strengthen the rights of individuals around the processing of their personal data, while ensuring the free flow of data in the EU digital market.
  • It builds on existing legislation, but also amps up the role of several concepts such as consent, deletion period, etc.
  • It applies to any organization based in the EU, but also to non-EU organizations that collect and process personal data of EU citizens, aka the "data subjects."
  • It slaps hefty fines of up to 4% of annual turnover on organizations that fail to comply.

Because of such implications, in May 2018 alone, "GDPR" searches surpassed the Google search volumes of Beyoncé and Kim Kardashian.

In fact, the search volume was just about equal to the other two celebrity searches combined!

True story.

But all jokes aside, the European Commission does report additional findings in their January 2019 report: GDPR in Numbers.

The overwhelming consensus is that preparation is key. So we've put together a 6-point checklist as a part of the bigger picture when it comes to GDPR and visitor management.

Here are the questions you need to ask:

1. How do we collect personal data from our visitors?

Both GDPR and visitor management need to be addressed wholly as an organization. As such, it's important to take a step back and assess how your business plans to collect and manage the personal data of your visitors.

This is because of the real-life nuances of data privacy regulations. GDPR operates under the premise of technology neutrality:

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing...


— GDPR Recital 15, General Data Protection Regulation

This means that the rules applying to digital visitor management systems may also apply to "GDPR and visitor books" you see sitting around on front desks all over the world.

Although it is possible to operate with a "GDPR sign-in sheet," industry experts are split down the middle as to the efficacy and ease of GDPR compliance using a pen-and-paper visitor management system.

What this means for your visitor management system:

Having a tool that allows you to plan for and manage the data collection process reduces the margin of human error and ensures consistency in the visitor experience. Organizations operating in multiple locations must be especially careful. Having a tool that allows you to manage multiple front desks from one central interface takes the pain out of planning.

2. What kind of visitor data can we collect?

This question is specific to data minimization: the act of collecting only the personal data needed to achieve its intended purpose. Furthermore, such data should only be retained for as long as it serves said purpose.

Article 5, 1(c) of GDPR stipulates:

“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

What this means for your visitor management system:

You can only collect data for a required security protocol, to fulfill a business contract, and so on. Your visitor management system should allow you to tailor the check-in process according to the types of visitors you welcome. In this way, you're sure that they're only asked for the information you absolutely need.

Read more about how you can minimize data with Proxyclick.

3. How long can we store "visit details?"

This is also directly related to GDPR's principle of data minimization:

“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Really, it's in three parts:

  1. You should only be collecting data for specific purposes.
  2. You should only be holding onto the data for a limited period of time.
  3. There should be provisions for the "right to be forgotten."

The 3rd point is laid out clearly in Article 7(3) of GDPR:

“The data subject shall have the right to withdraw his or her consent at any time.”

There is no hard and fast rule as to what your retention period must be. As we've mentioned before, GDPR-compliant visitor management is a process that your organization must decide on together.

However, your visit details should fulfill the business requirements they were collected for in the first place. Define the retention period that applies to your context and then delete data accordingly.

What this means for your visitor management system:

One way to tackle the question of data retention and the ‘right to be forgotten’ is to be able to manually delete visits in your dashboard. Ideally, your visitor management system allows for this to be automated so you can specify the number of days for data retention. For organizations with multiple locations, Proxyclick also allows for location-specific settings for local flexibility in automatic visit deletion.
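As an added illustration of the retention logic described above (this is not Proxyclick's code; the location names, retention values and visit records are constructed), a Python sweep that applies a default retention period with per-location overrides and also deletes a visit as soon as the visitor has withdrawn consent:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention settings: an organization-wide default plus optional per-location
# overrides, as described for multi-location deployments. Constructed values.
DEFAULT_RETENTION_DAYS = 30
LOCATION_RETENTION_DAYS = {"brussels": 14, "new-york": 90}

@dataclass(frozen=True)
class Visit:
    visit_id: str
    location: str
    checked_out: date                # retention is counted from check-out
    consent_withdrawn: bool = False  # "right to be forgotten" request received

def retention_days(location: str) -> int:
    """Location-specific retention if configured, otherwise the global default."""
    return LOCATION_RETENTION_DAYS.get(location, DEFAULT_RETENTION_DAYS)

def visits_to_delete(visits, today: date):
    """Return the ids of visits that must be deleted in a sweep run on `today`.

    A visit is due for deletion when its location's retention period has
    elapsed, or earlier if the visitor has withdrawn consent (Article 7(3)).
    """
    due = []
    for v in visits:
        expires = v.checked_out + timedelta(days=retention_days(v.location))
        if v.consent_withdrawn or today >= expires:
            due.append(v.visit_id)
    return sorted(due)

# Constructed sample data for a sweep run on 2019-05-25.
SWEEP_DATE = date(2019, 5, 25)
SAMPLE_VISITS = [
    Visit("v1", "brussels", date(2019, 5, 1)),   # 24 days old, 14-day retention: delete
    Visit("v2", "brussels", date(2019, 5, 20)),  # 5 days old: keep
    Visit("v3", "new-york", date(2019, 3, 1)),   # 85 days old, 90-day retention: keep
    Visit("v4", "new-york", date(2019, 2, 20)),  # 94 days old: delete
    Visit("v5", "london", date(2019, 5, 10)),    # default 30 days, 15 days old: keep
    Visit("v6", "london", date(2019, 5, 24), consent_withdrawn=True),  # delete now
]

if __name__ == "__main__":
    print(visits_to_delete(SAMPLE_VISITS, SWEEP_DATE))  # ['v1', 'v4', 'v6']
```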

4. Do we always have to ask for consent when collecting visitor data?

This question relates to GDPR's stance on legitimate interests. Legitimate interests can only be used as a legal basis for processing when they don't override the interests or fundamental rights and freedoms of the individual whose personal data is processed.

Long story short, consent is required for collecting visitor data (or data subjects at large).

However, there is an exception: you do not have to ask for consent in every single situation. The mechanism of so-called legitimate interests dictates that you have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing the legitimate interests of the company.

What this means for your visitor management system:

Your visitor management solution should let you distinguish between a visitor profile and visit data (the data necessary to fulfill the interests of the company versus more ephemeral data). In the case of an audit, you'll need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes (outside of the exceptions mentioned above). This can be achieved in two ways:

  1. by allowing your visitors to confirm that they've read the privacy policy, or
  2. by offering a toggle switch by which they consent to you storing their data in your visitor management system.

Check out our free template containing a sample clause for consent (translations included in 22 languages).

5. Do we need to sign a Data Processing Agreement with our visitor management provider?

Absolutely.

In plain English, your company is considered the "Data Controller" and, by law, is responsible for determining the purposes and means of processing personal data.

Article 28 of GDPR:

“The controller shall use only processors [vendors] providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.”

This is why it's vital to have a Data Processing Agreement (DPA) in place between you and the visitor management software provider, aka the "Data Processor."

See our Glossary of key terms relating to GDPR and visitor management.

What this means for your visitor management system:

Your VMS provider must provide assurances that they comply with the GDPR stipulations in all applicable aspects detailed in Article 28, as well as the related provisions of Articles 32 to 36. This implies that you have a binding written agreement, a DPA, in place to ensure a strict level of safety and security for the personal data processed on your behalf.

Check out our free Data Processing Agreement template.

6. Are we ready for our visitor management system to be audited?

If you've covered all the bases with the first steps, then you're prepared to show GDPR compliance relating to your visitor management.

The general principles of GDPR dictate that we must all be held accountable and be able to demonstrate compliance at a moment's notice.

What this means for your VMS:

Complete documentation is necessary to demonstrate GDPR-compliant visitor management. Technology alone doesn't guarantee anything. You have to make sure your visitor management system provides all the GDPR-related features you need to ensure the longevity of your business. A reliable provider will be able to work with you towards GDPR-compliant visitor management.

We'd be happy to talk to you about it personally!

Additional resources

We understand that becoming compliant with GDPR is a process that gets exponentially more time-consuming if you work with multiple vendors and data processing systems.

We'd like to ease the burden as much as we can, so we have prepared a host of content around GDPR from the point of view of visitor management:

  • We invite you to have a look at our simple guide to GDPR and visitor management, where we've also laid out our own GDPR roadmap.
  • In addition, there's a webinar on GDPR and how it affects visitor management, plus what you need to do to prepare. Watch the webinar replay now.
  • In partnership with Crowell & Moring, we've published a white paper, "Checking into data privacy," to help you achieve a GDPR-compliant front desk.

In conclusion

As for the team here at Proxyclick, every day is actually "GDPR Day" for us because data privacy is built into our DNA (including an update to our Terms & Conditions in regard to GDPR).

But we're eagerly awaiting the one-year anniversary of GDPR, maybe just as excitedly as we did last year when it was "born!"

In the meanwhile, we encourage you to contact us so that we can continue this conversation with you personally!


Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.

***

Editor's Note: This post was originally published in November 2017 and has been updated for accuracy and comprehensiveness.
