GDPR is the game-changing European Union regulation that came into effect in May 2018. Having a GDPR compliance checklist is a great first step for your organization. But your current visitor management system is still exposed to the relatively "new" General Data Protection Regulation.
How confident are you in the way you handle visitor management?
Imagine your auditor arriving to assess your company's GDPR compliance. If your visitor check-in app is not fully compliant, then they'll see the red flags immediately.
Because of such implications, in May 2018 alone, "GDPR" searches surpassed the Google search volumes of Beyoncé and Kim Kardashian.
In fact, the search volume was just about equal to the other two celebrity searches combined!
But all jokes aside, the European Commission does report additional findings in their January 2019 report: GDPR in Numbers.
The overwhelming consensus is that preparation is key. So we've put together a 6-point checklist as a part of the bigger picture when it comes to GDPR and visitor management.
Here are the questions you need to ask:
Both GDPR and visitor management need to be addressed wholly as an organization. As such, it's important to take a step back and assess how your business plans to collect and manage the personal data of your visitors.
This is because of the real-life nuances of data privacy regulations. GDPR operates under the premise of technology neutrality:
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing...
— GDPR Recital 15, General Data Protection Regulation
This means that the rules applying to digital visitor management systems may also apply to "GDPR and visitor books" you see sitting around on front desks all over the world.
Although it is possible to operate with a "GDPR sign-in sheet," industry experts are split down the middle as to the efficacy and ease of GDPR compliance using a pen-and-paper visitor management system.
Having a tool that allows you to plan for and manage the data collection process reduces the margin of human error and ensures consistency in the visitor experience. Organizations operating in multiple locations must be especially careful: having a tool that allows you to manage multiple front desks from one central interface takes the pain out of planning.
This question is specific to data minimization: the practice of collecting only the personal data needed to achieve its intended purpose. Furthermore, such data should only be retained for as long as it serves said purpose.
Article 5(1)(c) of GDPR stipulates:
“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
You can only collect data for a required security protocol, to fulfill a business contract, etc. Your visitor management system should allow you to tailor the check-in process according to the types of visitors you welcome. In this way, you're sure that they're only asked for the information you absolutely need.
Read more about how you can minimize data with Proxyclick.
This is also directly related to GDPR's principle of data minimization:
“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Really, it's in three parts:
The third point is laid out clearly in Article 7(3) of GDPR:
“The data subject shall have the right to withdraw his or her consent at any time.”
There is no hard and fast rule as to what your retention period must be. As we've mentioned before, GDPR-compliant visitor management is a process that your organization must decide on together.
However, your visit details should fulfill the business requirements they were collected for in the first place. Define the retention period that applies to your context and then delete data accordingly.
One way to tackle the question of data retention and the ‘right to be forgotten’ is to be able to manually delete visits in your dashboard. Ideally, your visitor management system allows for this to be automated so you can specify the number of days for data retention. For organizations with multiple locations, Proxyclick also allows for location-specific settings for local flexibility in automatic visit deletion.
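The retention process described above, as an added illustration that is not Proxyclick's own code: a global retention period in days, per-location overrides, and a sweep that selects visits for deletion either because their retention period has elapsed or because the visitor withdrew consent. All locations, day counts and visits are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy (hypothetical values, not a real deployment):
# a global default plus location-specific overrides.
DEFAULT_RETENTION_DAYS = 30
LOCATION_RETENTION_DAYS = {"brussels": 30, "london": 14}


@dataclass
class Visit:
    visit_id: str
    location: str
    checked_in: date
    erasure_requested: bool = False  # visitor withdrew consent (Art. 7(3))


def retention_days(location: str) -> int:
    """Location-specific retention period, falling back to the global default."""
    return LOCATION_RETENTION_DAYS.get(location, DEFAULT_RETENTION_DAYS)


def visits_to_delete(visits, today: date):
    """Return (visit_id, reason) for every visit that must be deleted today.

    An erasure request wins over the retention clock: the visit is deleted
    as soon as the visitor withdraws consent, even if it is still "fresh".
    """
    decisions = []
    for v in visits:
        if v.erasure_requested:
            decisions.append((v.visit_id, "erasure_request"))
        elif today - v.checked_in >= timedelta(days=retention_days(v.location)):
            decisions.append((v.visit_id, "retention_expired"))
    return decisions


# Constructed sample visits; "paris" has no override, so it uses 30 days.
SAMPLE_VISITS = [
    Visit("v1", "brussels", date(2019, 1, 15)),          # 45 days old
    Visit("v2", "brussels", date(2019, 2, 15)),          # 14 days old
    Visit("v3", "london", date(2019, 2, 10)),            # 19 days old
    Visit("v4", "paris", date(2019, 2, 20), erasure_requested=True),
    Visit("v5", "paris", date(2019, 2, 20)),             # 9 days old
]

if __name__ == "__main__":
    for visit_id, reason in visits_to_delete(SAMPLE_VISITS, date(2019, 3, 1)):
        print(f"delete {visit_id}: {reason}")
```

Logging each deletion with its reason is what gives you the audit trail mentioned later on this page; the sweep itself is what you would schedule daily per location.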
This question relates to GDPR's stance on legitimate interests: Legitimate interests can only be used as a legal basis for processing when they don’t override the interests or fundamental rights and freedoms of the individual whose personal data is processed.
Long story short, consent is required for collecting visitor data (or data subjects at large).
However, there is an exception: You do not have to ask for consent in every single situation. The mechanism of so-called legitimate interests dictates that you have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company.
Your visitor management solution should let you distinguish between a visitor profile and the visit data itself (the data necessary to fulfill the interests of the company versus more ephemeral data). In the case of an audit, you'll need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes (outside of the exceptions mentioned above). This can be achieved in two ways:
Absolutely.
In plain English, your company is considered the "Data Controller" and by law, responsible for determining the purposes and means for processing of personal data.
Article 28 of GDPR states:
“The controller shall use only processors [vendors] providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.”
This is why it's vital to have a Data Processing Agreement (DPA) in place between you and the visitor management software provider, also known as the "Data Processor."
See our Glossary of key terms relating to GDPR and visitor management.
Your VMS provider must provide assurances that they comply with the GDPR stipulations in all applicable aspects detailed in Article 28, as well as the related provisions of Articles 32 to 36. This implies that you have a binding written agreement, a DPA, in place to ensure a strict level of safety and security of the personal data processed on your behalf.
Check out our free Data Processing Agreement template.
If you've covered all the bases with the first steps, then you're prepared to show GDPR compliance relating to your visitor management.
The general principles of GDPR dictate that we must all be held accountable and be able to demonstrate compliance at a moment's notice.
Complete documentation is necessary to demonstrate GDPR-compliant visitor management. Technology alone doesn't guarantee anything. You have to make sure your visitor management system provides all the GDPR-related features you need to ensure the longevity of your business. A reliable provider will be able to work with you towards GDPR-compliant visitor management.
We'd be happy to talk to you about it personally!
We understand that becoming compliant with GDPR is a process that gets exponentially more time-consuming if you work with multiple vendors and data processing systems.
We'd like to ease the burden as much as we can, so we have prepared a host of content around GDPR from the point of view of visitor management:
As for the team here at Proxyclick, every day is actually "GDPR Day" for us because data privacy is built into our DNA (including an update to our Terms & Conditions in regard to GDPR).
But we're eagerly awaiting the one-year anniversary of GDPR, maybe just as excitedly as we did last year when it was "born!"
In the meanwhile, we encourage you to contact us so that we can continue this conversation with you personally!
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.
***
Editor's Note: This post was originally published in November 2017 and has been updated for accuracy and comprehensiveness.