Experts weigh in on GDPR visitor sign-in: Paper vs digital
They say you should never forget where you came from. I believe this to be especially true for organizations moving from the old paper sign-in sheet to a GDPR-compliant visitor sign-in via a cloud-based visitor management system. Why?
Because, from time to time, I get to have some pretty frank conversations with the actual people who led this change management in their respective companies.
"What were you using before you decided to go digital?" It's a question I ask of everyone.
More often than not, the answer is a sheepish whisper: paper.
The person on the other end of the call always sounds embarrassed when they're actually the heroes leading the charge, in my book. We all have to start from somewhere, right? That's the whole point of innovation and digital transformation.
Paper visitor books at the front desk were the norm for a very long time. They used to cut it as far as operations and finance were concerned.
But they don’t anymore.
That's because GDPR and visitor management can no longer be considered separately.
We all now live in a GDPR world
Long before the General Data Protection Regulation (GDPR) was passed, many of us had grown tired of signing in with pen and paper, even on arrival at some of the most modern lobbies around the world. But for the most part we turned a blind eye to it, attributing it to the pains of doing business.
Only after GDPR came into effect did everything become clearer.
The act of managing visitors to your office involves data collection. So, by default, your visitor management process will come under scrutiny during an audit.
Furthermore, because GDPR is technologically neutral, your paper visitor sign-in book will be inspected during such audits.
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing.
— GDPR Recital 15, General Data Protection Regulation
So whether your paper sign-in sheet is printed on the finest silk, bound in leather and gold, or simply attached to an old-school clipboard, it's fair game as far as GDPR is concerned.
The experts quoted below, K. Cheeseman and D. Pagic, were generous enough to share their takes on GDPR compliance when it comes to paper sign-ins.
What are the GDPR pitfalls for businesses still using a paper logbook?
The GDPR puts in place general principles to be respected in processing personal data.
As such, there are fundamental implications for a pen and paper visitor management process.
GDPR Principle: Integrity and Confidentiality
Article 5.1(f) of GDPR states explicitly that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Takeaway: One of the obvious disadvantages to using a paper visitor registry is the fact that it's out in the open for everyone to see.
It could be said that a paper-based system is difficult to manage, time consuming, and may not provide the ideal level of security. Anyone can read the logbook. The organization should ensure that the names of those who have previously signed in are not visible to the next individual.
— K. Cheeseman
Mr. Pagic agrees.
He's seen countless paper logbooks sitting on counters in corporate lobbies across the globe during his career.
Unfortunately, the paper logbook has quite some disadvantages in the face of GDPR. First of all, the book is usually very visible to visitors and in that way, it offers all personal data in plain sight.
— D. Pagic
As a matter of fact, we commissioned a survey of 2,000 business professionals in 2018 and asked them about their front desk experiences. This included questions specific to paper visitor sign-in sheets.
Their honesty proved to be eye-opening indeed.
If 6 out of 10 of us confess to peeking at the personal data of visitors who signed in before us, then isn't that a direct threat to the GDPR principle of integrity and confidentiality?
Not to mention, human nature?
But there's a second part to this equation that doesn't add up: what actually happens to the visitor logbooks?
Nobody knows for sure what happens to the book once it is filled to the last page, and it's not hard to imagine it simply ending up in the 'old paper' bin with the other paper records and being disposed of publicly.
It's scary to imagine pages of personal data sitting in a dumpster somewhere.
But it could also be costly.
According to the International Association of Privacy Professionals (IAPP), "GDPR enforcement actions" on businesses have resulted in a whopping €56 million in fines so far.
Hopefully, that amount hasn't doubled by this time next year.
Businesses would do well to embrace GDPR and not make it the enemy. Behind each piece of personal data is a person, after all.
GDPR Principle: Data minimization
Article 5.1(c) of GDPR states that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Takeaway: You should only be collecting visitor data that is needed to achieve its intended purpose.
As an organization, you need to be sure of why you are asking for the personal data in the first place.
Is it simply a way of knowing who is in the building at a given time, or is the organisation storing and using that information for another purpose, such as marketing or profiling? As an organisation you are accountable for the data that you hold.
— K. Cheeseman
To put it plainly, the vast majority of the office workers we surveyed were uncomfortable with the level of personal data required of them.
You can download the whole report, the Front Desk Experience Survey 2018, and see how much (if any) of the results you identify with. I know that I found myself nodding in agreement as I read the results.
Is it impossible to find a GDPR visitor sign-in book?
If you really insist on sticking with pen and paper, then you do still have options.
The "Confidential visitor sign-in sheet"
It is indeed possible to purchase such notebooks as the one pictured above, for hundreds of dollars each (closer to a thousand if you round up).
The idea is that your visitor writes their name across the "black bars" (similar to the antiquated credit card machines that once produced carbon copies for us), so the next visitor can't see the name of the visitor who checked in before them. Chances are, neither can you, because the names may not even be legible.
Speaking from experience, I can tell you that writing on top of those black bars is like writing in the dark. You can't actually see what or where you're writing.
And your company will still be left exposed to other areas of GDPR!
The "Peel off label system"
It's great: the creativity of front desk heroes out there is to be commended.
To combat the problem of confidentiality, many receptionists utilize pre-printed labels that visitors fill in upon arrival. Once completed, the labels are then peeled off and stuck elsewhere.
Stuck where, exactly? That's a good question, and it's easy to see that there are holes in this solution as well.
To strike the perfect balance between providing a warm corporate welcome and remaining GDPR compliant, businesses today need a GDPR-focused visitor management system with checks and balances in place.
At Proxyclick, we're committed to helping you ensure the longevity of your business with the GDPR-related features you need.
Living in a GDPR world isn't a fad, and it isn't a one-time event. So your company needs to be ready, willing, and able to demonstrate compliance at a moment's notice.
Whatever visitor management you have in place, you need to be able to show that it is compliant with GDPR, so think about why you need the data, what you need it for, and how you are processing and storing it.
— K. Cheeseman
So how do you make sure you're only collecting data that's relevant to the purpose of each visit?
Well, we try to make it as easy as possible for you. Customizing flows and paths in your visitor journey can help you prove your due diligence when it comes to GDPR-compliant visitor management.
But how do you know you're handling that data the right way long after your visitor has left?
Thankfully, there are steps you can take to hold yourself accountable. You can start with a helpful GDPR compliance checklist for your visitor management system. We also invite you to read our Simple guide to GDPR and visitor management, where we've also laid out our own GDPR roadmap.
Learn more about how Proxyclick handles data privacy by booking a call with one of our experts today.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.
Editor's Note: This post was originally published in January 2018 and has been updated for accuracy and comprehensiveness.