Experts weigh in on GDPR visitor sign-in books: Paper vs digital
They say you should never forget where you came from. I believe this to be especially true for organizations moving from the traditional paper visitor sign-in book to a more GDPR-compliant visitor sign-in via a cloud-based visitor management system.
Since I get to have some pretty frank conversations with the actual people who led this change management in their respective companies, I’m able to ask them directly what they were using before deciding to go digital.
More often than not, the answer is a sheepish whisper — paper. The person on the other end of the call always sounds embarrassed when they're actually the heroes leading the change, in my book.
We all have to start from somewhere, right? That's the whole point of innovation and digital transformation.
Paper visitor books at the front desk were the norm for a very long time. They used to cut it as far as operations and finance were concerned. But they don’t anymore.
That’s because GDPR and visitor management go hand-in-hand when it comes to guest data privacy.
We all now live in a GDPR world
Long before the General Data Protection Regulation (GDPR) was passed, many of us had grown tired of signing in using pen and paper—and this upon arrival at some of the most modern lobbies around the world. However, for the most part, we turned a blind eye to it, attributing it to the pains of doing business.
Only after GDPR came into effect did everything become clearer.
The act of managing visitors to your office involves data collection. So, by default, your visitor management process will come under scrutiny during an audit.
Furthermore, because GDPR operates "tech neutrality," your paper visitor sign-in book will be one of the first things to get inspected during such audits.
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing. — GDPR Recital 15, General Data Protection Regulation
So whether your paper sign-in sheet is printed on the finest silk, bound in leather and gold, or simply attached to an old-school clipboard, it's fair game as far as GDPR is concerned.
We asked two GDPR experts, Karen Cheeseman and Danko Pigac, to share their opinion on the paper visitor logbook.
They were generous enough to share their takes on GDPR compliance when it comes to paper sign-ins.
What are the GDPR pitfalls for businesses still using a visitor sign-in book?
The GDPR puts in place general principles to be respected in processing personal data.
As such, there are fundamental implications for a pen and paper visitor management process.
GDPR Principle: Integrity and Confidentiality
Article 5.1(f) of GDPR states explicitly that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Takeaway: One of the most obvious disadvantages to using a paper visitor registry is that the data is out in the open for everyone to see.
It could be said that a paper-based system is difficult to manage, time-consuming, and may not provide the ideal level of security. Anyone can read the logbook. The organization should ensure that the names of those who have previously signed in are not visible to the next individual. — K. Cheeseman
Having seen countless paper visitor logbooks on counters in corporate lobbies across the globe during his career, Mr. Pigac agrees.
Unfortunately, the paper logbook has quite some disadvantages in the face of GDPR. First of all, the book is usually very visible to visitors and in that way, it offers all personal data in plain sight.— D. Pigac
As a matter of fact, we commissioned a survey of 2,000 business professionals in 2018 and asked them about their front desk experiences.This report included questions specific to paper visitor sign-in sheets.
Their honesty proved to be eye-opening indeed.
If 6 out of 10 of us confess to peeking at the personal data of visitors who signed in before us, then isn't that a direct threat to the GDPR principle of integrity and confidentiality?
But there's a second part to this equation that doesn't add up — what actually happens to the visitor logbooks?
But there's a second part to this equation that doesn't add up. The question of what actually happens to the visitor logbooks?
Nobody knows for sure what happens to the book once it is filled out to the last page and it’s not hard to imagine it's simply put in the ‘old paper’ bin with the other various paper records and disposed of publicly — D. Pigac
It's scary to imagine pages of personal data sitting in a dumpster somewhere.
Not to mention how costly that could be.
According to a recent report published by the global law firm DLA Piper, the GDPR enforcement actions taken by major European regulators have resulted in a whopping €272.5 million so far. That is almost 5 times the amount registered by the first anniversary of the GDPR in 2019 (€56 million).
Moreover, this shows that the crisis generated by the pandemic last year did little to stop regulators from punishing companies failing to comply, which is not surprising considering the new set of COVID-19-related information requested from visitors when checking in.
GDPR Principle: Data minimization
Article 5.1(c) of GDPR states that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Takeaway: You should only be collecting visitor data that is needed to achieve its intended purpose.
As an organization, you need to be sure of why you are asking for the personal data in the first place.
Is it simply a way of knowing who is in the building at a given time or is the organization storing and using that information to use for another purpose? Such as marketing or profiling? As an organization you are accountable for the data that you hold. — K. Cheeseman
To put it plainly, the vast majority of the office workers we surveyed in 2018 were uncomfortable with the level of personal required of them in a visitor signing-in book.
The COVID-19 outbreak made matters even more complicated, with companies worldwide having to process individuals’ health data in order to protect their employees and visitors from the risk of infection.
This left organizations wondering what health-related questions they can ask individuals without breaching GDPR’s commandments.
Is it impossible to find a GDPR visitor sign-in book?
If you really insist on sticking with pen and paper, then you do still have options.
The "Confidential visitor sign-in sheets"
It is indeed possible to purchase such notebooks as the one pictured above to use for your visitor book.
The idea is that your visitor writes their name across the "black bars" (similar to the antiquated credit card machines that once produced carbon copies for us). Thus, the next visitor can't see the name of the person who checked in before them. Chances are neither can you because the names might prove illegible.
Speaking from experience, I can tell you that writing on top of those black bars is like writing in the dark. You can't see what or where you're writing.
And your company will still be left exposed to other areas of GDPR!
The "Peel off label system"
The creativity of front desk heroes out there is to be commended for this one.
To combat the problem of confidentiality, many receptionists utilize pre-printed labels that visitors fill in upon arrival. Once completed, the labels are then peeled off and stuck elsewhere.
The main question is where.
It's therefore easy to see that there are holes in this confidential visitor sign-in book solution as well.
Verdict: the digital visitor sign-in wins
To strike the perfect balance between providing a warm corporate welcome and remaining GDPR compliant, businesses today need a GDPR-focused visitor management system with checks and balances in place.
At Proxyclick, we're committed to helping you ensure the longevity of your business with the GDPR-related features you need.
We try to make it as easy as possible for you to transition from a paper visitor logbook to GDPR-compliant visitor management, allowing organizations to:
- Customize flows and paths in your visitor journey and safely collect only the data that’s relevant to the purpose of each visit.
- Take control of data retention and deletion and hold yourself accountable for the sensitive data you’re handling after the visitors have left.
- Give granular access privileges for visitor data to people in your company on a need-to-know basis.
If you want to find out more about how you can implement a GDPR-friendly visitor check-in, take a look at the following resources:
- GDPR compliance checklist for your visitor management system
- How your visitor management system can help you avoid GDPR fines
- How to implement a touchless check-in experience
- Top 5 ways QR code sign-in systems can support your business right now
Learn more about how Proxyclick handles data privacy by booking a call with one of our experts today.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.