<img src="//bat.bing.com/action/0?ti=5439950&amp;Ver=2" height="0" width="0" style="display:none; visibility: hidden;">

Is your Visitor Management System GDPR-compliant? Find out with this checklist

Picture of Filip Galetic

Added on by

Reception check-in.jpg

Ensuring your operations are fully GDPR-compliant is not a small task. Perhaps the most visible part of your operations exposed to the new data privacy regulation is your visitor management system.

Imagine your auditor coming in to a meeting to discuss your GDPR compliance. If your visitor check-in app is not fully compliant, they will see it immediately and raise a red flag.

GDPR - the shorthand for General Data Protection Regulation - is a game-changing regulation adopted by the European Union that comes into effect in May 2018.

Here’s a summary of the most salient points about GDPR:

  • It aims to strengthen the rights of individuals re the processing of their personal data while ensuring free flow of data in the EU digital single market
  • Builds on the existing legislation, but also amps up the role of several concepts such as consent, deletion period, etc.
  • It also introduces hefty fines of up to 4% of annual turnover of organizations that fail to comply
  • It applies to any organization based in the EU but also any organization that processes data of EU customers (data subjects)

Because of all this, the new law has had compliance teams and their principals in overdrive: the ‘GDPR’ search term has seen incredible growth in the last several months alone according to Google Trends.


GDPR Google Trend.png


Despite that, recent surveys showed that 91% firms in the UK, Germany and France do not find themselves prepared for the coming of GDPR while an alarming 96% do not even know how to get started.

Timely preparation is key, so we put together an 7-point checklist that will help you check your existing visitor check-in system for compliance with GDPR.

Do you only collect client data that you absolutely need? (data minimization)

The Article 54 of GDPR provides:

“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

What this means for your VMS:

Any data you collect needs to pass the test of asking yourself whether there is a way to achieve the purpose without collecting the data. Even better, if you can tailor the check-in process to different profiles of visitors, you can ensure that you always only ask for the information you absolutely need. 

New call-to-action

When collecting your visitor data, do you ask their permission (consent) and explain how you will use it?

Para. 32 of the preamble and Article 4 (11) of GDRP:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of (...) agreement to processing of personal data.”

What this means for your VMS:

You need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes. Again, this can be achieved by allowing them to confirm reading the privacy policy, or by offering a toggle switch by which they allow you to store their data on your VMS.

If one of your visitors changes their mind and no longer wants you to keep their data, is this easy to undo?

Article 7 of GDPR:

“The data subject shall have the right to withdraw his or her consent at any time.”

What this means for your VMS:

Your organization needs to allow visitors to say at any point that they no longer want you to store their visit data and revoking consent to store their data should be as easy as giving it. You will find that the GDPR-compliant VMS offers this by way of a toggle that allows visitors to change their mind during their subsequent visit

Do you store visit details for no longer than what is needed?

Article 5 of GDPR:

“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

What this means for your VMS:

One way to tackle the question of data retention a.k.a. ‘right to be forgotten’ is to allow bulk selection and deletion of visits in the dashboard. A more elegant solution for this is automatic deletion after a specified number of days. Ideally, your VMS will either have this feature or be built to easily integrate it in near future.


New call-to-action

Did you sign a Data Processing Agreement?

Article 28 of GDPR:

“The controller shall use only processors [vendors] providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.”

What this means for your VMS:

Your VMS provider must provide assurances that they comply with the GDPR stipulations in all applicable aspects detailed in Article 28, as well as the related provisions of articles 32 to 36. In practice, this implies that you have a binding written agreement, also called a Data Processing Agreement (“DPA”) in place, ensuring a strict level of safety and security of the personal data processed on your behalf.

Did you appoint a Data Protection Officer?

Article 37 of GDPR:

“The processor and the controller shall designate a data protection officer [in specific circumstances].”

What this means for your VMS:

In case you or your visitor check-in system vendor have as their core activities processing operations which require regular and systematic monitoring of data subjects on a large scale, both you and your service provider/visitor check-in system vendor need to designate a DPO - Data Protection Officer. This is a person that has to carry out the tasks of informing and advising the company and its employees, monitor compliance with GDPR and other related laws, and act as a contact point with the supervisory authority in each Member state.

Do you know if your vendor has put in place a data breach notification plan?

Article 33 of GDPR:

“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

What this means for your VMS:

A reliable VMS provider will have fast, foolproof and clear notification system in case any of your visitors’ data is accessed unauthorizedly by a third party. As a controller you have limited time to notify the supervisory authority in this event, hence, the processor that is equipped to deal with this is an important part of the puzzle.

What are the next steps?

Becoming compliant with GDPR is a process that gets exponentially more time-consuming the more vendors you work with and data processing systems you’re using in your organization.

We'd like to ease the burden as much we can, so we have prepared a host of content around GDPR, especially from the point of view of visitor management. We invite you to have a look at our GDPR hub page where we've laid out our own GDPR roadmap and talk in detail about how we are making Proxyclick apps GDPR-compliant. 

GDPR is knocking at the door. Our webinar on GDPR, how it affects visitor management and what you need to do to prepare for it with the help of experts from Crowell & Moring will be back in September 2018.

Watch the webinar replay now

Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.

Like this article? Spread the word.