With only a little over two months before GDPR comes into effect, the time for organizations to prepare is running out quickly. We daily receive numerous requests for information around the topic from our prospects and customers.
This is why we have set up a monthly webinar centered around GDPR and visitor management, together with the experts of the Crowell & Moring Brussels office.
When it comes to GDPR and visitor management, we’ve noticed some misconceptions appearing again and again and wanted to tackle them in this article.
We look at 5 common myths about visitor management in light of GDPR and try to give an answer to the question: is there any truth in them?
Myth 1: GDPR doesn’t apply to paper
Fact: Paper OFTEN falls into the scope of GDPR
If your company is using a paper logbook, don’t be tricked into thinking you don’t need to comply with the obligations of the GDPR. This couldn’t be farther from the truth.
GDPR is technology-neutral; it doesn’t matter whether you record data of subjects via an app, a paper logbook form, or a napkin.
Any kind of processing of a structured and consistent set of personal data qualifies to fall under the scope of GDPR and that may include your company’s paper logbook.
The emphasis is on being structured and consistent - whether the collection and processing is done digitally or in an analogue fashion, does not matter.
So, no, unfortunately it’s not possible to “hide” from the GDPR by sticking to the paper logbook. In fact, you might be easily increasing your risk of non-compliance if you continue using it.
Myth 2: Making the logbook GDPR compliant is an easy task
Fact: It’s possible, but not easy
To make the paper logbook compliant, there’s a laundry list of requirements: the book needs to be stored safely, the data cannot be disclosed to third parties at any circumstance (except the receptionists), logbooks need to be destroyed (shredded) on a regular basis and without a possible way of stealing the data, it needs to be able to respond to GDPR requirements of getting explicit consent along with many other requirements,...
Achieving all this is technically possible, but like with most activities carried out manually, the risk of errors (and negligence) is high.
It’s important to not underestimate the jeopardy of “welcoming” GDPR with a paper logbook as the solution for storing and processing your visitors’ data. Going digital will save you a lot of headaches.
Myth 3: Explicit consent must always be given when visitors check in at your front desk
Fact: Explicit consent does not apply to (all of) your visitor data
The concept of consent is one of the pillars of GDPR and definitely one of its key innovations that is inspiring change for many organizations.
Even if GDPR lays a lot of stress on consent as one of the main mechanisms of preserving the data subjects’ privacy rights, it recognizes there are types of cases where it is not needed. Some of these are:
A contractual necessity - when personal data is processed on the basis that it constitutes a legal obligation
Vital/public interests - the cases where data processing directly affects a “life or death” scenario of the data subject and where it’s required for the normal functioning of an institution serving public interest, respectively
Legitimate interests - this means that processing the data without explicit consent is possible insofar it represents a legitimate interest of the controller without overriding the rights or freedoms of the data subjects at hand
This can easily apply to visitor management - the legitimate interest kicks in whenever you collect the data of your visitors for security reasons or in order to generate an emergency list.
Or, contractual necessity would - in principle - allow you to handle the information about your visitor as long as this is required in your contract or by another law.
Regardless, a good visitor management system will allow for a range of scenarios and will respond to different options through settings and opt-ins. We've written extensively about what this means here.
Consult your legal counselor to accurately assess each situation in which explicit consent might not be necessary.
Myth 4: Regarding data retention, it’s enough to just delete the data from time to time
Fact: Implementing the "right to be forgotten" correctly is more complex than that
It might seem GDPR doesn't innovate that much regarding the data retention period. After all, the previous law also recognized the concept of not storing data for longer than necessary.
But in fact, for the first time it explicitly states that the period ought to be explicitly determined.
This is only seemingly an easy exercise and definitely isn't a case of "one size fits all". Even within the same organization, you might find clashing views on what this period should be, e.g.:
- the compliance department will argue that shorter retention period increases the compliance level
- the security department will want to have a longer period of retention to preserve access to information in case of a security incident and a subsequent investigation.
In any case, the criteria for selecting a given retention period should be clearly thought out and documented in case they ever need to be justified. This is not a simple task.
When it comes to visitor management, you will want to use software that adapts to your needs. Being able to automatically delete the data is a big advantage over analog solutions such as logbooks.
An example of an automatic deletion feature
Furthermore, it's important to also recognize different profiles of visitors who differ in their attitudes on whether their data should be stored, and if so, for how long.
Since delighting your visitors is a key reason to invest in a visitor management system, showing flexibility to their needs - especially for a sensitive issue like data privacy - goes a long way towards getting the ROI from such an investment.
Myth 5: A processing agreement with the reception is not needed
Fact: The reception of a building is actually your data processor: you need to have an agreement
Very often, your company is just one of the tenants in the building where your office is located. Most of the time, in these cases it's one of the two scenarios:
Your property manager either staffs their own reception or
They subcontract it to a third party, such as a security firm
As such, it’s important to note that you should have a formal agreement with either the property manager (on top of your main agreements), or with the subcontractor, denoting the rights and obligations around data collection and processing from both parties.
In the latter case, ideally the property manager will be your liaison at the time of signing the lease agreement and offer to swiftly take care of this as well.
What matters is you end up with a formal agreement with the subcontractor (who is really a subprocessor here), either directly or via proxy to the property manager.
We expect this to become a normal, expected occurrence with time, if it hasn’t already.
GDPR is knocking at the door. We're holding a monthly webinar on GDPR, how it affects visitor management and what you need to do to prepare for it with the help of experts from Crowell & Moring.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.