How your visitor management system can help you avoid GDPR fines

The last thing I think about when I'm on vacation is "GDPR."
Yet last month, when I was staying at a lovely hotel (which shall not be named in this blog), I was faced with a wholly non-GDPR-compliant scenario.
After a good night's sleep, my son and I made our way down to the hotel's scrumptious breakfast spread. As the host greeted us, I noticed a few pieces of paper on his stand.
On one of them, my name stood out to me immediately and next to it: my room number, home address, and telephone number. Even the smell of crisp bacon in the air didn't help ease my anxiety.
I asked the kind gentleman to "cover the guest info, please," and he didn't understand why. After two cups of coffee in my system, I went back to explain to him why.
The "why": why are paper sign-in sheets not GDPR-compliant?
The very essence of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the enforcement authority vested in the UK's Information Commissioner's Office (ICO) is data privacy.
As such, GDPR fines exist to keep businesses accountable. If you need a bit more background before diving deeper into this topic, then please do head over to our GDPR guide and I'll see you back here shortly.
These fines are actually avoidable, especially around your visitor management. But like the saying, "it takes a village," it really does take a holistic approach from your organization.
You can definitely start with saying goodbye to the sign-in sheet. Why?
This was just one revelation we had when we asked 2,000 business professionals around the US and UK about their experiences in corporate lobbies around the world.
There's more about it in our Front Desk Experience Survey 2018. But your business can get fined for this very cause, so don't believe anyone telling you otherwise.
GDPR myths are the new urban myths of our time.
GDPR fines come in tiers
Fun Fact: If an organization has been fined for multiple GDPR violations, it will only be penalized for the most severe one.
But no two GDPR fines are alike and depending on the violation, your business will be penalized more severely.
To break it down into simpler terms, there are two possible degrees of severity:
Tier One
Monetarily, you can be fined up to $12 million or 2% of your organization's worldwide annual revenue from the prior year. These fines cover any violation of the articles specific to:
- Certification bodies
- Monitoring bodies
- Data Controllers and Processors: It's vital to have a Data Processing Agreement (DPA) in place with your visitor management solution provider. At Proxyclick, we've adapted our "legalese" to reflect GDPR. See our template
Tier Two
These are the heavier fines for more serious violations. Read: Stomping on the very principles of the right to privacy and the right to be forgotten.
This is where the fines jump to $24 million or 4% of your organization's worldwide annual revenue from the prior year.
Some of the infringements involve articles specific to, but not limited to:
- GDPR's core principles around processing of personal data: Articles 5, 6 and 9
  - Achieving fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. That's a mouthful, but it's also at the heart of GDPR, even as it relates to your GDPR visitor sign-in, according to experts.
- Consent as a legal basis: Article 7
  - Required for collecting visitor data (or data subjects at large).
  - EXCEPT: You do not have to ask for consent in every single situation. You have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company. There's more about this in our GDPR compliance checklist for your visitor management system.
- The data subjects' rights: Articles 12-22
Some notable GDPR fines: Google et al.
By now we've all seen the headlines about the big hitters:
They're going through the wringer for falling short of doing everything they could to comply with GDPR.
With fines in amounts upwards of $229 million, it's important to note that it's not only big names getting hit with penalties.
There are hundreds of GDPR penalties that have been doled out since the regulation's passing in March of 2018, just not as massive or hurled into the public eye as the ones mentioned above.
Failure to delete data gives Denmark's Data Protection Authority (DPA) its first acts of power
"The data subject shall have the right to withdraw his or her consent at any time."
— Article 7(3) of GDPR
"Chronologically, the Visitor Management System (or the logbook) will be the first thing the auditor will see. We heard from clients' stories about auditors who started their day by playing with the front desk iPad for one hour and seeing it from a data privacy perspective."
— Geoffroy De Cooman, Head of Product, Proxyclick

The hotel sign-in sheet scenario revisited
"The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law."
— European Data Protection Board
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.