As such, GDPR fines exist to keep businesses accountable. If you need a bit more background before diving deeper into this topic, then please do head over to our GDPR guide and I'll see you back here shortly.
These fines are actually avoidable, especially around your visitor management. But like the saying, "it takes a village," it really does take a holistic approach from your organization.
You can definitely start with saying goodbye to the sign-in sheet. Why?
This was just one revelation we had when we asked 2,000 business professionals around the US and UK about their experiences in corporate lobbies around the world.
These are the heavier fines for more serious violations. Read: Stomping on the very principles of the right to privacy and the right to be forgotten.
This is where the fines jump to 4% or up to $24 million, of your organization's worldwide annual revenue from the prior year.
Some of the infringements involve articles specific, but not limited, to:
GDPR's core principles around processing of personal data:Articles 5, 6 and 9
Achieving fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. That's a mouthful, but it's also at the heart of GDPR, even as it relates to your GDPR visitor sign-in according to experts.
Required for collecting visitor data (or data subjects at large).
EXCEPT: You do not have to ask for consent in every single situation. You have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company. There's more about this in our GDPR compliance checklist for your visitor management system.
They're going through the ringer for falling short of doing everything they could to comply with GDPR.
With fines in amounts upwards of $229 million, it's important to note that it's not only big names getting hit with penalties.
There are hundreds of GDPR penalties that have been doled out since the regulation's passing in March of 2018, just not as massive or hurled into the public eye as the ones mentioned above.
Failure to delete data gives Denmark's Data Protection Authority (DPA) their first acts of power
In April 2019, data deletion and data minimization took the GDPR spotlight in Denmark for the first time.
Clear in GDPR's bylaws, it states: Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The data subject shall have the right to withdraw his or her consent at any time.— Article 7(3) of GDPR
However, Danish taxi company Taxa failed to delete customer data—telephone numbers to be exact—inside the 2-year data retention period. Their fine was to the tune of roughly €160,000.
Furthermore, in June 2019, the Danish DPA also proposed a fine of €200,000 on IDDesign, a trendy Scandinavian interior design company—and this also for failure to delete data of its customers.
But remember, it's not only your customers' data you must manage.
Chronologically, the Visitor Management System (or the logbook) will be the first thing the auditor will see. We heard from clients' stories about auditors who started their day by playing with the front desk iPad for one hour and seeing it from a data privacy perspective.— Geoffroy De Cooman, Head of Product, Proxyclick
Yes. Your company's visitors' details also fall under GDPR's data minimization. So it's important to make sure the visitor management solution you implement allows you to set your visitor data retention periods.
With Proxyclick, it's possible to do that in two ways: Manually, or automatically.
So not only will you be able to more easily comply with data minimization, but you'll be able to show the automated process you have in place when it comes time for an audit.
You can dive deeper in "Checking into data privacy," our free e-book about the steps involved to get to a GDPR-compliant front desk.
A hotel employee left a printed list of their guests laying around their restaurant's front desk. The list was photographed by passerby and subsequently shared publicly, leaking the personal data of said guests!
Not only is this a nightmare for the guests—can you imagine having your personal info passed around without your knowing? But it also resulted in a sanctioned fine of €15,000.
The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law.— European Data Protection Board
Truth be told, I didn't know about this particular hotel's "breach in data" until recently. I'd be lying if I said I wasn't tempted to send this blog post back to the lovely hotel I stayed at last month just so they're aware of the risks.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.