How your visitor management system can help you avoid GDPR fines

By Jun Song

The last thing I think about when I'm on vacation is "GDPR."

Yet last month, when I was staying at a lovely hotel (who shall not be named in this blog), I was faced with a wholly non-GDPR-compliant scenario.

After a good night's sleep, my son and I made our way down to the hotel's scrumptious breakfast spread. As the host greeted us, I noticed a few pieces of paper on his stand.


On one of them, my name stood out to me immediately and next to it: my room number, home address, and telephone number. Even the smell of crisp bacon in the air didn't help ease my anxiety.

I asked the kind gentleman to "cover the guest info, please," and he didn't understand why. After two cups of coffee in my system, I went back to explain to him why.

The "why": why aren't paper sign-in sheets GDPR-compliant?

The very essence of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the enforcement authority vested in the UK's Information Commissioner's Office (ICO) is data privacy.

As such, GDPR fines exist to keep businesses accountable. If you need a bit more background before diving deeper into this topic, then please do head over to our GDPR guide and I'll see you back here shortly.

These fines are actually avoidable, especially around your visitor management. But like the saying, "it takes a village," it really does take a holistic approach from your organization.

You can definitely start with saying goodbye to the sign-in sheet. Why?

This was just one revelation we had when we asked 2,000 business professionals around the US and UK about their experiences in corporate lobbies around the world.

There's more about it in our Front Desk Experience Survey 2018. But your business can get fined for this very cause, so don't believe anyone telling you otherwise.

GDPR myths are the new urban myths of our time.

GDPR fines come in tiers

Fun Fact: If an organization has been fined for multiple GDPR violations, it will only be penalized for the most severe one.

But no two GDPR fines are alike and depending on the violation, your business will be penalized more severely.

To break it down into simpler terms, there are two possible degrees of severity:

Tier One

Monetarily, you can be fined up to 2% of your organization's worldwide annual revenue from the prior year, or up to $12 million. These include any violation of the articles specific to:

  • Certification bodies
  • Monitoring bodies
  • Data Controllers and Processors: It's vital to have a Data Processing Agreement (DPA) in place with your visitor management solution provider. At Proxyclick, we've adapted our "legalese" to reflect GDPR. See our template

Tier Two

These are the heavier fines for more serious violations. Read: Stomping on the very principles of the right to privacy and the right to be forgotten.

This is where the fines jump to 4% of your organization's worldwide annual revenue from the prior year, or up to $24 million.

Some of the infringements involve, but are not limited to, the articles on:

  • GDPR's core principles around processing of personal data: Articles 5, 6 and 9
    • Achieving fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. That's a mouthful, but it's also at the heart of GDPR, and according to experts it applies just as much to your GDPR visitor sign-in.
  • Consent as a legal basis: Article 7
    • Required for collecting visitor data (or data subjects at large).
      • EXCEPT: You do not have to ask for consent in every single situation. You have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company. There's more about this in our GDPR compliance checklist for your visitor management system.
  • The data subjects’ rights: Articles 12-22

Some notable GDPR fines: Google et al.

By now we've all seen the headlines about the big hitters:

They're going through the wringer for falling short of doing everything they could to comply with GDPR.

With fines in amounts upwards of $229 million, it's important to note that it's not only big names getting hit with penalties.

There are hundreds of GDPR penalties that have been doled out since the regulation's passing in March of 2018, just not as massive or hurled into the public eye as the ones mentioned above.

 

Failure to delete data gives Denmark's Data Protection Authority (DPA) their first acts of power

In April 2019, data deletion and data minimization took the GDPR spotlight in Denmark for the first time.
 
GDPR states it clearly: "Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."

"The data subject shall have the right to withdraw his or her consent at any time." — Article 7(3) of GDPR

However, Danish taxi company Taxa failed to delete customer data—telephone numbers to be exact—inside the 2-year data retention period. Their fine was to the tune of roughly €160,000.
 
Furthermore, in June 2019, the Danish DPA also proposed a fine of €200,000 on IDDesign, a trendy Scandinavian interior design company—and this also for failure to delete data of its customers.
 
But remember, it's not only your customers' data you must manage.

"Chronologically, the Visitor Management System (or the logbook) will be the first thing the auditor will see. We heard from clients' stories about auditors who started their day by playing with the front desk iPad for one hour and seeing it from a data privacy perspective." — Geoffroy De Cooman, Head of Product, Proxyclick

Yes. Your company's visitors' details also fall under GDPR's data minimization. So it's important to make sure the visitor management solution you implement allows you to set your visitor data retention periods.
 
With Proxyclick, it's possible to do that in two ways: manually, or automatically.

So not only will you be able to more easily comply with data minimization, but you'll be able to show the automated process you have in place when it comes time for an audit.
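To make the retention mechanism concrete, here is an added example (not Proxyclick's code; the record schema, field names and sample visits are all constructed for illustration) of how a visitor log can enforce a retention period automatically, support manual erasure when a visitor withdraws consent, and keep an audit trail that proves deletions happened without itself storing the visitor's personal data. The retention clock starts at check-out rather than check-in, so a long visit that straddles the cutoff is not deleted early.

```python
"""Retention-based deletion for a visitor sign-in log (illustrative, constructed schema)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class VisitorRecord:
    """One sign-in entry. Hypothetical fields chosen to mirror a typical front-desk form."""
    record_id: int
    name: str
    company: str
    phone: str
    host: str
    checked_in: datetime
    checked_out: Optional[datetime] = None


@dataclass
class AuditEntry:
    """Evidence of a deletion. Deliberately carries no personal data: only the record id,
    the action taken and why, so the audit log does not become a second retention problem."""
    when: datetime
    action: str       # "auto_purge" or "manual_erase"
    record_id: int
    reason: str


@dataclass
class VisitorLog:
    retention: timedelta
    records: List[VisitorRecord] = field(default_factory=list)
    audit: List[AuditEntry] = field(default_factory=list)

    def _erase(self, rec: VisitorRecord, action: str, reason: str, now: datetime) -> None:
        self.records.remove(rec)
        self.audit.append(AuditEntry(now, action, rec.record_id, reason))

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion (storage limitation): remove every visit that ended before
        now - retention. An open visit (no check-out) is measured from check-in.
        Returns the number of records erased."""
        cutoff = now - self.retention
        expired = [r for r in self.records if (r.checked_out or r.checked_in) < cutoff]
        for rec in expired:
            self._erase(rec, "auto_purge", f"retention of {self.retention.days} days exceeded", now)
        return len(expired)

    def erase_visitor(self, record_id: int, now: datetime,
                      reason: str = "data subject withdrew consent") -> bool:
        """Manual deletion, e.g. a visitor exercising the right to withdraw consent.
        Returns False when no such record exists."""
        for rec in self.records:
            if rec.record_id == record_id:
                self._erase(rec, "manual_erase", reason, now)
                return True
        return False


# Constructed demo data: a 30-day retention period evaluated on 1 July 2019.
DEMO_NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)


def build_sample_log() -> VisitorLog:
    """Four constructed visits around the 1 June 2019 cutoff."""
    d = lambda *ymd: datetime(*ymd, tzinfo=timezone.utc)
    log = VisitorLog(retention=timedelta(days=30))
    log.records = [
        VisitorRecord(1, "A. Visitor", "Acme", "+00 000 0001", "Host A", d(2019, 5, 1), d(2019, 5, 1)),
        VisitorRecord(2, "B. Visitor", "Globex", "+00 000 0002", "Host B", d(2019, 6, 25), d(2019, 6, 25)),
        # Checked in before the cutoff but checked out after it: must be kept.
        VisitorRecord(3, "C. Visitor", "Initech", "+00 000 0003", "Host C", d(2019, 5, 30), d(2019, 6, 5)),
        # Never checked out: measured from check-in, which is before the cutoff.
        VisitorRecord(4, "D. Visitor", "Umbrella", "+00 000 0004", "Host D", d(2019, 5, 31)),
    ]
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("auto-purged:", log.purge_expired(DEMO_NOW))
    print("remaining ids:", [r.record_id for r in log.records])
    print("manual erase of 3:", log.erase_visitor(3, DEMO_NOW))
    for entry in log.audit:
        print(entry)
```

In practice the purge would run on a schedule (a nightly job is enough for day-granular retention), and the audit entries are what you hand to an auditor: they show when each record was removed and under which rule, while the visitor's name and phone number are genuinely gone.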
 
You can dive deeper in "Checking into data privacy," our free e-book about the steps involved to get to a GDPR-compliant front desk.

The hotel sign-in sheet scenario revisited

In July 2019, World Trade Center Bucharest was fined 15,000 for the very scenario I started this blog with.
 
A hotel employee left a printed list of their guests lying around their restaurant's front desk. The list was photographed by a passerby and subsequently shared publicly, leaking the personal data of said guests!

Not only is this a nightmare for the guests (can you imagine having your personal info passed around without your knowledge?), but it also resulted in a sanctioned fine of 15,000.

"The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law." — European Data Protection Board

Having a digital visitor management system like Proxyclick, with granular access privileges, could have saved World Trade Center Bucharest much time and trouble—and reputation to boot. (More about how we handle security here)
 
Truth be told, I didn't know about this particular hotel's "breach in data" until recently. I'd be lying if I said I wasn't tempted to send this blog post back to the lovely hotel I stayed at last month just so they're aware of the risks.
 
Would you?
 

***

Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action. 
