GDPR vs paper logbook: More than ever, time to go digital
Added on Jan 31, 2018 by Filip Galetic
After looking at what features should be included in a GDPR-compliant Visitor Management System, we now look at the "system" still used by many companies - the paper logbook. How does it fare against the new strict rules set by GDPR? We talked with a few experts on the new data privacy act.
GDPR has been THE super topic for a while, with businesses waking up to the fact that the new law will be enforced in just a few short months. Yet not many of them have really figured out how to ensure compliance by the May deadline - and far fewer of them realize what a threat the paper logbook might present in that respect.
We asked two GDPR experts to share their opinion on the paper visitor logbook and its compatibility with the up-and-coming data privacy law.
(Note: Their responses have been edited merely for clarity and to match the house style.)
Can the paper logbook pass the test of GDPR?
We talked about how GDPR and its innovations apply to the typical way of logging business visitors in a paper logbook with Karen Cheeseman, a GDPR consultant with a background in data management and analysis, marketing and strategy, working with PrivacyTrust, who offer privacy & GDPR solutions to businesses:
Karen Cheeseman: It's important to consider who can see the private data
"It could be said that a paper-based system is difficult to manage, it could be time consuming, it may not provide the ideal level of security and that anyone can read the logbook. A lot of this depends on what the organization does with the data. Is it simply a way of knowing who is in the building at a given time or is the organization storing and using that information to use for another purpose, such as marketing or profiling? If it is simply for knowing who is in the building at a given time, then the main points to make are data privacy. The organization should ensure that the names of those who have previously signed in are not visible to the next individual."
The paper logbook, on the other hand, leaves the records of previous visitors easily visible to anyone who looks at them. Even the solutions intended to prevent this from happening, such as 'discreet sheets' or 'peel-off systems', are imperfect and can be easily tampered with.
On top of the danger to GDPR compliance, the paper logbook makes for a less than perfect impression on your clients, suppliers and stakeholders - especially when there are far more elegant solutions out there.
Nevertheless, as Ms Cheeseman further explains, it's not just about privacy when it comes to GDPR and the paper logbook:
The problem lies in the fact that it's hard to ask for consent elegantly via the paper logbook. Do you ask each visitor verbally, and if so, what if your front desk team handles a large volume of visitors and/or makes an error? You could print the consent text in the logbook, but then it would be very hard to make sure it's read by each visitor. Furthermore, it's important to ensure that different profiles of visitors are respected: those that value ease of use and swift access (e.g. recurrent visitors) versus those who want an added level of privacy and the right to not have their data stored for a long time.
Evidently, using a paper logbook results in a quickly mounting heap of questions and potential errors. We wrote more extensively about settings and features a visitor logging system should have to align with the norms of GDPR - it's distressingly obvious that it would be near impossible for a paper logbook to compete with what a digital solution can.
Ms Cheeseman continues:
"The organization should provide a Visitor Data Policy, it should state clearly the data that is collected from the individual, how the data is collected, why it is collected, how the information is used - the purpose it will be used for, how the information is stored, where it will be stored, how long it will be retained, who it will be shared with, the individual's rights - deletion, access, right to be forgotten. [...] Whatever visitor management you have in place you need to be able to show that it is compliant with GDPR, so think about why you need the data, what you need it for and how you are processing and storing it - think about data minimization."
How do you ensure you only ask the right questions of each visitor with the paper logbook? After all, in the real world, each of your visitors has a unique mission and relationship with your organization - they might be a job candidate, a delivery person, a partner or perhaps an auditor. Does it make sense to ask all of them the same questions?
With a digitized solution, these questions are far easier to solve: your visitors will only ever be asked what is absolutely necessary based on the information they provide. No need to ask - nor store - the information about someone's car license plate if they did not arrive with a car, for example.
Multi-tenant situation: multiple vulnerabilities
A paper logbook is especially vulnerable, and a potential source of exposure for your company, in the multi-tenant context. We talked to Danko Pigac, a business consultant for Pragmatekh Ltd. with over 20 years of experience in corporate leadership positions, now helping private and public companies bring their businesses into compliance with GDPR as well as teaching, writing and publicly speaking about the topic.
Danko Pigac: GDPR can be seen as a call for digitization of all business models
"Very often we see the paper logbook in lobbies of single or multi-tenant business buildings where security operatives check the identity of the visiting parties. Unfortunately, the paper logbook has quite a few disadvantages in the face of GDPR. First of all, the book is usually very visible to visitors and in that way, it offers all personal data in plain sight. Also, security operatives are able to browse the book as they like with no control and no awareness of personal data protection. Furthermore, nobody knows for sure what happens to the book once it is filled out to the last page and it’s not hard to imagine it's simply put in the ‘old paper’ bin with the other various paper records and disposed of publicly. Finally, the worst problem is that none of the companies in that building are aware of the fact that the security company logging visitors is their processor, since they are actually employed by the building owner and not by any of the companies. It’s the same situation even if the security personnel is employed by the company that is also the building owner and the only tenant."
Apart from the clear threat to privacy and the potential to seriously infringe GDPR provisions, the paper logbook also complicates the sharing of the information in the records:
"On the other hand, visitors have the right of access to information and they need to be able to know who is collecting and processing their data and for what purpose, for how long their personal data will be stored and who will have access to their data. And the same goes for companies who might ask to see the visitors list, but with the paper logbook, there’s no way they can get direct information just for their company. Unless the data is copied, they’ll get the full logbook copy with all other personal data not relating to their business."
As shown above, using a paper logbook presents a potential minefield of infringements and breaches of GDPR law, and with GDPR coming into force in less than six months, acting quickly, but also acting smartly, is of utmost importance for businesses looking to avoid damages on multiple fronts.
Mr Pigac offered his view on the issue from the visitor management standpoint:
"As GDPR is actually a call for digitalization of all business models, I suggest to both building owners and possibly even security companies that they digitize the visitor logbook. That way they can manage data access, prevent unwanted access to personal data and have instant visitor reporting for tenants by simply using a computer application instead of a paper logbook. There’s a multitude of GDPR and data protection aspects they can cover using a proper digital solution, which also helps simplify the logging process and makes it faster and more convenient for repeat visitors."
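To make the three controls discussed above concrete (collecting only the fields a given visitor actually needs, showing each tenant only its own visitors, and deleting records once their retention period has passed), here is a small Python illustration. It is an added example written for this article, not Proxyclick code; the visitor purposes, the per-purpose field lists, the 30-day retention period and all names are assumptions made for the demo.

```python
"""Illustrative tenant-scoped visitor register (added example, not Proxyclick code).

Demonstrates three controls a digital logbook can give that a paper one cannot:
  - data minimisation: store only the fields relevant to this visitor,
  - tenant isolation: a tenant only ever sees its own visitors,
  - retention: records are purged once their retention period has passed.
Purposes, field lists, the retention period and all names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed retention policy for the example: 30 days after sign-in.
RETENTION = timedelta(days=30)

# Assumed minimal field set per visitor purpose (data minimisation).
REQUIRED_FIELDS = {
    "meeting":   {"name", "host"},
    "delivery":  {"name", "company"},
    "candidate": {"name", "host"},
    "auditor":   {"name", "company", "host"},
}


@dataclass
class VisitorRecord:
    tenant: str                            # the company (controller) being visited
    purpose: str
    name: str
    signed_in: datetime
    host: Optional[str] = None
    company: Optional[str] = None
    license_plate: Optional[str] = None    # only collected when the visitor arrived by car


@dataclass
class VisitorRegister:
    _records: List[VisitorRecord] = field(default_factory=list)
    # Audit trail of who requested which tenant's visitor list and when.
    access_log: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def sign_in(self, tenant, purpose, answers, now, arrived_by_car=False):
        """Keep only the fields this visitor type needs; silently drop the rest."""
        if purpose not in REQUIRED_FIELDS:
            raise ValueError(f"unknown visitor purpose: {purpose}")
        needed = set(REQUIRED_FIELDS[purpose])
        if arrived_by_car:
            needed.add("license_plate")
        missing = needed - set(answers)
        if missing:
            raise ValueError(f"missing required answers: {sorted(missing)}")
        kept = {k: v for k, v in answers.items() if k in needed}
        rec = VisitorRecord(tenant=tenant, purpose=purpose, signed_in=now, **kept)
        self._records.append(rec)
        return rec

    def report_for_tenant(self, tenant, requested_by, now):
        """Return only this tenant's visitors and record who asked for them."""
        self.access_log.append((now, requested_by, tenant))
        return [r for r in self._records if r.tenant == tenant]

    def purge_expired(self, now):
        """Delete records older than RETENTION; return how many were removed."""
        before = len(self._records)
        self._records = [r for r in self._records if now - r.signed_in < RETENTION]
        return before - len(self._records)

    @staticmethod
    def stored_fields(record):
        """Names of the fields actually stored (non-empty) for a record."""
        return sorted(k for k, v in vars(record).items() if v is not None)


if __name__ == "__main__":
    reg = VisitorRegister()
    t0 = datetime(2018, 2, 1, 9, 0)   # constructed timestamp
    # Constructed sample answers: the e-mail and plate are not needed for a
    # delivery on foot, so they are never stored.
    jo = reg.sign_in("Acme Ltd", "delivery",
                     {"name": "Jo", "company": "ParcelCo",
                      "license_plate": "XX-123", "email": "jo@example.com"}, t0)
    print("stored for Jo:", reg.stored_fields(jo))
    sam = reg.sign_in("Beta GmbH", "meeting",
                      {"name": "Sam", "host": "Alex", "license_plate": "YY-456"},
                      t0 + timedelta(days=10), arrived_by_car=True)
    print("Acme sees:", [r.name for r in reg.report_for_tenant("Acme Ltd", "acme-reception", t0)])
    print("purged:", reg.purge_expired(t0 + timedelta(days=31)))
```

The tenant filter in `report_for_tenant` is what answers Mr Pigac's point about tenants otherwise receiving the full logbook: each tenant is handed only its own rows, and the request itself is logged so that browsing of personal data is no longer uncontrolled.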
We have prepared a host of content around GDPR, especially from the point of view of visitor management. We invite you to have a look at our GDPR hub page where we've laid out our own GDPR roadmap and talk in detail about how we are making Proxyclick apps GDPR-compliant.
Do you wish to learn more about GDPR, how it affects visitor management and what you need to do to prepare for it? Then sign up for our upcoming webinar 'Is your company ready for GDPR?' co-hosted by our Product Owner and Managing Director Geoffroy De Cooman and the GDPR legal expert from Crowell & Moring law firm Judith Bussé.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.