GDPR & Proxyclick
to GDPR and Data Privacy
GDPR and data privacy became THE hot topic of late 2017 thanks to the impending new law. It’s not surprising that these topics are relevant to us at Proxyclick as well.
On this page you can read more about the following:
- Most important facts on GDPR
- Our commitment to privacy
- What steps we are taking regarding GDPR compliance
- How to make your Proxyclick GDPR compliant
- Plenty of useful GDPR resources, including a way to instantly improve your compliance
Most important facts on GDPR
Here are some of the basic facts about GDPR (General Data Protection Regulation) that are important to know:
- The law was adopted in 2016 and will become enforceable in May 2018
- It updates and replaces Directive 95/46/EC (the 1995 Data Protection Directive), strengthening the rights of data subjects while at the same time facilitating the free flow of data
- It applies to organisations that process private data within the territory of the EU, and also to those outside the EU that handle the private data of EU citizens
- Infringement fines reach up to 4% of annual revenue
Our commitment to privacy
Privacy is a continuous mindset, not a one-time hurdle.
At Proxyclick we did not wait for GDPR to commit to privacy. It has always been an integral part of our offering. A good example is how we manage visitor profiles. Visitor profiles allow us to store permanent information like name or company separately from the temporary visit data.
We think it’s a great feature because:
- Storing profiles on the iPad allows returning visitors to check in quickly
- Storing profiles on the Dashboard allows receptionists, assistants etc. to quickly pre-register returning visitors too
However, the data stored at the profile level needs to be protected from different visitors' perspectives. On one hand, some visitors do not want their profile to be stored at all; different people have different sensitivities. On the other hand, some companies are reluctant to let their users access all visitor profiles from the Dashboard. We have to respect that too.
This is why Proxyclick comes with 7 features that protect the privacy of the visitor profile.
- 4 features to protect the visitor profile on the iPad: (1) disable the returning-visitor feature; (2) remove profiles in bulk; (3) visitor privacy; (4) consent toggle switch.
- 3 features to protect the visitor profile in the Dashboard: (5) personal vs. shared address book; (6) restrict the right to add profiles to the shared address book; (7) restrict the right to see/use profiles from the shared address book.
These are the steps we are taking regarding GDPR compliance
Sizeable fines alone are reason enough to take GDPR seriously. But really, it’s about a long-term commitment to protecting the private data of EU citizens. Getting aligned to that as a company is important to us.
Here’s where we are on our GDPR journey:
- setting up an internal team dedicated to GDPR - DONE
- hiring a legal counsel - DONE
- reviewing our process and product - DONE
- adapting our legal texts (terms and conditions, DPA to reflect GDPR) - DONE
- appointing a DPO (Data Protection Officer) - DONE
- defining a data breach notification process - DONE
- publishing a checklist that helps anyone assess if they process visitor data according to GDPR - DONE
- developing missing features and adapting our product roadmap - IN PROGRESS
Through a mix of existing and new features, we have you covered. We offer different settings that allow you to respond to GDPR requirements according to your needs and context. To make it easier to decide, here’s a short summary of actions to take.
1. Ensure you only collect client data that you absolutely need (data minimization)
GDPR asks organizations that store and process data to only use the amount of data that is sufficient for the purpose of the operations. This is called data minimization.
Proxyclick offers a practical way to minimize data through smart rules. You can customize your check-in flow to ask different questions of different visitor profiles, e.g. distinguishing between partners, contractors and job candidates.
2. When collecting your visitor data, ask their consent and explain how you will use it
Your visitors must give explicit consent for their information to be collected as required by GDPR. Within Proxyclick, this can be done in 2 ways:
1) By adding a sentence in your NDA informing them about the ways you intend to use their data and by asking them to provide explicit consent by signing the document.
2) By displaying a toggle option for visitors to accept (or refuse) the storage of their profile information on the iPad. (You can activate this feature by choosing Recognize returning visitors > Based on email on this page.)
3. Make it easy for visitors to withdraw their consent
4. Store visit details for no longer than what is needed
Data retention period is an important concept emphasized in GDPR. In a nutshell, it means personal data should only be used for as long as it’s needed to carry out activities it facilitates, after which it ought to be deleted.
What should this period be? There is no right answer. We’ve seen examples with 1 week or 1 year.
Different companies will establish different retention periods.
Even within the same company, different departments can have different perspectives: the compliance team might want to limit the period as much as possible to minimize infringement risk, while the security department might want to store the data for longer to preserve a historical view, say, in case of investigation of an incident (e.g. theft).
How do you delete the data in Proxyclick? One way is to use bulk deletion. In the Dashboard, you can select up to 50 visit records at a time and choose the Delete Visits option. This then needs to be repeated manually at regular intervals to delete data older than the retention period.
5. Understand the notion of legitimate interests
...and how it applies to explicit consent.
Explicit consent of the data subject (visitor) is emphasized in GDPR, but there is one thing good to know from the start: there are exceptions to everything, including how this is applied.
There are legally justified cases where explicit consent is actually not needed, and the text of GDPR names some of them: “contractual necessity” or “legitimate interests of the company”.
According to our legal counsel, what this means in practical terms is that you don’t need to ask for explicit consent every time you process visitor data in, for instance, your Outlook.
The same thing applies to saving the visitor profile in your dashboard, for example.
Strictly having to ask for consent every time you do something like this would make the system very unwieldy, to the point of being almost useless.
We believe that, luckily, many of the actions that are part and parcel of using a visitor management system satisfy the conditions of legitimate interests (security, scheduling…).
With that said, we do think it's important to offer various types of users the exact level of confidentiality that they need.
NOTE: Before you decide to apply the notion of legitimate interests, we recommend you get counsel from a legal expert.
Again, providing an adequate response to the GDPR is not a one-off exercise for us. We take the matter very seriously and will expand the ways we respond to different needs around data privacy.
A case in point: we are preparing an imminent release of the Automatic Deletion feature, the alternative to the Bulk Deletion mentioned above. We think that Bulk Deletion gets the job done, but it requires a certain degree of commitment and can be error-prone, which we believe can be improved.
That is why we will very soon ship this feature that allows you to "expire" your visit records after a certain number of days. By doing this, we will give you an option to solve this question painlessly and in a “set it and forget it” way.
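To make the retention logic behind Bulk Deletion (section 4 above) and the upcoming Automatic Deletion concrete, here is an added Python example. It is illustrative code written for this page, not Proxyclick's own implementation, and it assumes a simple data model: permanent profile records kept separately from visit records (as described under "Our commitment to privacy"), timezone-aware check-in timestamps, and a hypothetical rule that a profile whose visitor declined storage on the iPad is dropped once it no longer backs any retained visit. The 50-record batch size mirrors the Dashboard limit stated above; all sample visits and profiles are constructed.

```python
"""Retention sweep over visit records: expire visits older than N days.

Added illustration for this page; not Proxyclick code.  Data model, names and
the consent-based profile rule are assumptions, and all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VisitorProfile:
    """Permanent visitor data, stored separately from individual visits."""
    email: str
    name: str
    profile_storage_consent: bool  # the iPad toggle: did the visitor agree to keep a profile?


@dataclass(frozen=True)
class Visit:
    """Temporary visit data; this is what the retention period applies to."""
    visit_id: int
    visitor_email: str
    checked_in_at: datetime  # must be timezone-aware


def retention_cutoff(now: datetime, retention_days: int) -> datetime:
    """Visits checked in before this instant are past the retention period."""
    if now.tzinfo is None:
        raise ValueError("'now' must be timezone-aware so the comparison is unambiguous")
    if retention_days < 0:
        raise ValueError("retention_days must be >= 0")
    return now - timedelta(days=retention_days)


def find_expired_visits(visits, now, retention_days):
    """Return the visits older than the retention period, oldest first."""
    cutoff = retention_cutoff(now, retention_days)
    for v in visits:
        if v.checked_in_at.tzinfo is None:
            raise ValueError(f"visit {v.visit_id} has a naive timestamp")
    # Strict '<': a visit checked in exactly retention_days ago is still kept today.
    return sorted((v for v in visits if v.checked_in_at < cutoff),
                  key=lambda v: v.checked_in_at)


def batches(items, size=50):
    """Split a list into chunks, like a manual bulk deletion limited to `size` records."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def apply_retention(visits, profiles, now, retention_days):
    """Delete expired visits, then drop profiles the visitor did not consent to keep
    and that no longer back any retained visit (assumed rule, not Proxyclick's).
    Returns (kept_visits, kept_profiles, deleted_visit_ids)."""
    expired_ids = {v.visit_id for v in find_expired_visits(visits, now, retention_days)}
    kept_visits = [v for v in visits if v.visit_id not in expired_ids]
    emails_with_visits = {v.visitor_email for v in kept_visits}
    kept_profiles = [p for p in profiles
                     if p.profile_storage_consent or p.email in emails_with_visits]
    return kept_visits, kept_profiles, sorted(expired_ids)


# Constructed reference instant and sample data.
NOW = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)

SAMPLE_PROFILES = [
    VisitorProfile("ann@example.com", "Ann", True),
    VisitorProfile("bob@example.com", "Bob", False),  # declined profile storage on the iPad
    VisitorProfile("cat@example.com", "Cat", False),
]

SAMPLE_VISITS = [
    Visit(1, "ann@example.com", NOW - timedelta(days=200)),
    Visit(2, "bob@example.com", NOW - timedelta(days=120)),
    Visit(3, "cat@example.com", NOW - timedelta(days=90)),  # exactly at the cutoff: kept
    Visit(4, "ann@example.com", NOW - timedelta(days=3)),
    Visit(5, "bob@example.com", NOW - timedelta(days=91)),
]


def demo(retention_days=90):
    """Run the sweep over the constructed data with the given retention period."""
    return apply_retention(SAMPLE_VISITS, SAMPLE_PROFILES, NOW, retention_days)


if __name__ == "__main__":
    kept, profs, deleted = demo()
    print("deleted visits:", deleted)
    print("kept visits:", [v.visit_id for v in kept])
    print("kept profiles:", [p.email for p in profs])
```

Run with a 90-day retention period, the sweep deletes visits 1, 2 and 5, keeps visit 3 because it sits exactly on the boundary, and removes Bob's profile because he declined storage and has no remaining visits, while Cat's profile survives only as long as visit 3 does. The timezone checks matter in practice: a naive timestamp compared against an aware cutoff would either raise or silently shift the boundary by the server's UTC offset.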
The conversation on GDPR is just getting started! We have prepared some resources that can help you prepare better and learn more, whether you're a Proxyclick client or not.
As another testament to our dedication to privacy and GDPR compliance, we have been preparing a host of actionable content around the topic and will continue to do so in the weeks leading up to May 28 and beyond:
- 'Is your visitor management GDPR-compliant' checklist [LINK]
- GDPR vs Paper logbook: Time to go digital - in this blog post experts sound off on the viability of paper visitor logbooks in the face of GDPR [LINK]
- Prepared-for-you clauses in 22 languages that instantly update your NDA for GDPR by adding information on purpose and asking for explicit consent - download now
We are also hosting a webinar on the topic of GDPR and its implications on visitor management.
The next webinar, 'Is your company ready for GDPR?', is scheduled for:
- Thursday Feb 22nd, 2018; co-hosted by Geoffroy De Cooman, Managing Director and Head of Product at Proxyclick and experts from Crowell & Moring - sign up here
Finally, we invite you to take action and schedule a demo with our GDPR specialist on this page!