The simple guide to GDPR and visitor management

For organizations who are ready to commit to data privacy for visitor data

Since May 25, 2018, we often associate the General Data Protection Regulation (GDPR) with technology—specifically, with surfing the web.

That's because we've all landed on webpages only to have to tick boxes and click away our consent to data collection. For many of us, it's almost become an automated response. It's strange to land on a website in 2019 and not be touched by the ripple effect of GDPR.

Simply put, businesses must be GDPR-compliant when it comes to their website visitors. That's pretty much a no-brainer. 


However, there's something else you need to remember: Your organization must also be GDPR-compliant in dealing with visitors to your office.

And this is where things get trickier. That's why we've created this guide. 

GDPR is not a game, but you do need a strategy when it comes to GDPR-compliant visitor management.

So here's what we'll cover:

Table of contents

  1. The basics of GDPR-compliant visitor management 
    1. Why was GDPR put in place?
    2. What does GDPR have to do with visitor management?
    3. Is a paper sign-in sheet exempt from GDPR? 
    4. Are US companies required to have GDPR-compliant visitor management?
    5. Who is involved in GDPR and visitor management?
  2. Defining the terminology
    1. Glossary of terms related to GDPR-compliant visitor management
  3. Some numbers related to GDPR (and visitor management)
    1. Proxyclick's research
    2. The European Commission's research
    3. Research from the International Association of Privacy Professionals (IAPP)
  4. Proxyclick's commitment to privacy
  5. Steps to ensure your visitor management system is GDPR-compliant
    1. Assess how visitor data will be collected
    2. Only collect data that is needed
    3. Don't store visit details longer than necessary
    4. Determine the level of visitor consent needed
    5. Clearly define rights and obligations 
    6. Be prepared to demonstrate GDPR-compliance
  6. Additional resources related to GDPR-compliant visitor management 
    1. Blog articles
    2. Helpful (free) templates
    3. White paper
    4. Recorded webinar

1. The basics

Why was GDPR passed in the first place?

For many people, the real question is, "Why wasn't the General Data Protection Regulation passed sooner?"

It protects the privacy of everyday (EU) citizens and keeps businesses accountable for the enormous amount of information they collect.

Good to know

The GDPR puts in place general principles that have to be respected when processing personal data. These are:

  • Fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

GDPR is more common sense than anything else. And it's based on principles that should already live in the heart of how your organization processes personal data.

What does GDPR have to do with visitor management?

We define visitor management as the act of tracking the people who come and go from your premises. Doing so necessarily means collecting personal data.

GDPR applies to any processing of personal data (i.e. data that can be linked to an individual, such as names, email addresses, car registration numbers, or pictures).

In this way, GDPR has fundamental implications for the way visitor data is collected and managed.

This applies just as much to businesses using the old paper logbook as it does to those with an advanced visitor management system in place.

Is a visitor sign-in book exempt from GDPR?

Absolutely not.

In fact, and contrary to popular belief, GDPR is based on technology neutrality:

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing...

— GDPR Recital 15, General Data Protection Regulation

This means that your organization is at risk if you're sticking to pen-and-paper visitor management.

Using a paper visitor logbook raises a number of red flags around confidentiality, storage, and management of visitor data. Not only will you have an administrative nightmare on your hands, but you'll also be increasing the margin of human error (you'll see why a little later).

Serious infringements against GDPR have happened already, to the tune of more than EUR 50,000,000 since the law came into effect on May 25, 2018. 

Are U.S. companies also required to have GDPR-compliant visitor management?

Yes and no. It depends on your business.

GDPR applies only to certain companies:

  1. those based in the EU, and
  2. those that gather personal data from European citizens

If your business falls into either of these categories, then absolutely yes, your visitor management system must comply with GDPR.

Who are the stakeholders in GDPR-compliant visitor management?

There are 3 main stakeholders when it comes to GDPR and visitor management:

  1. Your visitor aka the Data Subject
  2. Your company aka the Data Controller
  3. Your software aka the Data Processor


Your visitor

The Data Subject

The EU resident in question, whose personal data is being processed.

Your company

The Data Controller

The entity that determines the purpose and method of the data processing.

Your software

The Data Processor

The entity (e.g. Proxyclick) that processes data on behalf of a Controller.

2. Glossary of terms: GDPR-compliant visitor management

At Proxyclick, we're not fans of throwing around words nobody understands.

So we've compiled a list of key terminology defining the topic of GDPR and visitor management, listed in alphabetical order: 

Consent — Any freely given, specific, informed and unambiguous indication of the individual's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent as a legal basis can be withdrawn by the individual at any time. Therefore, it is often advisable to investigate whether other legal bases are possible.

Data Controller — The entity which alone, or jointly with others, determines the purposes and means of certain processing of personal data. It is the entity that determines why and how a certain set of personal data is processed.

Data Minimization — The act of only collecting the personal data that is needed to achieve its intended purpose. Furthermore, such data should only be retained for as long as it serves said purpose.

Data Processing — Any operation performed on personal data, manually or automatically, from the collection of the data to its destruction. This includes collecting, storing, sharing, viewing, altering, and using it for marketing purposes, payroll administration, etc., until deletion.

Data Processing Agreement (DPA) — A special agreement that has to be signed between the controller and the processor and sets out the obligations the processor has towards the controller. This applies to agreements entered into between controllers and processors as of 25 May 2018, but it also applies to collaborations that were already in place before this date, in which case the existing agreements ought to be reviewed and updated, typically via an addendum.

Data Processor — An individual or an entity which processes personal data on behalf of a controller. 

Data Protection Officer (DPO) — The person in the company designated to advise on the obligations the controller or processor has under the GDPR and to monitor the level of compliance with the GDPR.

Data Subject — The person to whom a piece of personal data belongs: an individual who can be clearly identified from the data in question.

Legitimate interests — Legitimate interests can only be used as a legal basis for processing when they don’t override the interests or fundamental rights and freedoms of the individual whose personal data is processed. To see whose interest prevails, a balance of interests test will have to be performed.

Personal data — Any information relating to an identified or identifiable natural person, namely the "Data Subject". If a set of data can be attributed to an individual, it is considered personal data, even when the data is used in a business environment.

Right to erasure (“right to be forgotten”) — An individual can require a controller to delete their personal data when the continued processing of that personal data is no longer justified.

For more clarification, and examples, you can download our GDPR white paper: Checking into data privacy

3. The State of GDPR and visitor management

Proxyclick's research

In 2018, we asked 2000 office workers across the UK and the US to tell us more about their visitor experiences in corporate lobbies. 

Among the key findings in our 2018 Front Desk Experience Survey were real-life implications of data privacy:

The EU Commission's research

On January 28, 2019—Data Privacy Day, or Data Protection Day as the European Commission likes to call it—nearly 9 months of data was released by way of this infographic:

According to the European Data Protection Board, the following were reported between May 2018 and January 2019:

  • 95,180 complaints to Data Protection Authorities under the GDPR
  • 41,502 notifications of data breaches
  • 255 cases of cross-border investigations
  • EUR 50,025,280 in fines issued under GDPR
  • 23 of the 28 EU Member States had adopted national legislation
  • 300,000 mentions of GDPR in the media, in 2018, compared to Mark Zuckerberg's 100,000
  • Higher Google search volume for GDPR than that of Kim Kardashian and Beyoncé in May 2018 

Besides the post-GDPR apocalyptic fines and complaints that ensued, it's important to note the entertainment value of this reporting. The EU Commission has quite a healthy sense of humor to go with its keeping up with current events via celebrity name-dropping.

But such spikes in reported complaints and data breach notifications are no laughing matter. In all seriousness, now's the time to buckle down and reaffirm your commitment to data privacy.

IAPP's research

In May 2019, the International Association of Privacy Professionals released a GDPR One Year Anniversary Infographic backed by its own survey results and research from recent years.

In fact, IAPP reports that under the GDPR, nearly 500,000 organizations have registered data protection officers across Europe. Needless to say, their survey results indicate that this is a prime time to be in the business of data protection.

4. Proxyclick's commitment to privacy

At Proxyclick we did not wait for GDPR to commit to privacy. It has always been an integral part of our offering. 

We are the only VMS to have been granted an ISAE 3000 Type I data privacy attestation, based on 5 leading international frameworks.


Here’s where we are on our GDPR journey:

  • Setting up an internal team dedicated to GDPR - DONE
  • Hiring legal counsel - DONE
  • Reviewing our process and product - DONE
  • Data hosting within the EU - DONE
  • Adapting our legal texts (terms and conditions, DPA) to reflect GDPR - DONE
  • Appointing a DPO (Data Protection Officer) - In progress
  • Defining a data breach notification process - DONE
  • Publishing a checklist that helps you assess your processing of visitor data according to GDPR - DONE
  • Updating our Terms & Conditions specific to GDPR - DONE
  • Developing more data privacy and security features and adapting our product roadmap - DONE

Chronologically, the Visitor Management System (or the logbook) will be the first thing the auditor will see. We heard stories from clients about auditors who started their day by playing with the front desk iPad for one hour and looking at it from a data privacy perspective.

— Geoffroy De Cooman, Head of Product, Proxyclick

5. How to make sure your visitor management system is GDPR-compliant

You can be well on your way to a GDPR-compliant front desk in 6 steps:

6. Additional GDPR Resources

As a testament to our dedication to privacy and GDPR compliance, we have prepared a host of actionable content around the topic:

Blog articles

Templates

  • Sample clauses about consent for your NDAs: Instantly update your NDA for GDPR by adding the clause we provide, in 22 languages, asking for explicit consent. Use it now
  • Our sample Data Processing Agreement: Check it out now

Webinar

  • We have also hosted a series of webinars on the topic of GDPR and its implications on visitor management. The webinars were co-hosted by Geoffroy De Cooman, Managing Director and Head of Product at Proxyclick and Judith Bussé from Crowell & Moring. Watch the replay

As GDPR isn't a one-off exercise, but a mindset, we will continue to update this guide with timely content.

If you'd like to take action today, then contact us to keep this conversation going!

Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.