For organizations who are ready to commit to data privacy for visitor data
Since May 25, 2018, we often associate the General Data Protection Regulation (GDPR) with technology—specifically, with surfing the web.
That's because we've all landed on webpages only to have to tick boxes and click our consent away regarding the collection of our data. For many of us, it has almost become an automated response. It's strange to land on a website in 2019 and not be touched by the ripple effect of GDPR.
Simply put, businesses must be GDPR-compliant when it comes to their website visitors. That's pretty much a no-brainer.
However, there's something else you need to remember: Your organization must also be GDPR-compliant in dealing with visitors to your office.
And this is where things get trickier. That's why we've created this guide.
GDPR is not a game but you do need a strategy when it comes to GDPR-compliant visitor management.
So here's what we'll cover:
The GDPR puts in place general principles that have to be respected when processing personal data. These are:
GDPR is more common sense than anything else. And it's based on principles that should already live in the heart of how your organization processes personal data.
We define visitor management as the act of tracking the people who come and go from your premises. As such, there is personal data collected.
GDPR applies to any processing of personal data (e.g. data that can be linked to an individual such as names, email addresses, car registration numbers, or pictures).
In this way, GDPR has fundamental implications for the way visitor data is collected and managed.
This applies just as much to businesses using the old paper logbook as it does to those with an advanced visitor management system in place.
In fact, and contrary to popular belief, GDPR is based on tech neutrality:
This means that your organization is at risk if you're sticking to pen and paper visitor management.
Using a paper visitor logbook raises a number of red flags around confidentiality, storage, and management of visitor data. Not only will you have an administrative nightmare on your hands, but you'll also be increasing the margin of human error (you'll see why a little later).
Serious infringements against GDPR have happened already, to the tune of more than EUR 50,000,000 since the law came into effect on May 25, 2018.
Yes and no. It depends on your business.
GDPR applies only to certain companies:
If your business falls into either of these categories, then absolutely yes, your visitor management system must comply with GDPR.
There are 3 main stakeholders when it comes to GDPR and visitor management:
The resident of the EU in question whose personal data is being processed.
The entity that determines the purpose and method of the data processing.
The entity (e.g. Proxyclick) that processes data on behalf of a Controller.
At Proxyclick, we're not fans of throwing around words nobody understands.
So we've compiled a list of key terminology defining the topic of GDPR and visitor management, listed in alphabetical order:
Consent — This is any freely given, specific, informed and unambiguous indication of the individual's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent as a legal basis can be withdrawn by the individual at any time. Therefore, it is often advisable to investigate whether other legal bases are possible.
Data Controller — The entity which alone, or jointly with others, determines the purposes and means of certain processing of personal data. It is the entity that determines why and how a certain set of personal data is processed.
Data Minimization — The act of collecting only the personal data that is needed to achieve the intended purpose. Furthermore, such data should only be retained for as long as it serves that purpose.
Data Processing — Any operation performed on personal data, manually or automatically, from the collection of the data to its destruction. This includes collecting, storing, sharing, viewing, altering and using it (for marketing purposes, payroll administration, etc.), right up until deletion.
Data Processing Agreement (DPA) — A special agreement that has to be signed between the controller and the processor and sets out the obligations the processor has towards the controller. This applies to agreements entered into between controllers and processors as of May 25, 2018, but it also applies to collaborations that were already in place before this date, in which case the existing agreements ought to be reviewed and updated, typically via an addendum.
Data Processor — An individual or an entity which processes personal data on behalf of a controller.
Data Protection Officer (DPO) — The person in the company designated to advise on the obligations the controller or processor has under the GDPR and to monitor the level of compliance with the GDPR.
Data Subject — The person to whom a piece of personal data belongs. An individual who can be clearly identified from the data in question.
Legitimate interests — Legitimate interests can only be used as a legal basis for processing when they don’t override the interests or fundamental rights and freedoms of the individual whose personal data is processed. To see whose interest prevails, a balance of interests test will have to be performed.
Personal data — Any information relating to an identified or identifiable natural person, namely the "Data Subject". If a set of data can be attributed to an individual, it is considered personal data, even when the data is used in a business environment.
Right to erasure (“right to be forgotten”) — An individual can require a controller to delete their personal data when the continued processing of that personal data is no longer justified.
For more clarification, and examples, you can download our GDPR white paper: Checking into data privacy
In 2018, we asked 2000 office workers across the UK and the US to tell us more about their visitor experiences in corporate lobbies.
Among the key findings in our 2018 Front Desk Experience Survey were real-life implications of data privacy:
On January 28, 2019—Data Privacy Day, or Data Protection Day as the European Commission likes to call it—nearly 9 months of data was released by way of this infographic:
According to the European Data Protection Board, from May 2018 to January 2019, there were a reported:
Besides the post-GDPR apocalyptic fines and complaints that ensued, it's worth noting the entertainment value of this reporting: the EU Commission shows quite a healthy sense of humor, keeping up with current events via celebrity name-dropping.
But such spikes in reported complaints and data breach notifications are no laughing matter. In all seriousness, now's the time to buckle down and reaffirm your commitment to data privacy.
In May 2019, the International Association of Privacy Professionals (IAPP) released a GDPR One Year Anniversary Infographic backed by its own survey results and research from recent years.
In fact, the IAPP reports that under the GDPR, nearly 500,000 organizations have registered data protection officers across Europe. Needless to say, its survey results indicate that this is a prime time to be in the business of data protection.
At Proxyclick we did not wait for GDPR to commit to privacy. It has always been an integral part of our offering.
We are the only VMS to have been granted an ISAE 3000 Type I data privacy attestation, based on 5 leading international frameworks.
Here’s where we are on our GDPR journey:
As a testament to our dedication to privacy and GDPR compliance, we have prepared a host of actionable content around the topic:
As GDPR isn't a one-off exercise, but a mindset, we will continue to update this guide with timely content.
If you'd like to take action today, then contact us to keep this conversation going!