The news this week that firms in Europe have been collectively fined €273m for GDPR infringement highlights the importance of making sure your visitor management complies with GDPR. How can we store visitor data safely and, just as importantly, easily? In this blog, we will cover:
- An introduction to the General Data Protection Regulation
- Why do we need to consider GDPR compliance in visitor management?
- Why don’t we use paper visitor books?
- A checklist to ensure your visitor management’s GDPR compliance
- How visitor management systems can help
What is GDPR?
The General Data Protection Regulation came into effect on 25 May 2018 and is among the strictest data protection laws in the world. Drafted in the European Union, it applies to any organisation that stores or processes the personal data of individuals in the EU, even if the organisation itself operates outside the EU.
Thanks to the evolution of technology, millions of companies around the globe hold a mass of consumer data. Any personal data of people in the EU, such as names, addresses, dates of birth, purchase histories and bank details, must now be collected for a stated purpose, stored securely and kept for no longer than necessary.
Why do we need to consider GDPR Compliance in visitor management?
As discussed earlier, data plays an important role in office security. GDPR aims to strengthen individuals’ rights while still allowing data to flow freely in the digital market. The regulation gives far more weight to concepts such as visitor consent, retention periods and deletion.
Should a company breach GDPR, the penalties can be huge: up to €20 million or 4% of worldwide annual turnover, whichever is higher. Can you afford to break GDPR?
The natural process of visitor management
In any organisation, visitor data is commonly collected to deliver a better visitor experience or to keep the building safe. Organisations record personal data about the people who enter and leave their offices. Whatever the purpose, manually collecting, managing and erasing that data depends on the skill and diligence of individual staff, which makes the process error-prone and easy to get wrong.
Using paper visitor book for GDPR Compliance
Ensuring Visitor Privacy
No matter how you collect data from visitors, it must be handled, stored and deleted according to GDPR. This is not limited to data collected electronically; visitor sign-in sheets and anything else written down on paper are included.
If you use paper sign-in books to collect visitor details at check-in, you are putting yourself at significantly higher risk. An open sign-in book lets each visitor see the previous visitors’ details, which is a disclosure of personal data and can put you in breach of GDPR.
Data Safety
Ensure your visitor details are stored securely and deleted after a certain time period.
Unlike data held in a visitor management system, paper can easily be stolen, photographed or misplaced, leaving you unable to demonstrate that the data was kept secure as GDPR requires.
Data Purpose Limitation
GDPR’s purpose limitation principle means you must collect only the details you need for a stated purpose. If you are using sign-in sheets, reception staff must make sure the right form is given to each type of visitor, such as contractors, guests and cleaning services, so that each group is asked only for what their visit requires.
9 areas to ensure your Visitor Management’s GDPR Compliance
In order to stay compliant with GDPR, Facilities Managers should already have worked with IT to put a visitor management policy in place that handles sensitive data.
However, if you’re currently working to improve your reception services, it’s worth coming back to this subject to be sure you’re always following the data privacy regulation.
The recommendations below follow GDPR’s core principles and draw on advice from GDPR Associates. Here is a step-by-step checklist to improve your visitor management’s GDPR compliance.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Data accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
- Write a clear visitor management policy
- Visitor management system and GDPR compliance
1. Lawfulness, fairness and transparency: Ask for consent
You should collect and use personal data fairly and lawfully. Consent is one lawful basis, but note that it must be freely given; where you record visitors for building security, legitimate interest is often the more appropriate basis, and in either case you must be honest about why the data is needed and how long it will be kept. In practice, you can
- Ask visitors to confirm they have read the privacy policy
- Let visitors choose which optional data is stored in your visitor management system
2. Purpose limitation: Have a clear purpose of why you collect personal data
You must have a lawful basis, such as a legitimate interest, for collecting personal data. Be clear about why you want it and how it will be used. Under GDPR, visitors have a legal right to know what you plan to do with their information. If you need a visitor’s full name, address or other personal information, you must explain why you need it.
For visitor management purposes, the reasons might be:
- Security purposes – to identify unauthorized visitors or ensure your building’s safety.
- In case of an emergency
- To report visitor numbers/ visitor types
- Create a digital log for a faster check-in next time
3. Data minimisation: Only collect personal data you need
This principle requires that the visitor data you collect is adequate, relevant and limited to what is necessary. For visitor management, you should only ask for data that serves a stated purpose. For example, ask for a mobile number only if you will use it, such as to send text notifications in the event of an emergency.
4. Data Accuracy
Visitor data should be kept accurate when it changes. For example, if a visitor has changed their address by the time they next visit, company records should be updated with the new address in a timely manner.
To keep your visitor data accurate, a visitor management system can be fed from your calendar, so that every update to a visitor’s details in Outlook flows into the system automatically. Your front desk and facilities managers are then always aware of expected visitors and meeting changes without re-keying the visitor’s details.
5. Storage limitation: Make sure you erase visitor data easily or upon request
You shouldn’t keep personal data longer than necessary, and your organisation should already have a policy on this. There is no hard rule on how long you can keep visitor data; the organisation needs to agree a GDPR-compliant process, decide the retention period and delete data accordingly.
For visitor management, you should follow your organisation’s policy, with a process in place that erases or anonymises the data once the time period has lapsed. You should make all visitors aware of how long you’ll store their data, as per your company policy.
Rather than relying on staff to delete records by hand, a digital reception system can offer automatic visit deletion, which removes visitor logs after a specified number of days.
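As an added illustration of the storage limitation step described above (this is example code, not part of the original post or of any vendor’s product), the following Python script anonymises visits once they pass their retention period instead of deleting the whole record, so that aggregate reporting such as visitor numbers by type survives while the personal data does not. It also handles an erasure request for a named visitor. The field names, the per-visitor-type retention periods, the sample log and the function names are all assumptions made for the example.

```python
"""Retention and erasure for a visitor log (added example; assumed data model)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Retention period per visitor type, in days. These figures are assumed for the
# example; in practice they come from the organisation's visitor management policy.
RETENTION_DAYS = {"guest": 30, "contractor": 90, "cleaner": 30}
DEFAULT_RETENTION_DAYS = 30


@dataclass(frozen=True)
class Visit:
    visit_id: int
    visitor_type: str
    checked_in_at: datetime          # must be timezone-aware
    name: str | None = None
    email: str | None = None
    phone: str | None = None
    company: str | None = None
    anonymised: bool = False


def anonymise(visit: Visit) -> Visit:
    """Strip every personal field but keep what reporting needs (type, date)."""
    return replace(visit, name=None, email=None, phone=None, company=None, anonymised=True)


def is_expired(visit: Visit, now: datetime) -> bool:
    """True once the visit is at or beyond its type's retention period."""
    if visit.checked_in_at.tzinfo is None or now.tzinfo is None:
        # A naive timestamp compared against an aware one silently misjudges
        # the boundary, so refuse rather than guess.
        raise ValueError("timestamps must be timezone-aware")
    days = RETENTION_DAYS.get(visit.visitor_type, DEFAULT_RETENTION_DAYS)
    return visit.checked_in_at <= now - timedelta(days=days)


def apply_retention(visits: list[Visit], now: datetime) -> list[Visit]:
    """Scheduled job: anonymise every visit older than its retention period."""
    return [anonymise(v) if (is_expired(v, now) and not v.anonymised) else v for v in visits]


def erase_on_request(visits: list[Visit], email: str) -> list[Visit]:
    """Right to erasure: anonymise all visits by this visitor, matched on e-mail."""
    key = email.strip().lower()
    return [anonymise(v) if (v.email or "").strip().lower() == key else v for v in visits]


def visitor_counts(visits: list[Visit]) -> dict[str, int]:
    """Reporting still works after anonymisation because visitor_type is kept."""
    counts: dict[str, int] = {}
    for v in visits:
        counts[v.visitor_type] = counts.get(v.visitor_type, 0) + 1
    return counts


def remaining_pii(visits: list[Visit]) -> list[int]:
    """Visit ids that still hold personal data; a simple compliance check."""
    return [v.visit_id for v in visits if not v.anonymised]


# Constructed sample log for the example (not real data).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_VISITS = [
    Visit(1, "guest", NOW - timedelta(days=45), "Ana Example", "ana@example.com", "+4400000000", "Example Ltd"),
    Visit(2, "contractor", NOW - timedelta(days=45), "Ben Example", "ben@example.com", None, "Fixit Co"),
    Visit(3, "guest", NOW - timedelta(days=2), "Cy Example", "cy@example.com", None, None),
    Visit(4, "guest", NOW - timedelta(days=30), "Di Example", "di@example.com", None, None),  # exactly at the boundary
]

if __name__ == "__main__":
    kept = apply_retention(SAMPLE_VISITS, NOW)
    print("still identifiable:", remaining_pii(kept))
    print("counts by type:", visitor_counts(kept))
    print("after erasure request:", remaining_pii(erase_on_request(kept, "CY@example.com")))
```

The boundary case (visit 4, checked in exactly 30 days ago) is treated as expired, so a record is never kept a day longer than the policy states; a guest visit from 45 days ago is anonymised while a contractor visit of the same age is kept because its assumed retention period is longer.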
6. Integrity and confidentiality: Make sure your data is encrypted
This principle relates to having effective security measures in place to protect personal data. Carry out a risk assessment to identify the risks to the personal data you hold, and put mitigations in place to reduce them. Measures such as encryption (in transit and at rest), pseudonymisation and restricting access to those who need it are the kind of safeguards GDPR expects.
7. Accountability: Assign a Data Protection Officer (DPO)
GDPR requires that you take responsibility for how data is managed and are able to demonstrate your compliance. A Data Protection Officer (DPO) does not handle the data day to day; the DPO oversees how personal data is processed, monitors compliance with GDPR and advises the organisation on its data protection obligations. Note that GDPR makes a DPO mandatory only in certain cases, such as large-scale monitoring of individuals, but appointing someone with that responsibility is good practice regardless.
8. Visitor management policy
The safest way to avoid fines is to have a visitor management policy in place which covers how you collect, handle, store and delete personal data. This should be a collaborative effort, written in conjunction with your Data Protection Officer and IT department.
Read how to write a visitor management policy
Stay Compliant with Vgreet Digital Visitor Management System
By digitally collecting and storing visitor details, you can save time and cost spent on staying GDPR compliant. With our partner’s above-industry-standard security features, you can expect to see the following with your Vgreet virtual reception:
- Data encryption in transit and at rest
- SAML-based SSO
- Granular access rights and privileges
- SCIM-based user provisioning
- Custom data retention for visitor management GDPR compliance
- TLS-only (HTTPS) API access
- DomainKeys Identified Mail (DKIM)
- Granted an ISAE 3000 Type I data privacy attestation
Digital visitor management journeys
Visitor management GDPR compliance is only one of the benefits of Vgreet visitor management system. Capture all visitors and deliver a digital visitor management journey that is unsurpassed with more features, including branded invites, maps to guide visitors to the office, pre-registration to comply with health and safety and touchless three-second check-in.
Download the Vgreet brochure