An Easy-To-Use 14-Point Checklist for a GDPR-Compliant Visitor Management System
The EU General Data Protection Regulation (GDPR) took full effect on May 25, 2018. By December 2018 there were already more than 95,000 reported cases of GDPR violation. The fines associated with GDPR non-compliance can cost businesses up to 4% of their annual revenue. Several high-profile GDPR cases are currently being tried. The biggest penalty imposed to date was against Google for a GDPR violation in France, costing the tech giant 50 million euros. While most of these cases involve infringements on information collected online, the GDPR is technology agnostic. This means that as long as you’re collecting personal data, you’re required by law to comply.

Most businesses focus on customer data, but they often overlook one important area: visitor management. It's possible that a number of companies have violated — and are currently violating — the requirements of the GDPR with the visitor management system (VMS) they’re using. In a survey of executives leading up to the full implementation of the GDPR, updating their office’s visitor management system wasn’t a priority.
Without the right visitor management implementation and technology, you could be unintentionally violating the GDPR. The problem is, most office managers don’t know where to start in order to comply. Luckily, the GDPR lists core principles that make it easier for businesses to comply. We used these principles to put together a simple checklist that you can follow to evaluate whether your VMS is GDPR compliant, including a graphic for you to download and check off.
1. How Clear Is Your Transparency?
What the GDPR says: “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.”
What it means to your visitor management system: You cannot collect your visitors’ personal information for the sake of data collection. You should outline the specific reasons as to why you’re collecting their personal data and how you’re collecting, processing, storing and securing the information they’re going to give. This could vary from one visitor to another depending on their purpose in visiting your site or office.
VMS Transparency Checklist:
- Does your VMS have an interface outlining why you’re collecting data?
- Are you communicating to your visitors how you’re going to process, store and secure their personal information?
- Are you communicating data collection transparency in a way that is easily understandable (i.e. using simple language or visuals)?
2. The Specifics of Consent
What the GDPR says: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
What it means to your visitor management system: Your VMS should contain a clear consent statement confirming that visitors are willingly giving their personal data for the purposes you’ve outlined. Tick boxes and “I Agree” buttons are common ways to obtain consent.
However, contrary to a common GDPR misconception in which explicit consent must be given from every visitor upon sign in, the law states that obtaining consent in every situation is not necessary when personal data is collected for the legitimate interest of the data controller (as long as it’s done without unjustified adverse effects on the individuals concerned). This could be done by having visitors digitally sign an agreement.
VMS Consent Checklist:
- Do you communicate a clear consent statement?
- Does your VMS have tick boxes or “I Agree” buttons with the sufficient accompanying text to make it clear what they’re agreeing to?
- Do you have a digital agreement that your visitors can sign when you collect personal data on the basis of the data controller’s legitimate interest (e.g. for security purposes)?
3. Data Minimisation: Collect Only What You Need
What the GDPR says: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
What it means to your visitor management system: Gone are the days when you can collect all the personal data you want just in case you might need it. The GDPR limits the information you can collect from your visitors to what you need and with a clearly defined purpose. You should also periodically review the visitor data you collected and delete what is not needed.
VMS Data Minimisation Checklist:
- Do you only collect visitor data that you need for specific purposes?
- Do you periodically review the data you collect and delete the information you no longer need?
4. Right to be Forgotten
What the GDPR says: “To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data.”
What it means to your VMS: You don’t have perpetual ownership of the data you collect from your visitors. Your VMS should make visitor records easy to search so that, if and when a visitor requests that their information be deleted, you can find and remove it. A best practice for compliance is setting your VMS to automatically delete a visitor’s personal data after a set period of time.
VMS Right to be Forgotten Checklist:
- Do you have a process in place to periodically erase visitor data?
- Does your VMS have an easy data searchability feature so you can delete visitor data in a timely manner?
- Does your VMS have a feature that automatically deletes visitor data after a set time period?
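As an added illustration (not code from the original post or from any VMS vendor), the following Python sketches how the data-minimisation rule in section 3 and the search-and-delete and automatic-deletion features in section 4 could be implemented in a visitor register; the sign-in purposes, field names and retention periods are assumptions, not values from the GDPR text.

```python
# Added example: a minimal visitor register that enforces per-purpose data
# minimisation, records what the visitor consented to, purges records after a
# retention period, and handles erasure requests by searching on the visitor's name.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data minimisation (section 3): each sign-in purpose declares the ONLY fields it
# is allowed to store. Purposes and fields are assumed, not prescribed by the GDPR.
ALLOWED_FIELDS = {
    "meeting": {"name", "host", "company"},
    "contractor": {"name", "host", "company", "phone"},
}
# Assumed retention periods in days; the GDPR itself sets no fixed number.
RETENTION_DAYS = {"meeting": 30, "contractor": 90}


@dataclass
class VisitorRecord:
    purpose: str
    data: dict
    consent_text: str      # the statement the visitor agreed to (section 2)
    signed_in: datetime    # timezone-aware, drives automatic deletion


class VisitorRegister:
    def __init__(self):
        self._records: list[VisitorRecord] = []

    def sign_in(self, purpose: str, consent_text: str, now: datetime, **fields) -> VisitorRecord:
        """Store a visit, rejecting fields the stated purpose does not need."""
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        if not consent_text.strip():
            raise ValueError("a consent statement is required")
        extra = set(fields) - ALLOWED_FIELDS[purpose]
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        rec = VisitorRecord(purpose, dict(fields), consent_text, now)
        self._records.append(rec)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion (section 4): drop records older than their retention period."""
        keep = [r for r in self._records
                if now - r.signed_in <= timedelta(days=RETENTION_DAYS[r.purpose])]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def erase(self, name: str) -> int:
        """Erasure request (section 4): find every record for this visitor and delete it."""
        keep = [r for r in self._records
                if r.data.get("name", "").casefold() != name.casefold()]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def count(self) -> int:
        return len(self._records)
```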
5. Check Your Security Measures
What the GDPR says: “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
What it means to your visitor management system: Talk to your visitor management system provider to ensure your visitors’ personal data is stored on a secured server. Additionally, ask for details on the other security measures being implemented, such as encryption and protection against brute force attacks. Your VMS should also have data recoverability features such as backups and restore points in case the primary database is lost or damaged.
VMS Security Checklist:
- Does your VMS provider store visitor data on a secured server?
- Does your VMS use the best practices in cybersecurity?
- Does your VMS allow you to recover data in case the main database is lost or damaged?
Partnering with a VMS Provider that Understands GDPR
Download your FREE visitor management checklist here: 14-point checklist for a GDPR compliant visitor management system.
We hope this helps you do an initial assessment of whether your VMS complies with the GDPR or not. If you’re still not sure, partnering with a VMS technology provider with an expert understanding of the GDPR will steer you in the right direction.
Photo credit: Hello I'm Nik 🇬🇧