on December 14, 2018 Office tips

The Many Ways Your Paper Visitors' Book is Violating the GDPR & What You Can Do About It

Believe it or not, asking your office visitors to sign your paper logbook can cost you hefty fines — up to £20 million to be exact.

Businesses were caught scrambling to comply with the GDPR (the shorthand for General Data Protection Regulation) when it was implemented earlier this year.

However, a new study has revealed that many UK small business owners are still confused by the rules around data protection and privacy regulations. Of 1,000 surveyed, 86% admitted they do not dispose of paper visitor books securely and confidentially - leaving the personal data of millions of employees and customers at risk.

When putting GDPR procedures in place, it’s very likely that many organisations did so with one big misconception — that the new law only affects data collected online.

It doesn’t. The GDPR is technology-agnostic. It applies to all acts of personal data collection and processing, no matter how and where it takes place.

Visitor data = personal data. Period.

So, your paper visitors’ book is no exception. A paperless visitor management system has a number of benefits and GDPR compliance has become one of them. Before talking about the alternative, let’s dive into the different provisions under the GDPR that you could be violating when requesting your office visitors to fill out your paper visitors’ book, and how a digital visitor management system can provide a more compliant alternative.

Right to Be Forgotten

According to the GDPR: “The data subject shall have the right to withdraw his or her consent at any time.” It further states: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”

It is almost logistically impossible to comply with this GDPR requirement with a paper visitors’ book. Tearing a page from the logbook or erasing their personal data entry won’t cut it.

Also, there’s the case of multi-tenant buildings. If you lease an office space in one of these complexes, the control you have over the logbook your visitors are asked to sign when entering the premises is limited. Plus, do you even know what happens to the visitor books when they’re full? Are they stored somewhere safe to protect the data? Probably not.

An advanced visitor management system solves this predicament. Since visitor data is electronically collected and stored in the cloud, it is easy to search for a specific person’s information and delete it when such a request comes in. This upholds the spirit of the law requiring you to erase personal data without undue delay.

Consent for Personal Data & Visitor Agreements

Imagine this scenario. A high-profile potential client walks into your office. As per your norm, you ask him to fill out your paper visitors’ logbook. He jots down his personal details, and you don’t think twice about asking for his consent nor is it made clear on how you will use his personal information. In the scope of GDPR, this is a red flag.

According to the GDPR, when collecting data, “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication.”

So what does this mean?

There is a common misconception surrounding GDPR that explicit consent needs to be given from every visitor upon sign in. When in fact, the GDPR gives guidance that you do not have to ask for consent in every situation when collecting personal data. It is indeed possible where it represents the legitimate interest of the data controller (without unjustified adverse effects on the individuals concerned).

Therefore, implementing a digital visitor management system gives you legitimate grounds for collecting data, particularly as they facilitate: 

  • Physical security procedures
  • Data security procedures
  • Health and Safety procedures

Making use of the visitor agreement feature allows you to provide your visitors with a statement as to how and why you are collecting their data, as well as asking them to provide consent by digitally signing the document.

Security and Data Recoverability

There is nothing confidential and secure about a traditional visitors’ book.

If one logbook page can accommodate 20 entries, your 20th visitor for that day can easily see and pry on the personal data of the 19 visitors that came before him/her. This is a far cry from what the GDPR requires: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

Paper logbooks cannot be encrypted nor can they be password protected.

Also, a paper visitors’ book can be misplaced or stolen. Just take a look at this:Delight as stolen visitors’ books signed by Queen Victoria returned to Portsmouth  Read more at: https://www.portsmouth.co.uk/news/crime/delight-as-stolen-visitors-books-signed-by-queen-victoria-returned-to-portsmouthIf historic visitors’ books that were supposed to be heavily guarded were stolen, how much easier it would be to steal a visitor’s book propped open on a reception desk?

In addition, the data protection act requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” How are you going to comply with the data protection act with a paper visitors’ book? Creating multiple copies would be impractical, wouldn’t it?

With a visitor management system, especially if it’s from a trustworthy provider, several layers of data encryption and other measures can be implemented to protect your visitors’ data. Just like all electronic data, it’s easy to create backups and restore points in the event that the primary database is lost or damaged.

It’s Time to Retire the Paper Visitors’ Book

From where we stand, the retirement of paper visitors’ book is a long-time coming. Virtual visitor management systems have been around for a while, yet many offices and office buildings have postponed adopting such technologies. However, with the GDPR and the penalties it carries for non-compliance, it’s time for the paper visitors’ book to take its final bow and for advanced sign-in apps to take centre stage.

SwipedOn provides a digital visitor management system that has welcomed millions of visitors for thousands of businesses all over the world. Our visitor management specialists are dedicated to helping support your GDPR compliance, enhancing your brand and visitor experience. Our digital solutions show our deep passion to reduce paper waste and we plant a tree for every customer who joins SwipedOn. Sign up for a 14-day free trial with us.

GDPR iPad stand

 

Amy Gallagher

Amy is our Marketing Assistant at SwipedOn.