Our suggestions on how to use SwipedOn for the GDPR
Archiving & Anonymization
Under the GDPR, your visitors or employees can request that you delete all of their personally identifiable information.
With SwipedOn, previously deleted employees were 'soft-deleted' - meaning their information was still available in the CSV export. We've now renamed this to the more functional title of 'Archive'.
We've also added an 'Anonymize' function that permanently anonymizes all personal information about a visitor or employee (rather than storing their personally identifiable information). It is available from the Archive tab for employees and the Visits tab for visitors.
Under the GDPR, your visitors or employees can request that you give them a copy of all the personal data you have about them.
Visitor settings - privacy settings
Under the GDPR, appropriate technical measures shall be taken against unauthorised access to personal data.
We've added Privacy Settings that can disable the default 'Display visitor name matches' (auto-suggest) feature on the iPad. This mitigates any situation where a visitor with the same or a similar name is exposed to other visitors' personal data.
Our iPad UI handles the auto-suggest being turned off to improve the overall ease of use.
We've adjusted our iPad search to limit the results it returns in line with GDPR best practice.
Our suggested SwipedOn account set up for the GDPR
Visitor Settings - privacy settings
In the Setting > Visitors view, you can choose to use the following settings:
Turn this setting off if you do not wish your visitors to be remembered for a faster sign-in next time.
Display visitor name matches
Display visitor name matches (auto-suggest) is ON by default and will automatically match and present names after the first 3 letters are typed on the iPad. Turn this feature off if you do not want your visitors to be exposed to other visitors' names.
Display employee list
Turn this setting off if you do not wish your visitors to see a list of employees (hosts) to choose from when they sign in. The off-state will require the visitor to type the host's name.
Under the GDPR, you need to have a legal reason (called a lawful basis in the regulation) to use someone’s data.
In practice, it means that you must:
have legitimate grounds for collecting and using the personal data;
not use the data in ways that have unjustified adverse effects on the individuals concerned;
be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
handle people’s personal data only in ways they would reasonably expect; and
make sure you do not do anything unlawful with the data.
At SwipedOn, we certainly believe we have this covered. There is a common misconception surrounding GDPR that explicit consent needs to be given from every visitor upon sign in. In fact, the GDPR gives guidance that the processing of personal data is indeed possible where it represents the legitimate interest of the data controller (without unjustified adverse effects on the individuals concerned).
Using a visitor management system such as SwipedOn is certainly legitimate grounds for collecting data, particularly as it facilitates:
Physical security procedures
Data security procedures
Health and Safety procedures
In SwipedOn, you can make use of our Visitor Agreement feature to provide your visitors with a simple statement as to how and why you are collecting their data.
Here is all the information you need to get started with Visitor Agreements.
To keep a clean employee list, you can archive employees. This will move the employee from the 'Employees' tab into the 'Archive' tab and remove them from the employee In/Out list on the iPad.
Archive can be viewed as a 'soft delete' as the employee's information is still viewable on the Timeline page and in CSV exports.
Here is all the information you need to get started with How to Archive an Employee.
A key component of our GDPR product improvements has been the ability to Anonymize visitor or employee data permanently.
Anonymizing visitor or employee data will do the following:
Anonymize the visitor's or employee's name
Anonymize the visitor's company name
Anonymize the visitor's or employee's custom fields
Delete the visitor's or employee's photo
Delete the visitor's agreement
Delete the visitor's signature
Anonymizing the visitor's or employee's data will maintain:
The timestamp of any movement records (which is not personal information)
The host (employee) that was visited (unless also anonymized)
For those subscribed to an Enterprise plan, we offer an auto-anonymize feature. Find out more here.