The GDPR compliance checklist for your visitor management system

May 02 19:00 2019 Print This Article

GDPR is the game-changing European Union regulation that came into effect in May 2018. Having a GDPR compliance checklist is a great first step for your organization. But your current visitor management system is still exposed to the relatively “new” General Data Protection Regulation.

How confident are you in the way you handle visitor management?

Imagine your auditor arriving to assess your company’s GDPR compliance. If your visitor check-in app is not fully compliant, then they’ll see the red flags immediately.

A summary of GDPR’s key points:

GDPR’s core principles have been laid out in full already, but here are some of more relevant points for your business:

  • It aims to strengthen the rights of individuals around the processing of their personal data, while ensuring the free flow of data in the EU digital market
  • It builds on an existing legislation, but also amps up the role of several concepts such as consent, deletion period, etc.
  • It applies to any organization based in the EU but also non-EU organizations who collect and process personal data of EU citizens aka the “data subjects.”
  • It slaps hefty fines of up to 4% of annual turnover on organizations that fail to comply.

Because of such implications, in May 2018 alone, “GDPR” searches surpassed the Google search volumes of Beyoncé and Kim Kardashian.

In fact, the search volume was just about equal to the other two celebrity searches combined!

True story.

But all jokes aside, the European Commission does report additional findings in their January 2019 report: GDPR in Numbers.

The overwhelming consensus is that preparation is key. So we’ve put together a 6-point checklist as a part of the bigger picture when it comes to GDPR and visitor management.

Here are the questions you need to ask:

1. How do we collect personal data from our visitors?

Both GDPR and visitor management need to be addressed wholly as an organization. As such, it’s important to take a step back and assess how your business plans to collect and manage the personal data of your visitors.

This is because of the real-life nuances of data privacy regulations. GDPR operates under the premise of technology neutrality:

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing…

— GDPR Recital 15, General Data Protection Regulation

This means that the rules applying to digital visitor management systems may also apply to “GDPR and visitor books” you see sitting around on front desks all over the world.

Although it is possible to operate with a “GDPR sign-in sheet,” industry experts have split down the middle as to the efficacy and ease of GDPR-compliance using a pen and paper visitor management system. 

What this means for your visitor management system:

Having a took that allows you to plan for and manage the data collection process reduces the margin of human error, and ensure consistency in the visitor experience. This is especially true for organizations operating in multiple locations must be especially careful. Having a tool that allows you to manage multiple fronts desks from one central interface takes the pain out of planning. 

2. What kind of visitor data can we collect?

This question is specific to data minimization: The act of collecting only personal data needed to achieve its intended purpose. Furthermore, such data should only be retained for as long as it serves said purpose. 

Article 5, 1(c) of GDPR stipulates:

“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

What this means for your visitor management system:

You can only collect data for required security protocol or to fulfill a business contract, etc. Your visitor management system should allow you to tailor the check-in process according to the types of visitors you welcome. In this way, you’re sure that they’re only asked for the information you absolutely need. 

Read more about how you can minimize data with Proxyclick.

3. How long can we store “visit details?”

This is also directly related to GDPR’s principle of data minimization:

“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Really, it’s in three parts:

  1. You should only be collecting data for specific purposes.
  2. You should only be holding onto the data for a limited period of time.
  3. There should be provisions for the “right to be forgotten.”

The 3rd point is laid out clearly in Article 7(3) of GDPR:

“The data subject shall have the right to withdraw his or her consent at any time.”

There is no hard and fast rule as to what your retention period must be. As we’ve mentioned before, GDPR-compliant visitor management is a process that your organization must decide on together.

However, your visit details should fulfill the business requirements they were collected for in the first place. Define the retention period that applies to your context and then delete data accordingly.

What this means for your visitor management system:

One way to tackle the question of data retention and the ‘right to be forgotten’ is to be able to manually delete visits in your dashboard. Ideally, your visitor management system allows for this to be automated so you can specify the number of days for data retention. For organizations with multiple locations, Proxyclick also allows for location-specific settings for local flexibility in automatic visit deletion.

4. Do we always have to ask for consent when collecting visitor data? 

This question relates to GDPR’s stance on legitimate interests: Legitimate interests can only be used as a legal basis for processing when they don’t override the interests or fundamental rights and freedoms of the individual whose personal data is processed. 

Long story short, consent is required for collecting visitor data (or data subjects at large).

However, there is an exception: You do not have to ask for consent in every single situation. The mechanism of so-called legitimate interests dictates that you have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company.  

What this means for your visitor management system:

Your visitor management solution should let you distinguish between a visitor profile versus visitor data implementation (data necessary to fulfill the interests of the company with more ephemeral data). In the case of an audit, you’ll need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes (outside of the exceptions mentioned above). This can be achieved in two ways:

  1. by allowing your visitors to confirm that they’ve read the privacy policy, or
  2. by offering a toggle switch by which they consent to you storing their data in your visitor management system

Check out our free template containing a sample clause for consent (translations included in 22 languages)

5. Do we need to sign a Data Processing Agreement with our visitor management provider?


In plain English, your company is considered the “Data Controller” and by law,  responsible for determining the purposes and means for processing of personal data.

This article was originally posted here:

  Article "tagged" as:
view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


No Comments Yet!

You can be the one to start a conversation.

Add a Comment