GDPR is the game-changing European Union regulation that came into effect in May 2018. Having a GDPR compliance checklist is a great first step for your organization. But your current visitor management system is still exposed to the relatively “new” General Data Protection Regulation.
How confident are you in the way you handle visitor management?
Imagine your auditor arriving to assess your company’s GDPR compliance. If your visitor check-in app is not fully compliant, then they’ll see the red flags immediately.
GDPR’s core principles have been laid out in full already, but here are some of the more relevant points for your business:
Because of such implications, in May 2018 alone, “GDPR” searches surpassed the Google search volumes of Beyoncé and Kim Kardashian.
In fact, the search volume was just about equal to the other two celebrity searches combined!
But all jokes aside, the European Commission does report additional findings in their January 2019 report: GDPR in Numbers.
The overwhelming consensus is that preparation is key. So we’ve put together a 6-point checklist as a part of the bigger picture when it comes to GDPR and visitor management.
Here are the questions you need to ask:
Both GDPR and visitor management need to be addressed wholly as an organization. As such, it’s important to take a step back and assess how your business plans to collect and manage the personal data of your visitors.
This is because of the real-life nuances of data privacy regulations. GDPR operates under the premise of technology neutrality:
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing…
— GDPR Recital 15, General Data Protection Regulation
This means that the rules applying to digital visitor management systems may also apply to “GDPR and visitor books” you see sitting around on front desks all over the world.
Although it is possible to operate with a “GDPR sign-in sheet,” industry experts are split down the middle as to the efficacy and ease of GDPR compliance using a pen-and-paper visitor management system.
Having a tool that allows you to plan for and manage the data collection process reduces the margin of human error and ensures consistency in the visitor experience. Organizations operating in multiple locations must be especially careful. Having a tool that allows you to manage multiple front desks from one central interface takes the pain out of planning.
This question is specific to data minimization: The act of collecting only personal data needed to achieve its intended purpose. Furthermore, such data should only be retained for as long as it serves said purpose.
Article 5, 1(c) of GDPR stipulates:
“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
You can only collect data for required security protocol or to fulfill a business contract, etc. Your visitor management system should allow you to tailor the check-in process according to the types of visitors you welcome. In this way, you’re sure that they’re only asked for the information you absolutely need.
Read more about how you can minimize data with Proxyclick.
This is also directly related to GDPR’s principle of data minimization:
“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Really, it’s in three parts:
The 3rd point is laid out clearly in Article 7(3) of GDPR:
“The data subject shall have the right to withdraw his or her consent at any time.”
There is no hard and fast rule as to what your retention period must be. As we’ve mentioned before, GDPR-compliant visitor management is a process that your organization must decide on together.
However, your visit details should fulfill the business requirements they were collected for in the first place. Define the retention period that applies to your context and then delete data accordingly.
One way to tackle the question of data retention and the ‘right to be forgotten’ is to be able to manually delete visits in your dashboard. Ideally, your visitor management system allows for this to be automated so you can specify the number of days for data retention. For organizations with multiple locations, Proxyclick also allows for location-specific settings for local flexibility in automatic visit deletion.
This question relates to GDPR’s stance on legitimate interests: Legitimate interests can only be used as a legal basis for processing when they don’t override the interests or fundamental rights and freedoms of the individual whose personal data is processed.
Long story short, consent is required for collecting visitor data (or the data of data subjects at large).
However, there is an exception: You do not have to ask for consent in every single situation. The mechanism of so-called legitimate interests dictates that you have a legal basis or grounds for processing personal data if not doing so would mean defaulting on a contractual necessity or jeopardizing legitimate interests of the company.
Your visitor management solution should let you distinguish between a visitor profile and visitor data implementation (data necessary to fulfill the interests of the company, alongside more ephemeral data). In the case of an audit, you’ll need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes (outside of the exceptions mentioned above). This can be achieved in two ways:
Check out our free template containing a sample clause for consent (translations included in 22 languages)
In plain English, your company is considered the “Data Controller” and is, by law, responsible for determining the purposes and means of processing personal data.
This article was originally posted here: https://www.proxyclick.com/blog/gdpr-compliance-checklist-visitor-management-system