Updated: Mar 28
After the news this week that firms in Europe have collectively been fined €273m for GDPR infringements, it is worth checking that your visitor management follows the regulation. How can we store visitor data safely and, just as importantly, simply? In this blog, we will cover:
What is GDPR?
The General Data Protection Regulation came into effect on 25 May 2018 and is among the strictest laws of its kind in the world. Drafted in the European Union, it applies to any organisation that stores or processes the personal data of people in the EU, even if the organisation itself operates outside the EU.
Thanks to the evolution of technology, millions of companies around the globe hold a mass of consumer data. Any personal data of people in the EU, such as names, addresses, dates of birth, purchases and bank details, must now be collected, stored and deleted according to the regulation's principles, including being kept for no longer than necessary.
Why do we need to consider GDPR compliance in visitor management?
GDPR aims to strengthen individuals' rights while ensuring the free flow of data in the digital market. The regulation raises the importance of concepts such as visitor consent, purpose limitation and retention (deletion) periods.
Should a company break GDPR, the result can be heavy penalties: up to €20 million or 4% of global annual turnover, whichever is higher. Can you afford to break GDPR?
The natural process of visitor management
In any organisation, visitor data is commonly collected to deliver a better visitor experience or to keep the building safe, so organisations end up holding personal data on everyone who enters and leaves their offices. Whatever the purpose, a manual process for collecting, managing and erasing that data depends on individual technique and experience, which makes it a single point of failure.
Traditional paper visitor book GDPR compliance
Ensuring Visitor Privacy
No matter how you collect data from visitors, it must be handled, stored and deleted according to GDPR. This is not limited to data collected electronically: visitor sign-in sheets and anything else written down on paper are included.
If you are using paper sign-in books to collect visitor details at check-in, you are exposing yourself to significantly higher risk. Letting a visitor see the previous visitors' details is a breach of the confidentiality GDPR requires of your visitor management.
Ensure your visitor details are stored securely and deleted after a defined retention period.
Unlike records held in a visitor management system, paper can easily be stolen, photographed or misplaced, and any of these is a failure to comply with GDPR.
Data Purpose Limitation
GDPR's purpose limitation principle means you may only collect visitor details for specified, explicit purposes, and (under the related data minimisation principle) only the details those purposes actually need. If you are using sign-in sheets, reception staff must make sure the right form is used for each type of visitor, such as contractors, guests or cleaning staff, so that no more is collected than necessary.
9 areas to ensure your Visitor Management's GDPR Compliance
In order to stay compliant with GDPR in visitor management, Facilities Managers should already have worked with IT to put a visitor management policy in place that covers how personal data is handled.
However, if you're currently working to improve your reception services, it's worth coming back to this subject to be sure you're always following the data privacy regulation.
1. Lawfulness, fairness and transparency: Ask for consent
You should collect and use personal data fairly and without breaching any laws. It is important to ask for consent to use and store personal data and to be honest about why it is needed and how long it will be kept. In this case, you can:
Let visitors choose which of their details are stored in your visitor management system.
2. Purpose limitation: Have a clear purpose of why you collect personal data
You must have a lawful basis (for example, a legitimate interest) for collecting personal data. Be clear about why you want it and how it will be used. GDPR gives visitors the legal right to know what you plan to do with their information, so if you need a visitor's full name, address or other personal information, you must explain why you need it.
For visitor management purposes, the reasons might be:
Security purposes - to identify unauthorised visitors or ensure your building's safety.
In case of an emergency
To report visitor numbers/ visitor types
Create a digital log for a faster check-in next time
3. Data minimisation: Only collect personal data you need
This principle relates to collecting visitor data that is adequate, relevant and limited to what is necessary. For visitor management, you should only ask for the data you need to fulfil a stated purpose. For example, take a mobile number only so the visitor can receive text notifications in the event of an emergency.
4. Data Accuracy
Visitor data should be kept accurate when it changes. For example, if a visitor has changed their address by the time of their next visit, company records should be updated with the new address promptly.
To keep visitor data accurate, Vgreet populates its visitor records from Outlook, so every update to a visitor's details there flows through automatically. Your front desk and facilities managers always know who is expected and when meetings change, without rekeying the visitor's details.
5. Storage limitation: Make sure you erase visitor data easily or upon request
You shouldn't keep personal data longer than necessary, and your organisation will already have a policy in place regarding this. There is no hard rule on how long you can keep visitor data: organisations need to agree a GDPR-compliant process, decide the retention period and delete data accordingly.
For visitor management, you should follow your organisation's policy, with a process in place that erases or anonymises the data once the retention period has lapsed. You should make all visitors aware of how long you'll store their data, as per your company policy.
Instead of deleting records by hand, Vgreet offers automatic visit deletion, which removes visitor data after a specified number of days.
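The retention process described above, as an added example that is not Vgreet's code or part of the original post. It assumes a visitor log made of plain records with the fields shown, a retention period in days and a secret key; the record layout, field names, function names and the sample entries are all constructed for illustration. Records past the retention period have their identifying fields stripped, keeping only what is needed to report visitor numbers and types plus a keyed pseudonym so repeat visits can still be counted; an erasure request removes every identifying field, including that pseudonym, regardless of age.

```python
"""Retention enforcement and erasure for a visitor log (added example, not the
original post's or Vgreet's code). All names and sample records are assumptions."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields that identify a person; everything else is needed for reporting.
PERSONAL_FIELDS = ("name", "email", "phone", "company")

# Constructed sample log (fictional people); ISO 8601 timestamps in UTC.
SAMPLE_LOG = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com",
     "phone": "+44 7700 900001", "company": "Example Ltd", "visitor_type": "guest",
     "checked_in": "2024-01-02T09:15:00+00:00", "checked_out": "2024-01-02T11:00:00+00:00"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.net",
     "phone": "+44 7700 900002", "company": "Sample Cleaning", "visitor_type": "contractor",
     "checked_in": "2024-02-20T07:30:00+00:00", "checked_out": None},  # never signed out
    {"id": 3, "name": "Ada Example", "email": "ada@example.com",
     "phone": "+44 7700 900001", "company": "Example Ltd", "visitor_type": "guest",
     "checked_in": "2024-03-01T14:00:00+00:00", "checked_out": "2024-03-01T15:30:00+00:00"},
]


def _last_activity(record):
    # A visitor who never signed out still ages out: fall back to the check-in time.
    return datetime.fromisoformat(record["checked_out"] or record["checked_in"])


def _ref(email, key):
    # Keyed pseudonym: repeat visits link together only for whoever holds the key.
    # Under GDPR (Recital 26) this is still personal data while the key exists;
    # rotating or destroying the key turns the refs into noise.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(record):
    """Keep only the non-identifying fields needed to report visitor numbers/types."""
    kept = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    kept["redacted"] = True
    return kept


def pseudonymise(record, key):
    """Anonymise but keep a keyed ref so repeat visitors can still be counted."""
    kept = anonymise(record)
    kept["visitor_ref"] = _ref(record["email"], key)
    return kept


def apply_retention(log, retention_days, key, now):
    """Storage limitation: redact every record older than the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [pseudonymise(r, key) if not r.get("redacted") and _last_activity(r) < cutoff else r
            for r in log]


def erase_on_request(log, email, key):
    """Right to erasure: remove all identifying data for this person, including
    the pseudonym on records already aged out. Returns (new_log, records_touched)."""
    target, ref = email.strip().lower(), _ref(email, key)
    out, touched = [], 0
    for r in log:
        if not r.get("redacted") and r["email"].strip().lower() == target:
            out.append(anonymise(r))
            touched += 1
        elif r.get("visitor_ref") == ref:
            r = dict(r)
            del r["visitor_ref"]
            out.append(r)
            touched += 1
        else:
            out.append(r)
    return out, touched


def visitor_counts(log):
    """Reporting still works on redacted records: counts per visitor type."""
    counts = {}
    for r in log:
        counts[r["visitor_type"]] = counts.get(r["visitor_type"], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"example-key-rotate-me"  # assumption: stored in a secrets manager in practice
    aged = apply_retention(SAMPLE_LOG, 60, key, datetime(2024, 4, 1, tzinfo=timezone.utc))
    erased, n = erase_on_request(aged, "Ada@Example.com", key)
    print(n, "record(s) erased;", visitor_counts(erased))
```

The retention job runs against a fixed `now` so it can be tested deterministically; in production pass the current time. Note that the redacted rows still carry a keyed ref, so treat them as pseudonymised rather than anonymised data until the key is rotated.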
6. Integrity and confidentiality: Make sure your data is encrypted
This principle relates to having effective security measures in place to protect personal data. A risk assessment should be undertaken to find out what risks the personal data you hold presents, and mitigations should be put in place to reduce them. Encrypting the data, both in transit and at rest, is one such measure.
7. Accountability: Assign a Data Protection Officer (DPO)
GDPR requires that you take responsibility for how data is managed and demonstrate how you comply with the law. A Data Protection Officer (DPO) is the person who monitors your level of compliance with GDPR and advises on your data protection obligations; appointing one is mandatory for some organisations and good practice for any that holds visitor data.
8. Visitor management policy
The safest way to avoid fines is to have a visitor management policy in place which covers how you collect, handle, store and delete personal data. This should be a collaborative effort, written in conjunction with your Data Protection Officer and IT department.
Vgreet Digital Visitor Management GDPR Compliant
With our partner's above-industry-standard security features, you can expect to see the following with your Vgreet:
Data encryption in transit and at rest
Granular access rights and privileges
SCIM-based user provisioning
Custom data retention for visitor management GDPR compliance
TLS-only (HTTPS) API access
DomainKeys Identified Mail (DKIM)
Granted an ISAE 3000 Type I data privacy attestation
Digital visitor management journeys
GDPR compliance is only one of the benefits of the Vgreet digital visitor management system. Capture every visitor and deliver an unsurpassed digital visitor journey with features including branded invites, maps to guide visitors to the office, pre-registration to comply with health and safety, and touchless three-second check-in.