Is your visitor management GDPR compliant?

Updated: Feb 15

After the news this week that firms in Europe have been collectively fined €273m for GDPR infringement, I thought it was a good time to highlight just how important it is to ensure that your visitor management solution follows the strict GDPR rules, with our visitor management GDPR checklist.

What is GDPR?

The General Data Protection Regulation came into effect in May 2018 as the strictest law of its kind in the world. Drafted in the European Union, it applies to any organisation that stores and processes the data of people in EU countries, even if the country you operate in is not part of the EU.

Read more about GDPR.

Thanks to the evolution of technology, millions of companies around the globe hold a mass of consumer data. Any personal data of people in the EU, such as names, addresses, dates of birth, purchases and bank details, must now be stored in a specific way and for a specific time frame.

Why do we need to consider GDPR compliance in visitor management?

GDPR aims to strengthen individuals' rights while ensuring the free flow of data in the digital market. The regulation raises the importance of several concepts, such as visitor consent and deletion periods.

Should a company break GDPR, the result can be huge penalties: either €20 million or 4% of global revenue. Can you afford to break GDPR?

The natural process of visitor management

In any organisation, visitor data is commonly collected to deliver a better visitor experience or to ensure the building's safety. Organisations collect the personal data of people who enter and exit their offices. Whatever the purpose, the manual process of collecting, managing and erasing that data requires technique and experience, which can lead to a single point of failure.

Traditional paper visitor book GDPR compliance

Ensuring Visitor Privacy

No matter how you collect data from visitors, it must be handled, stored and deleted according to GDPR. This is not just data collected electronically; visitor sign-in sheets or anything written down on paper is included.

If you are using paper sign-in books to collect visitor details during the check-in process, you're putting yourself at a significantly higher risk. Letting a visitor see the previous visitor's information could be a breach of GDPR.

Data Safety

Ensure your visitor details are stored securely and deleted after a certain period of time.

Compared to companies that use visitor management systems to store data, paper can easily be stolen, photographed or misplaced, failing to comply with GDPR.

Data Purpose Limitation

GDPR states the purpose limitation for collecting your visitors' details, meaning that you must only collect the details you need. If you are using sign-in sheets, reception staff must ensure the relevant documents are provided to different types of visitor, such as contractors, guests, cleaning services, etc.

How to ensure your Visitor Management's GDPR Compliance?

In order to stay compliant with GDPR in visitor management, Facilities Managers should already have worked with IT to put a visitor management policy in place that covers the handling of sensitive data.

However, if you're currently working to reengineer your front of house or visitor management solution, it's worth coming back to this subject to be sure you're always following the data privacy regulation.

Based on GDPR's core principles and the advice of GDPR Associates, here is a step-by-step checklist to improve your visitor management GDPR compliance.

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Data Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability

  8. Write a clear visitor management policy

  9. Vgreet digital visitor management GDPR compliance

1. Lawfulness, fairness and transparency: Ask for consent

You should collect and use personal data fairly, without breaching any laws. It is important to ask for consent to use and store personal data, and to be honest about why it's needed and how long it will be kept. In this case, you can:

  • Allow your visitors to confirm they have read the privacy policy

  • Let visitors choose which of their data can be stored in your visitor management system

2. Purpose limitation: Have a clear purpose of why you collect personal data

You must have a legitimate interest in collecting personal data. Be clear about why you want it and how it will be used. GDPR establishes visitors' legal right to know what you plan to do with their information. If you need to know a visitor's full name, address and other personal information, you must explain why you need it.

For visitor management purposes, the reasons might be:

  • Security purposes - to identify unauthorized visitors or ensure your building's safety.

  • In case of an emergency

  • To report visitor numbers/ visitor types

  • Create a digital log for a faster check-in next time

3. Data minimisation: Only collect personal data you need

This principle relates to collecting adequate, relevant and limited visitor data: the amount of data you collect should be only what is necessary. For visitor management, you should only ask for the data you need to fulfil a purpose. For example, take a mobile number so the visitor can receive text notifications in the event of an emergency.

4. Data Accuracy

Visitor data should remain accurate when the underlying facts change. For example, if a visitor has changed their address by the next time they visit, company records should be updated with the new address in a timely manner.

To keep your visitor data accurate, every update to a visitor's details in Outlook populates the Vgreet visitor management system, so your front desk and facilities managers are always fully aware of expected visitors and meeting changes without rekeying the visitor's details.

5. Storage limitation: Make sure you erase visitor data easily or upon request

You shouldn't keep personal data longer than necessary, and your organisation will already have a policy in place regarding this. There is no hard rule on how long you can keep your visitor data; organisations need to agree a GDPR-compliant process, decide the retention period and delete data accordingly.

For visitor management, you should follow your organisation's policy, with a process in place that erases or anonymises the data once the time period has lapsed. You should make all visitors aware of how long you'll store their data for, as per your company policy.

Instead of deleting records manually, Vgreet comes fully loaded with Proxyclick, which enables automatic visit deletion. Vgreet visitor management systems can automatically delete the data after a specified number of days.
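As an added illustration of the storage-limitation step (example code, not Vgreet's or Proxyclick's own), the routine below applies a retention period to a set of visitor records, either deleting expired visits or anonymising them so that visitor numbers and types can still be reported; the record fields, the 30-day period and the sample visits are assumptions.

```python
# Added example, not Vgreet's or Proxyclick's own code: enforce a storage-limitation
# policy over visitor records. Expired visits are deleted or anonymised; anonymised
# visits keep only visitor type and date so numbers/types can still be reported.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

PERSONAL_FIELDS = ("name", "email", "phone")   # assumed record layout

@dataclass(frozen=True)
class Visit:
    visit_id: str
    visitor_type: str           # e.g. "guest", "contractor", "cleaning"
    checked_in: datetime        # must be timezone-aware
    name: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None

    @property
    def anonymised(self) -> bool:
        return all(getattr(self, f) is None for f in PERSONAL_FIELDS)

def anonymise(v: Visit) -> Visit:
    """Strip identifying fields; keep type and date for headcount reporting."""
    return replace(v, **{f: None for f in PERSONAL_FIELDS})

def enforce_retention(visits, retention_days, now, mode="anonymise"):
    """Return (kept_records, expired_ids). mode is 'anonymise' or 'delete'."""
    if mode not in ("anonymise", "delete"):
        raise ValueError(f"unknown mode {mode!r}")
    cutoff = now - timedelta(days=retention_days)
    kept, expired = [], []
    for v in visits:
        if v.checked_in.tzinfo is None:
            raise ValueError(f"{v.visit_id}: naive timestamp, store UTC")
        if v.checked_in >= cutoff or v.anonymised:
            kept.append(v)          # within retention, or already scrubbed
            continue
        expired.append(v.visit_id)
        if mode == "anonymise":
            kept.append(anonymise(v))   # delete mode drops the record
    return kept, expired

# Constructed sample data: one 45-day-old visit, one 3-day-old visit.
NOW = datetime(2021, 2, 15, tzinfo=timezone.utc)
SAMPLE = [
    Visit("v1", "contractor", NOW - timedelta(days=45), "A. Example", "a@example.com", "07000000000"),
    Visit("v2", "guest", NOW - timedelta(days=3), "B. Example", "b@example.com"),
]
```

Running it a second time over its own output expires nothing, so it can be scheduled daily without re-processing already anonymised visits.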

6. Integrity and confidentiality: Make sure your data is encrypted

This principle relates to having effective security measures in place to protect personal data. A risk assessment should be undertaken to find out what risks are presented by holding personal data, and mitigations should be put in place to reduce those risks. You could also use methods such as encryption to protect data.

7. Accountability: Assign a Data Protection Officer (DPO)

GDPR requires that you take responsibility for how data is managed and how you comply with the law. A Data Protection Officer (DPO) is someone responsible for how personal data is handled, monitoring the level of compliance with GDPR and advising on your data protection obligations.

Source: ICO.

8. Visitor management policy

The safest way to avoid fines is to have a visitor management policy in place which covers how you collect, handle, store and delete personal data. This should be a collaborative effort, written in conjunction with your Data Protection Officer and IT department.

Read how to write a visitor management policy

9. Vgreet digital visitor management GDPR compliance

Our friends at Proxyclick take data protection very seriously, and it's one of the many reasons we're partnered with them. With Proxyclick's above-industry-standard security features, you can expect the following with your Vgreet:

  • Data encryption in transit and at rest

  • SAML-based SSO

  • Granular access rights and privileges

  • SCIM-based user provisioning

  • Custom data retention for visitor management GDPR compliance

  • SSL-only API security

  • DomainKeys Identified Mail (DKIM)

  • Granted an ISAE 3000 Type I data privacy attestation

In addition, because Proxyclick hosts in Europe, customers can be assured that their data is stored, handled and anonymised in accordance with GDPR.

Read Proxyclick's guide to visitor management GDPR.

Instant compliance

Another of our partners, Condeco, enables integration with Outlook and other room, desk and workplace management tools. Condeco syncs with Office 365, meaning visitor emails are created in existing Outlook meeting invites with no change to Microsoft workflows. These details populate the visitor management module in Vgreet. This removes the manual re-keying process and allows you to send branded invites to your visitors.

Read more about the Condeco and Microsoft ecosystem.

Digital visitor management journeys

GDPR compliance is only one of the benefits of the Vgreet visitor management system. Capture all visitors and deliver an unsurpassed digital visitor management journey with more visitor management features, including branded invites, maps to guide visitors to the office, pre-registration to comply with health and safety, and touchless three-second check-in.

Read our complete guide to Visitor Management

Learn more about visitor management techniques

Read the case study of Vodafone managing visitors with GDPR compliance

Not sure if your visitor management is GDPR compliant? Contact us.


© Vpod Solutions 2020. All rights reserved.