Is your visitor management GDPR compliant?

Updated: Mar 28

The news this week that firms in Europe have been collectively fined €273m for GDPR infringements highlights the importance of ensuring your visitor management follows GDPR regulation strictly. How can we store visitor data safely but, most importantly, easily? In this blog, we will cover:


What is GDPR?


The General Data Protection Regulation came into effect in May 2018 as the strictest law of its kind in the world. Drafted in the European Union, it applies to any organisation that stores and processes the data of people in EU countries, even if the country you operate in is not part of the EU.


Read more about GDPR


Thanks to the evolution of technology, millions of companies around the globe hold a mass of consumer data. Any personal data of people in the EU such as names, addresses, date of birth, purchases, and bank details must now be stored in a specific way and for a specific time frame.


Why do we need to consider GDPR compliance in visitor management?


GDPR aims to strengthen individuals' rights while ensuring the free flow of data in the digital market. The regulation raises the importance of several concepts, such as visitor consent and deletion periods.


Should a company break GDPR, the result can be huge penalties: either €20 million or 4% of global revenue. Can you afford to break GDPR?


The natural process of visitor management


In any organisation, visitor data is commonly collected to deliver a better visitor experience or to ensure the building's safety. Organisations collect the personal data of people who enter and exit their offices. Whatever the purpose, the manual process of collecting, managing and erasing that data requires technique and experience, and it can itself become a single point of failure.

Traditional paper visitor book GDPR compliance


Ensuring Visitor Privacy


No matter how you collect data from visitors, it must be handled, stored and deleted according to GDPR. This is not limited to data collected electronically; visitor sign-in sheets or anything else written down on paper are included too.

If you are using paper sign-in books to collect visitor details during check-in, you're putting yourself at a significantly higher risk. Letting a visitor see the previous visitor's information could be a breach of GDPR in your visitor management.


Data Safety


Ensure your visitor details are stored securely and deleted after a set period of time.


Compared with data held in a visitor management system, paper can easily be stolen, photographed or misplaced, which fails to comply with GDPR.


Data Purpose Limitation


GDPR states a purpose limitation on collecting your visitors' details, meaning that you must only collect the details you need. If you are using sign-in sheets, reception staff must ensure the relevant documents are provided to each type of visitor, such as contractors, guests, cleaning services, etc.



9 areas to ensure your Visitor Management's GDPR Compliance


In order to stay compliant with visitor management GDPR, Facilities Managers should already have worked with IT to put a visitor management policy in place that handles sensitive data.


However, if you're currently working to improve your reception services, it's worth coming back to this subject to be sure you're always following the data privacy regulation.


The recommendations below follow GDPR's core principles and are based on GDPR Associates' advice. Here is a step-by-step checklist to improve your visitor management GDPR compliance.

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Data accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability

  8. Write a clear visitor management policy

  9. Visitor management system and GDPR compliance


1. Lawfulness, fairness and transparency: Ask for consent

You should collect and use personal data fairly, without breaching any laws. It is important to ask for consent to use and store personal data and be honest about why it's needed and how long it will be kept. In this case, you can

  • Allow your visitors to confirm they have read the privacy policy

  • Give visitors options over which of their data can be stored in your visitor management system


2. Purpose limitation: Have a clear purpose of why you collect personal data


You must have a legitimate interest in collecting personal data. Be clear about why you want it and how it will be used. The visitor management GDPR establishes visitors' legal right to know what you plan to do with their information. If you need to know a visitor's full name, address, and other personal information, you must explain why you need it.


For visitor management purposes, the reasons might be:

  • Security purposes - to identify unauthorized visitors or ensure your building's safety.

  • In case of an emergency

  • To report visitor numbers/ visitor types

  • Create a digital log for a faster check-in next time


3. Data minimisation: Only collect personal data you need


This principle of visitor management GDPR relates to collecting visitor data that is adequate, relevant and limited to what is necessary. For visitor management, you should only ask for the data that you need to fulfil a purpose. For example, taking a mobile number so visitors can receive text notifications in the event of an emergency.


4. Data Accuracy


Visitor data should remain accurate when the data changes. For example, if a visitor has changed their address by the next time they visit, company records should be updated with the new address in a timely manner.


To keep your visitor data accurate, every time a visitor's details are updated in Outlook they populate the Vgreet visitor management system, so your front desk and facilities managers are always fully aware of expected visitors and meeting changes without rekeying the visitor's details.


5. Storage limitation: Make sure you erase visitor data easily or upon request


You shouldn't keep personal data longer than necessary, and your organisation may already have a policy in place regarding this. There is no hard rule on how long you can keep your visitor data; organisations need to agree a GDPR-compliant process, decide the retention period, and delete data accordingly when it expires.


For visitor management, you should follow your organisation's policy, with a process in place that erases or anonymises the data once the time period has lapsed. You should make all visitors aware of how long you'll store their data for, as per your company policy.


Instead of deleting records manually, Vgreet enables automatic visit deletion, which deletes visitor data after a specified number of days.
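Retention enforcement of the kind this section describes, as an added example (Python) that is not Vgreet's code or the page's own: it assumes a 30-day retention period as a placeholder for whatever your policy sets, a constructed set of visit records, a fixed "now" so the run is repeatable, and hypothetical helper names (`apply_retention`, `erase_on_request`, `find_retention_violations`). It shows the two ways of honouring the storage-limitation principle the text mentions (delete outright, or anonymise so visitor-number reporting still works), erasure of one data subject on request regardless of age, and an audit check that reports any record past retention still carrying personal data.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed retention period in days. The page says each organisation must set
# its own period in its visitor management policy; 30 is a placeholder here.
RETENTION_DAYS = 30


@dataclass(frozen=True)
class VisitRecord:
    visit_id: str
    visited_at: datetime          # timezone-aware UTC timestamp of the check-in
    visitor_type: str             # "guest", "contractor", ... kept for reporting
    full_name: Optional[str]
    email: Optional[str]
    mobile: Optional[str]
    anonymised: bool = False


def is_expired(record: VisitRecord, now: datetime, retention_days: int) -> bool:
    """True once the visit is at least `retention_days` old (boundary counts as expired)."""
    return now - record.visited_at >= timedelta(days=retention_days)


def anonymise(record: VisitRecord) -> VisitRecord:
    """Strip the personal fields but keep the non-personal ones (type, date)
    so that visitor-number and visitor-type reporting still works."""
    return replace(record, full_name=None, email=None, mobile=None, anonymised=True)


def apply_retention(records: List[VisitRecord], now: datetime,
                    retention_days: int = RETENTION_DAYS,
                    mode: str = "anonymise") -> List[VisitRecord]:
    """Enforce storage limitation over a list of visit records.

    mode="delete"     drops expired records entirely;
    mode="anonymise"  keeps them with the personal fields removed.
    Returns a new list; the input list is not modified. Safe to re-run.
    """
    if mode not in ("delete", "anonymise"):
        raise ValueError(f"unknown retention mode: {mode}")
    kept = []
    for record in records:
        if not is_expired(record, now, retention_days):
            kept.append(record)
        elif mode == "anonymise":
            kept.append(record if record.anonymised else anonymise(record))
        # mode == "delete": the expired record is simply not carried over
    return kept


def erase_on_request(records: List[VisitRecord], subject_email: str) -> List[VisitRecord]:
    """Erasure on request: drop every record of one data subject regardless of
    its age, matching on e-mail case-insensitively."""
    target = subject_email.strip().lower()
    return [r for r in records
            if r.email is None or r.email.strip().lower() != target]


def find_retention_violations(records: List[VisitRecord], now: datetime,
                              retention_days: int = RETENTION_DAYS) -> List[str]:
    """Audit check: ids of records past retention that still hold personal data."""
    return [r.visit_id for r in records
            if is_expired(r, now, retention_days) and not r.anonymised]


# Constructed sample data (not real visitors). NOW is fixed so the run is repeatable.
NOW = datetime(2023, 3, 28, 9, 0, tzinfo=timezone.utc)
SAMPLE_VISITS = [
    VisitRecord("v-0001", datetime(2023, 3, 27, 14, 0, tzinfo=timezone.utc),
                "guest", "Alex Example", "alex@example.test", "+44 7700 900001"),
    # exactly 30 days old: sits on the retention boundary and is treated as expired
    VisitRecord("v-0002", datetime(2023, 2, 26, 9, 0, tzinfo=timezone.utc),
                "contractor", "Pat Example", "pat@example.test", "+44 7700 900002"),
    VisitRecord("v-0003", datetime(2023, 1, 10, 11, 30, tzinfo=timezone.utc),
                "guest", "Sam Example", "sam@example.test", None),
]

if __name__ == "__main__":
    print("violations before:", find_retention_violations(SAMPLE_VISITS, NOW))
    after = apply_retention(SAMPLE_VISITS, NOW)
    print("violations after: ", find_retention_violations(after, NOW))
    for r in after:
        print(r.visit_id, r.visitor_type, r.full_name, "(anonymised)" if r.anonymised else "")
```

Run `find_retention_violations` as a scheduled audit alongside whatever job performs the deletion: the job proves the policy is applied, the audit proves it kept working. Anonymising rather than deleting is the choice to make when the "report visitor numbers/visitor types" purpose from section 2 must outlive the personal data.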


6. Integrity and confidentiality: Make sure your data is encrypted


This principle relates to having effective security measures in place to protect personal data. A risk assessment should be undertaken to find out what risks the personal data you hold presents, and mitigations should be put in place to reduce them. You could also use methods such as encryption to protect the data.


7. Accountability: Assign a Data Protection Officer (DPO)

Visitor management GDPR requires that you take responsibility for how data is managed and how you comply with the law. A Data Protection Officer (DPO) is someone who handles personal data, monitors the level of compliance with the GDPR, and advises on your data protection obligations.

Source: ICO


8. Visitor management policy


The safest way to avoid fines is to have a visitor management policy in place which covers how you collect, handle, store and delete personal data. This should be a collaborative effort, written in conjunction with your Data Protection Officer and IT department.


Read how to write a visitor management policy


Vgreet Digital Visitor Management GDPR Compliant


With our partner's above-industry-standard security features, you can expect to see the following with your Vgreet:

  • Data encryption in transit and at rest

  • SAML-based SSO

  • Granular access rights and privileges

  • SCIM-based user provisioning

  • Custom data retention for visitor management GDPR compliance

  • SSL-only API security

  • DomainKeys Identified Mail (DKIM)

  • Granted an ISAE 3000 Type I data privacy attestation


Digital visitor management journeys


Visitor management GDPR compliance is only one of the benefits of the Vgreet digital visitor management system. Capture all visitors and deliver an unsurpassed digital visitor management journey with more visitor management features, including branded invites, maps to guide visitors to the office, pre-registration to comply with health and safety, and touchless three-second check-in.


More Resources

  1. The Ultimate Guide - What is a visitor management system and how can it benefit my business?

  2. Download a free visitor management guide for your persona

Want to improve your GDPR compliance? Contact us.