The European Union's General Data Protection Regulation (GDPR) is just around the corner. In recent months the GDPR has taken over the headlines, and rumours have turned into full-on rumblings. Companies are getting increasingly nervous as the regulation becomes enforceable on 25 May 2018, and organizations found non-compliant face heavy fines.
The GDPR significantly expands the privacy rights granted to individuals, impacting many longstanding business processes. Organizations are now scrambling to review what personal data they are holding and for what purpose. Most companies think of employee and customer data first, yet seem to overlook an important area: visitor management.
What does GDPR mean for visitor management?
Visitor management is focused on understanding who enters your locations. For decades, companies have been capturing personal information at the front door to increase security and respond to audit requirements. While some organizations have gone digital, many are still using an old-fashioned paper logbook to keep a record of their guests.
The new comprehensive data law is designed to protect an individual's privacy and transform how organizations manage data. Personal data is any information relating to an identified or identifiable person, such as a name, photo or email address, and much of it is captured as part of the check-in process in offices and at events.
Simply put, visitor data is personal data. Companies are responsible for managing visitor data in line with the new regulation, which will require some drastic changes to processes and tools.
Why can't the paper lobby book support the GDPR requirements?
The paper logbook has been a simple solution to sign people in at offices and events. It has been used for decades and continues to be common practice. So why change?
Aside from the fact that pen and paper are inefficient and look outdated, the paper logbook presents significant risks for data security. Think about it: anyone signing in can see the personal information of everyone who signed in before them. The data lies on a front desk with no access control and no record of who has looked at it, and it cannot easily be corrected, deleted or searched. In case of a breach, would you even know it had happened, let alone be able to report it to the supervisory authority within the 72 hours the GDPR requires and notify the affected individuals?
A paper logbook does not provide the flexibility required to comply with the forthcoming data protection law. Organizations need to be able to customize what data is captured, how it is processed and when it gets deleted. The GDPR demands control, and the paper logbook cannot provide it.
So, what does the new data privacy law require?
The GDPR builds on the principles of fairness, data minimization, security, and accountability. Individuals (data subjects) in the EU are granted greater privacy rights that will impact how companies process personal data.
Let's take a look at the rights that are given to individuals in the EU and consider whether your organization is able to meet these requirements with its current systems and processes:
- Data access: an individual can request access to information including what data has been processed, the purposes of the processing, and the other parties the data has been shared with. Are you able to provide this information if you were asked today?
- Data correction: if an individual thinks the information is incomplete or inaccurate, are you able to correct it?
- Restriction of processing: can you limit the processing to a specific purpose or party based on an individual's request?
- Data portability: an individual can request a copy of their personal data in a structured, commonly used and machine-readable format, and have it transmitted to another organization. Would you be able to respond to this request?
- Right to be forgotten: can you erase data if the data subject withdraws consent and requests deletion? Erasure is not absolute: records you are legally obliged to keep, for example for safety or audit purposes, may be retained, but you need to know which records those are.
- Right to object: the individual can object to data processing, and where the purpose is direct marketing the objection must be honoured unconditionally. Can you stop processing for one specific purpose while continuing the others?
Understandably these rights put organizations under great pressure. Organizations will be held accountable when processing personal data, with fines of up to €20 million or 4% of global annual turnover, whichever is higher, and the unified law will ensure greater consistency of enforcement across the EU.
How can a visitor management system help?
A visitor management platform can address these data management requirements. Companies can take control and customize what data is captured, how it is processed and better react to an individual's request for changes or deletion.
The features of a customizable cloud-based visitor management platform enable organizations to operate in accordance with the GDPR with the following:
- Transparency and consent: you can clearly communicate to the visitor what and why data is captured by adding notifications during the sign-in process and customize the confirmation emails.
- Data collection: you can comply with the principle of data minimization by controlling what personal data is collected and customizing the sign-in flow. You can determine mandatory fields, capture consent, or skip questions for a specific type of visitor.
- Data processing: you can prevent unauthorized access to data with customizable user roles and increase control over who can view, modify, export, or delete personal data within an organization, in response to an individual's request.
- Data requests and transfers: you can support an individual’s rights to access and portability with the consolidated repository. The search functionality in the digital logbook provides the opportunity to access and export data for transfers if requested.
- Data deletion: you can delete visitor data on request, or once it is no longer needed for the purpose it was collected for, to support a data subject's "right to be forgotten" and the principle of storage limitation.
- Notification: with a consolidated view, you are able to establish quickly which visitors are affected by an incident or data breach, report it to the supervisory authority within the required 72 hours and notify the individuals without undue delay if their personal data has been compromised.
Find out more about how a visitor management platform helps you be compliant with the GDPR and other regulations.
We don't operate in the EU. Why should I care?
A common misperception is that the GDPR only applies to companies operating in Europe. The truth is that the GDPR has a much wider territorial scope. It applies to organizations established in the EU, and also to organizations anywhere else that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the organization is located. Now think again. Are you sure you do not hold or process personal data of anyone within the borders of the EU at a given point in time? Does your database include any European customers, employees or prospects? In that case, you should care.
Choosing where to store your data
Data residency is an important consideration for many organizations. Having control over where to store and process data is a legal requirement for certain industries. In light of increasing data protection requirements, Sign In Enterprise has added local data centers in the US, UK and Canada to offer greater flexibility in data residency to organizations worldwide. Note that choosing a storage location does not by itself satisfy the GDPR: transferring the personal data of individuals in the EU outside the European Economic Area still requires a lawful transfer mechanism.
Still unsure? Watch this short overview video by the WSJ on what the GDPR is and how it affects organizations worldwide:
The EU is sending a clear message that it is taking a strong stance on data protection. The GDPR is approaching at a rapid pace, pushing companies to get their ducks in a row. We urge you to review what data you process across your company and take action to meet the data protection requirements. At Sign In Enterprise, data security is a priority. We value our customers' trust and will ensure their visitor data is protected. Contact us to find out more about GDPR and visitor management.