Have you taken steps to ensure your visitor management is GDPR-compliant?
With GDPR being the corporate topic of 2018, I am almost certain that you have read at least quite a few of the constant articles/posts explaining the key fundamental elements of the legislation. If not, here's a quick and summarised explanation below:
With the latest EU General Data Protection Regulations (GDPR) being introduced from 25th May 2018, it is the most important change to data privacy regulation in 20 years, all organisations must start preparing to comply with its vast requirements because it will be the law. GDPR places greater emphasis on the documentation that data controllers must keep demonstrating their information accountability, it increases the privacy and data usage rights for individuals and provides the regulatory authorities greater powers to act against businesses that breach the new data protection laws.
Now, instead of going through the many factors and features of GDPR, I wanted to focus this article on the reasons why your paper visitor book is a threat to being compliant.
So, why is my traditional paper visitor book non-compliant?
Firstly does your paper visitor book provide 'Opt-In' consent and terms when collecting visitor data? Do you explain how you will use the data collected in the book?
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication.”
Article 4 (11) of GDPR
GDPR requires you to record that your onsite visitors have agreed to their personal data to be actioned for specific functions, this could even be for tasks such as health, safety and evacuation purposes. Many organisation are mistaking GDPR being related to marketing operations only, but this incorrect, it covers all personal data, used for all activities.
The front screen of the app clearly displays the privacy statement and all data is ‘Opt-in’ consent driven with only visitor name being mandatory for the purposes of building risk assessment.
If a visitor wants you to delete and remove their information, how would you do this with your paper visitor book?
One of the keys aspects of GDPR is the 'Right to erasure' more commonly known as the 'Right to be forgotten'.
Now how would you do this currently with your paper visitor book? Rip out the page? Cross out the information? I'm sure you will agree that ripping out pages of a visitor book is not a process you would want to incorporate into your organisation.
“The data subject shall have the right to withdraw his or her consent at any time.”
Article 7 of GDPR
From the e-Reception Book's real-time dashboard you can permanently remove individual visitor records simply, quickly and without delay.
Delay being the keyword:
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay".
Does your paper visitor book store personal details for longer than what is needed?
How long do you keep your paper books for? What do you do once the book is finished? Store it in an office drawer?
“Data must be kept for no longer than is necessary for the purposes for which the personal data are processed.”
With the e-Reception Book you can determine the length of data to be retained via the dashboard.
Is personal data secure and private?
Is your visitor book publicly on show? Can anyone go through the book? If someone steals the book, is that data breached? Is your book secure from theft?
Why these question? GDPR imposes stricter obligations with regard to data security and data confidentiality:
"Implement appropriate technical and organisational measures"
"The encryption of personal data.
"The ability to ensure the ongoing confidentiality"
Am I guessing correctly your visitor book is not currently secure and very much on public show?
Visitor books contain personal data and if this information goes missing, you will be dealing with a data breach (which can be particularly costly in terms of fines). GDPR requires you to secure and protect personal information and visitor books are one big list of personal information that could be abused.
"The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident".
If your visitor book goes missing are you able to restore the data?
The e-Reception Book does not store data on the iPad, so if the device does go missing, a data breach will not be a concern. Our solution does not display a list of visitor names or employee names, therefore keeping all details private and confidential. As all data is securely stored on the online dashboard (SSL certified and operates HTTPS), the information is kept secure and accessible only to your authorised staff.
With GDPR coming into force it's imperative that you start reviewing all your processes that obtain and process personal data. We strongly recommend undertaking a Privacy Impact Assessment (PIA). PIA's are not limited to new technologies but should be conducted for any activity that may involve the collection/processing of personal data. I will be writing a PIA related article next week as I believe it's the best method to analyse if a solution/process is compliant with GDPR legislation.
e-Reception Book - GDPR Compliant:
- Clearly displays privacy statements and terms.
- All data captured is ‘Opt-in’ consent driven.
- Secures personal data, keeping visitor details confidential.
- Includes features that support GDPR's 'Right to be forgotten'.
- The ability for the visitor to sign privacy statements.
The e-Reception Book provides a modern impression to all of your visitors and starts from as little as £1 per day (+VAT). As used by some of the UK's largest serviced office groups and organisations across the UK.
Please get in touch if you would like to know more about the e-Reception Book solution.
Laurence Bohmer - Digital Marketing Manager