Introduction
GDPR (General Data Protection Regulation) is a new EU law that comes into effect on 25 May 2018. It is intended to protect the personal data and privacy rights of individuals in the EU. GDPR must be complied with whenever and wherever the personal data of EU residents is collected or processed, and organisations must also make sure individuals are able to exercise the new rights they will have under GDPR.
We have put together this document to help you prepare your visitor management processes for GDPR compliance.
Before we begin, a very important note...
Welcm is not a law firm. This document is to provide general information only. It is not intended to be legal advice and should not be treated as such nor is it intended to address your specific requirements. The information is not a complete and comprehensive statement of the law. Organisations should seek independent legal advice regarding data protection, the law and their specific requirements.
GDPR: Is my company affected?
GDPR affects any company that collects or uses the personal data of EU residents, so your company does not need to be in the EU for GDPR to affect it. Your company will be affected if:
- It is an EU company
- It is a non-EU company that either:
- offers goods and / or services to EU residents
- monitors EU residents’ behaviour
Understanding the basic GDPR terms
- “Data subjects” (your visitors): The individuals whose personal data you hold, for example EU residents who have visited your organisation
- “Data controllers” (your organisation): Organisations that decide why and how visitor information is collected and used for visitor management purposes
- “Data processors” (your visitor management system (VMS)): Software providers that handle visitor information on behalf of, and on the instructions of, your organisation
Which GDPR requirements affect visitor management?
- Lawful basis (legitimate interest): You must have a specified, explicit and legitimate purpose for collecting visitor information, and a lawful basis for doing so. For visitor management (knowing who is on site, security, health and safety) that basis is usually legitimate interest.
- Consent (for sensitive data): Legitimate interest covers ordinary visitor details such as name, company and time of visit. You only need to ask for consent if you collect special category data, for example health information (including disability), racial or ethnic origin or religious beliefs; for these you need the visitor’s explicit consent. Note that photographs processed to identify a visitor by biometric means are also special category data.
- Transparency: At the point you collect the data you need to disclose the information required under GDPR (e.g. who you are, why you collect the data, how long you keep it and how visitors can ask you to access, correct or delete the data you hold on them).
- The “Right to be forgotten”: You need to comply with a visitor’s wish to delete their data from all systems where you store it, including copies held by your processors. You will need to comply without undue delay and at the latest within one month of the request.
- The right to access and rectify data: You need to comply with a visitor’s wish to access or correct their data in all systems where you store it. You will need to comply within one month of the request.
- Accountability: You must be able to demonstrate compliance: keep a record of what visitor data you collect and why, and have processes to properly inform visitors and handle their requests. You remain responsible for the processors you use; each must give sufficient guarantees and be bound by a written data processing agreement.
What should my organisation do now?
Map your visitor data:
Senior leaders and your Data Protection Officer (if your organisation is obliged to appoint one) should complete a data audit. During the audit the following questions should be answered:
- How do we collect visitors’ personal data?
- What data do we collect?
- How much of the data we collect do we actually use?
- How do we use the personal data in our operations?
- Where do we store visitor data?
- Who can access visitor data?
- How does data flow within our organisation across processes / functions / departments?
- What are our processes for sharing, transferring, modifying and deleting data?
Create a privacy policy specifically for visitors:
Creating a visitor specific privacy policy will allow you to keep the information contained in the policy transparent, clear and concise. You should make sure you include:
- Name / contact details of your organisation and Data Protection Officer if you have one
- An explanation of your legitimate interest along with a statement that data is used for visitor management purposes only
- The types of information about visitors that reside in your company files
- Who you will share the data with
- Where and how you collected the visitor data
- Where the processing is based and where the data is stored
- How long your organisation will store visitor data
- The visitor’s rights
- Instructions for how visitors can exercise their rights regarding the data you hold
- How you protect the visitor data
Modify your visitor management practices to comply with GDPR:
Do you currently use a paper sign in book?
Visitor details are visible to every other visitor who glances at the book. This is a significant problem under GDPR, because it is very hard to guarantee the confidentiality of visitor data if you use a paper sign in book.
If your organisation uses a paper visitor sign in book, data duplication is also a problem: visitor details are often copied into CRMs, spreadsheets and a multitude of other systems. Every copy has to be found and removed when a visitor asks for their data to be deleted, which makes that a difficult and laborious process.
Given these risks and the administrative effort involved, paper sign in books should be a serious concern, and moving to an alternative visitor management practice is highly recommended.
Set a fixed period for storing visitor data
Storing visitor data is, in many cases, essential; storing it indefinitely, however, is usually not required and could put your organisation at risk of failing to comply with GDPR.
Once you have mapped your visitor data you should know how long you need to keep it. Once you have ascertained this time frame you should put processes in place that ensure visitor data is completely removed from all your systems, including any duplicates, after the retention period has passed.
Depending on your method for collecting and storing visitor data your method for deleting the data will vary. For example, Welcm customers are able to set this period and their Welcm visitor management system will automatically hard delete data on their behalf removing any risk of holding data longer than is stated and reducing the administrative load on employees.
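The retention sweep and the deletion-on-request described above, written out as an added example (this is not Welcm’s code, and the store names, record fields and sample visitors are all constructed for illustration). It shows the two points a practitioner cares about: the deletion is a hard delete rebuilt without the expired rows rather than a “deleted” flag, and it is applied to every place a copy of the data lives (here an in-memory sign-in list, a CRM export and a reception spreadsheet), so a single retention period and a single erasure request cover all duplicates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# All names, fields and sample records below are constructed for this example.

SAMPLE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # "today" for the sample run


@dataclass
class VisitorRecord:
    email: str
    name: str
    signed_in_at: datetime  # timezone-aware


class VisitorStore:
    """One place visitor data lives: the sign-in system, a CRM export, a spreadsheet."""

    def __init__(self, label, records):
        self.label = label
        self._records = list(records)

    def count(self):
        return len(self._records)

    def purge_older_than(self, cutoff):
        """Hard delete every record signed in before `cutoff`; return how many went.

        The list is rebuilt without the expired rows rather than flagging them as
        deleted, so no copy survives for a later export or report to leak.
        """
        before = len(self._records)
        self._records = [r for r in self._records if r.signed_in_at >= cutoff]
        return before - len(self._records)

    def erase_subject(self, email):
        """Hard delete every record for one visitor (email compared case-insensitively)."""
        key = email.strip().lower()
        before = len(self._records)
        self._records = [r for r in self._records if r.email.strip().lower() != key]
        return before - len(self._records)


def retention_sweep(stores, retention_days, now=None):
    """Apply one retention period to every store; returns {store label: rows deleted}."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    return {s.label: s.purge_older_than(cutoff) for s in stores}


def erase_on_request(stores, email):
    """Handle an erasure request across every store.

    Returns an audit entry showing the request was actioned. It carries only a
    truncated hash of the address, not the address itself; a hash of an email is
    still pseudonymised personal data, so give the audit log its own retention.
    """
    deleted = {s.label: s.erase_subject(email) for s in stores}
    ref = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()[:16]
    return {"subject_ref": ref, "deleted": deleted, "total": sum(deleted.values())}


def build_sample_stores():
    """Constructed sample data: the same visitors duplicated across three stores."""
    utc = timezone.utc
    alice = VisitorRecord("alice@example.com", "Alice", datetime(2018, 1, 10, tzinfo=utc))
    bob = VisitorRecord("bob@example.com", "Bob", datetime(2018, 4, 1, tzinfo=utc))
    carol = VisitorRecord("carol@example.com", "Carol", datetime(2018, 5, 20, tzinfo=utc))
    return [
        VisitorStore("sign-in system", [alice, bob, carol]),
        VisitorStore("CRM export", [alice, bob]),
        VisitorStore("reception spreadsheet", [bob]),
    ]


if __name__ == "__main__":
    stores = build_sample_stores()
    # 90-day retention: Alice (signed in 10 Jan) is expired on 25 May, Bob and Carol are not.
    print(retention_sweep(stores, retention_days=90, now=SAMPLE_NOW))
    # Erasure request for Bob removes all three copies of his record.
    print(erase_on_request(stores, "Bob@Example.com"))
    print({s.label: s.count() for s in stores})
```

In a real deployment the `VisitorStore` methods would issue `DELETE` statements or API calls against the actual systems; the point that carries over is that the retention job and the erasure handler both iterate over the complete list of stores from your data map, so a store you forgot to register is a store that keeps data past the period you told visitors.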
Be transparent about storing visitor data
You should make sure your visitor data policy is easily accessible to visitors and make sure it is fit for purpose. You should also consider emailing visitors once you have collected their data.
There are of course numerous ways you can achieve this level of transparency. You should talk to your visitor management system provider to discuss what they can do to help you.
Welcm allows you to automatically email visitors a link to your visitor data policy when they sign in. Using the customisable visitor sign in flows you can also display the visitor data policy as part of the sign in process.
Review existing visitor data
Go through every visitor in the places you store visitor data currently. If you no longer need a visitor’s data, delete it. If you still have a legitimate reason for storing their data you should contact them to explain you are processing their data. It would be advisable to send your visitor data policy to them too.
Ensure your software vendors (e.g. VMS) are compliant
First, establish where your data processors are:
- Are your data processors in the EU?
- If they are, GDPR applies to them directly, but that does not by itself mean they comply: you still need a written data processing agreement with them and should check what they actually do with your data
- Are your data processors outside the EU?
- If they handle personal data of EU residents on your behalf then GDPR still applies to that processing, and sending the data outside the EU additionally requires a recognised transfer mechanism (for example an adequacy decision or standard contractual clauses)
Review your vendors’ data policies to check they are consistent with GDPR. Whatever their location, GDPR requires a written data processing agreement with every processor. The agreement should oblige them to process visitor data only on your instructions and according to GDPR requirements, to keep it secure, to tell you about any sub-processors they use and to delete or return the data when the contract ends.
Ask your software providers:
- What they have done to comply with GDPR
- How they ensure their own sub-processors (hosting providers, email services and so on) are GDPR compliant
- What tools they offer to help your company remain GDPR compliant
- Whether they have clear privacy policies and where you can review them
Update your processes to grant visitor requests
There are a number of processes you need to consider here, namely:
- Letting visitors access their personal data upon request
- Deleting and / or rectifying visitor data
- Letting visitors withdraw their consent where you relied on consent (e.g. for sensitive data), or object to processing you base on legitimate interest
Once these processes are in place you should communicate them in your visitor privacy policy, on your website or in your terms and conditions.