Is your Visitor Management System GDPR-compliant?

Becoming fully GDPR-compliant is not a small task. Making sure that no visible part of your operations is exposed under the new data privacy regulation is hard work, so have you thought about your visitor management system?

Do you have an auditor? Have they discussed your GDPR compliance with you? Is your visitor management system compliant?

In short, GDPR stands for General Data Protection Regulation, a game-changing regulation adopted by the European Union that takes effect on 25 May 2018.

What does this mean for me?

  • It aims to strengthen the rights of individuals regarding the handling and processing of their personal data while ensuring the free flow of data in the EU digital single market.
  • It builds on the existing legislation (the 1995 Data Protection Directive), but also raises the bar on several concepts such as consent, retention periods and so on.
  • It introduces hefty fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, for organizations that fail to comply.
  • It applies to any organization established in the EU, and also to organizations outside the EU that process the personal data of people in the EU (data subjects) when offering them goods or services or monitoring their behaviour.

Let’s Break this down

1) Do you only collect client data that you absolutely need? (data minimization)

Article 5(1)(c) of the GDPR (data minimisation) provides:

“Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

What this means for your VMS:

Every field you collect needs to pass one test: is there a way to achieve the purpose without collecting it? If there is, do not collect it. Even better, if you can tailor the check-in process to different profiles of visitors (a delivery driver, a contractor, an interview candidate), you can ensure that each visitor is only ever asked for the information you absolutely need for that kind of visit.

2) When collecting your visitor data, do you ask their permission (consent) and explain how you will use it?

Recital 32 and Article 4(11) of the GDPR:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of (…) agreement to the processing of personal data.”

What this means for your VMS:

You need to be able to demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes (Article 7(1) places the burden of proof on you). In a VMS this is best done with a separate, unticked opt-in, such as a toggle by which the visitor agrees to you storing their visit data, shown alongside a short explanation of what it will be used for and a link to the privacy policy. A pre-ticked box, or merely asking the visitor to confirm that they have read the privacy policy, does not count as consent under Recital 32. Record when and how each consent was given, so you can prove it later.

3) If one of your visitors changes their mind and no longer wants you to keep their data, is this easy to undo?

Article 7(3) of the GDPR:

“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”

What this means for your VMS:

Your organization needs to allow visitors to say, at any point, that they no longer want you to store their visit data, and revoking consent must be as easy as giving it. Withdrawal does not make the processing that already happened unlawful, but from that moment on you have no basis to keep the data (unless another lawful basis, such as a legal obligation, applies), so the withdrawal should trigger deletion. A GDPR-compliant VMS can offer this with the same toggle used to give consent, so that visitors can change their mind during a subsequent visit, and it should keep a record of the withdrawal just as it keeps a record of the consent.

4) Do you store visit details for no longer than what is needed?

Article 5(1)(e) of the GDPR (storage limitation):

“Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

What this means for your VMS:

Storage limitation (keeping data only as long as the purpose requires) is distinct from the right to erasure of Article 17, sometimes called the ‘right to be forgotten’, but both are served by the same deletion features. One way to tackle this is to allow bulk selection and deletion of visits in the dashboard. A more robust solution is automatic deletion after a specified number of days, because it does not depend on someone remembering to run the clean-up. Ideally, your VMS will either have this feature or be built to easily integrate it in the near future; either way, decide on a retention period per type of visit and write it down, since you will be asked to justify it.
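The three controls described in points 1, 3 and 4 above (per-profile data minimisation, consent that can be withdrawn as easily as it was given, and automatic deletion after a retention period) fit together in a single small model of a visitor register. The following is an added example written for this article; it is not code from the original post or from Visipoint, and the profile field lists, the 30-day retention period and the sample visits are all assumptions. It assumes that consent is the only lawful basis for keeping visit data, so withdrawal leads to deletion at the next purge.

```python
"""Minimal in-memory visitor register (added example, not Visipoint code).

Shows: data minimisation per visitor profile, consent given/withdrawn with an
evidence log, and a purge that removes visits past retention or whose consent
was withdrawn. All field lists, periods and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed per-profile field requirements (data minimisation, Art. 5(1)(c)).
# A delivery driver is never asked for an e-mail address or a company name.
PROFILE_FIELDS = {
    "contractor": {"name", "company", "phone"},
    "interviewee": {"name", "email"},
    "delivery": {"name"},
}


@dataclass
class Visit:
    visitor_id: str
    profile: str
    checked_in: datetime
    data: dict
    consent_given_at: Optional[datetime] = None
    consent_withdrawn_at: Optional[datetime] = None


@dataclass
class VisitorRegister:
    retention_days: int = 30          # assumed retention period, Art. 5(1)(e)
    visits: list = field(default_factory=list)
    # Evidence of consent (Art. 7(1)): visitor id, action and timestamp only,
    # deliberately kept separate from the visit data that gets purged.
    consent_log: list = field(default_factory=list)

    def check_in(self, visitor_id: str, profile: str, data: dict,
                 consent: bool, now: datetime) -> Optional[Visit]:
        """Store a visit only if the fields match the profile and consent was given."""
        allowed = PROFILE_FIELDS[profile]
        extra = set(data) - allowed
        if extra:
            raise ValueError(f"fields not needed for profile {profile!r}: {sorted(extra)}")
        missing = allowed - set(data)
        if missing:
            raise ValueError(f"fields required for profile {profile!r}: {sorted(missing)}")
        if not consent:
            # No consent, no lawful basis in this model: record nothing.
            return None
        visit = Visit(visitor_id, profile, now, dict(data), consent_given_at=now)
        self.consent_log.append((visitor_id, "given", now))
        self.visits.append(visit)
        return visit

    def withdraw_consent(self, visitor_id: str, now: datetime) -> int:
        """One call withdraws consent for all of a visitor's stored visits (Art. 7(3)).

        Returns the number of visits affected. The data itself is removed by purge().
        """
        affected = 0
        for visit in self.visits:
            if (visit.visitor_id == visitor_id
                    and visit.consent_given_at is not None
                    and visit.consent_withdrawn_at is None):
                visit.consent_withdrawn_at = now
                affected += 1
        self.consent_log.append((visitor_id, "withdrawn", now))
        return affected

    def purge(self, now: datetime) -> int:
        """Delete visits older than the retention period or with consent withdrawn.

        Meant to run on a schedule (e.g. nightly). Returns the number deleted.
        """
        cutoff = now - timedelta(days=self.retention_days)
        kept, removed = [], 0
        for visit in self.visits:
            expired = visit.checked_in < cutoff
            withdrawn = visit.consent_withdrawn_at is not None
            if expired or withdrawn:
                removed += 1
            else:
                kept.append(visit)
        self.visits = kept
        return removed
```

The consent log survives the purge on purpose: Article 7(1) requires you to be able to show that consent was given, and a withdrawal is equally worth proving, whereas the visit data itself is what must go. In a real deployment the purge would run as a scheduled job against the database, and the retention period would be configurable per profile rather than a single register-wide value.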

5) Did you sign a Data Processing Agreement?

Article 28(1) of the GDPR:

“The controller shall use only processors [vendors] providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.”

What this means for your VMS:

Your VMS provider must give you assurances that they comply with the GDPR in all applicable aspects detailed in Article 28, as well as the related provisions of Articles 32 to 36 (security of processing, breach notification, data protection impact assessments). Article 28(3) requires that this takes the form of a binding written contract, commonly called a Data Processing Agreement (“DPA”), which sets out the subject matter and duration of the processing, the security measures the processor must apply, the use of sub-processors, and what happens to the data when the contract ends. If your vendor cannot offer a DPA, that is a red flag in itself.

6) Did you appoint a Data Protection Officer?

Article 37(1) of the GDPR:

“The processor and the controller shall designate a data protection officer [in specific circumstances].”

What this means for your VMS:

Under Article 37(1), a DPO must be designated where the organization is a public authority, where its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of data. If either you or your visitor check-in system vendor fall into one of these cases, that party needs to designate a DPO. The DPO's tasks (Article 39) are to inform and advise the company and its employees, monitor compliance with the GDPR and other related laws, and act as the contact point for the supervisory authority in the relevant Member State. Even where a DPO is not mandatory, it is worth naming someone who owns this question for the VMS.

7) Do you know if your vendor has put in place a data breach notification plan?

Article 33(2) of the GDPR:

“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

What this means for your VMS:

A reliable VMS provider will have a fast, well-rehearsed and clear notification process for the case where your visitors' data is accessed by an unauthorized third party, or lost or altered. As a controller you have only 72 hours from becoming aware of a breach to notify the supervisory authority (Article 33(1)), and where the breach is likely to result in a high risk to the individuals you must also inform them (Article 34). That clock does not wait for your vendor, so ask them how quickly they commit to telling you, what information their notice will contain, and whether the DPA spells this out.


If you want to know how we can help you with your visitor management system, have a look at Visipoint and see how it can help you.

You can also contact us.