GDPR (General Data Protection Regulation) is the most important change in data privacy regulation in the EU since 1995. The new rules have a huge impact on businesses that gather and process personal data, such as operators of visitor management systems. Therefore, you are legally obliged to ensure that your visitor management system is GDPR compliant.
The new regulation affects all businesses across the globe which provide goods and services in the EU, irrespective of where the data are stored and processed. The penalties for non-compliance are up to €10 million, or 2% of annual global turnover – whichever is higher.
What does GDPR compliance mean?
GDPR is a step towards protecting personal data and privacy of users. Users need to know how and why organisations are using their personal data.
In this article, we are going to break down the core aspects of GDPR; however, we suggest further reading for a more detailed understanding (2018 reform of EU data protection rules).
What are GDPR requirements for visitor management systems?
The fundamentals of GDPR which are relevant for visitor management systems are:
- Request your visitors' consent before gathering their personal data,
- Be transparent about how and why the visitor's personal data is processed,
- Do not use a visitor's data for any purpose other than the one for which it was collected,
- Visitors have a complete right to request that their data be deleted,
- Guarantee the security of personal data against external threats.
The above 5 points are the core principles of GDPR which apply to visitor management systems. If you are in the process of selecting a new visitor management system or already have one in place, you need to ensure that your system complies with all the above principles.
What is the GDPR compliance checklist for a visitor management system (VMS)?
The official GDPR documents have detailed explanations around various laws and their implications. But for the purpose of brevity, we will only explore the key items in the GDPR compliance checklist that are relevant for your visitor management system.
Visitor Consent
The most important aspect of GDPR is that you should not collect visitor’s data without their consent. Therefore, a visitor management system should have a feature which allows users to go through the privacy policy contract and opt-in process before they submit their personal data.
What to expect in a VMS?
The visitor management systems should display a mandatory check-box before visitors can submit their personal data. They can also use digital contract documents where visitors can sign before submitting their details.
Transparency
You need to provide detailed reasons why you are collecting visitor’s personal data and how you are planning to process and use them. This transparency is important to gain the trust of visitors and also to make them aware of how their data are being used.
What to expect in a VMS?
The interface of the visitor management systems should be customisable to communicate important information with your visitors during sign in. The system also should be able to display and send additional documents via email for later consumption.
Defined Purpose
You should not overwhelm visitors by asking for too much personal information. This creates a poor experience and also violates the GDPR principles. You are required to collect only the minimum personal data that is useful for your business, and nothing more.
What to expect in a VMS?
For instance, you cannot ask details like passport number, birthdate, driving license number and credit card number of your visitor without providing valid reasons.
Therefore, the visitor management system should have a customisable form that allows you to define the user inputs. In addition, it should let you design a custom check-in process based on the type of visitor, so that you don't ask for the same information multiple times.
Data Access
Visitors have a full right to access the information stored about them in your visitor management system and to request that it be deleted. This principle also implies that no data should be kept for longer than the required length of time.
What to expect in a VMS?
One of the ways of complying with this principle is by having an automated process which deletes the data after a defined interval of time. You should be able to define the time period as a rule within your visitor management system.
In addition to deletion, you should be able to set anonymisation rules which anonymise the personal data of the visitor but keep their sign-in details. This allows you to comply with GDPR and at the same time assess the performance of your workplace in future.
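The retention, anonymisation and erasure rules described in the Data Access section above, worked through as an added illustration (this is not code from the original article or from any visitor management product): it assumes a sign-in record with three personal fields (name, email, company) plus non-personal sign-in details (host, timestamp), two time-based policy values, and a constructed set of sample records with a fixed "now" so the outcome is deterministic.

```python
"""Retention, anonymisation and erasure rules for visitor sign-in records.

Added illustration, not code from the original article or any VMS vendor:
the record fields, rule names, policy values and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VisitorRecord:
    """One sign-in event. Only name, email and company are personal data."""
    visitor_id: int
    name: Optional[str]
    email: Optional[str]
    company: Optional[str]
    host: str                  # employee being visited; kept for statistics
    signed_in_at: datetime
    anonymised: bool = False


def anonymise(rec: VisitorRecord) -> VisitorRecord:
    """Strip the identifying fields but keep the sign-in details."""
    return replace(rec, name=None, email=None, company=None, anonymised=True)


def apply_retention(records: List[VisitorRecord], now: datetime,
                    anonymise_after: timedelta,
                    delete_after: timedelta) -> List[VisitorRecord]:
    """Apply two time-based rules, measured from the sign-in timestamp.

    Records older than `delete_after` are dropped entirely; records older
    than `anonymise_after` (but younger than `delete_after`) lose their
    personal fields. Newer records are returned untouched, and records that
    were already anonymised are left as they are, so the job is idempotent.
    """
    kept = []
    for rec in records:
        age = now - rec.signed_in_at
        if age >= delete_after:
            continue
        if age >= anonymise_after and not rec.anonymised:
            rec = anonymise(rec)
        kept.append(rec)
    return kept


def erase_visitor(records: List[VisitorRecord],
                  visitor_id: int) -> List[VisitorRecord]:
    """Honour a visitor's erasure request: remove every record for that id."""
    return [r for r in records if r.visitor_id != visitor_id]


def visits_per_host(records: List[VisitorRecord]) -> Dict[str, int]:
    """Workplace statistics that survive anonymisation (no personal fields)."""
    return dict(Counter(r.host for r in records))


# Constructed sample data (hypothetical visitors); "now" is fixed on purpose.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    VisitorRecord(1, "Ada Example", "ada@example.com", "Example Ltd", "host-a",
                  SAMPLE_NOW - timedelta(days=2)),     # recent: kept intact
    VisitorRecord(2, "Bob Sample", "bob@example.com", "Sample GmbH", "host-b",
                  SAMPLE_NOW - timedelta(days=40)),    # old: anonymised
    VisitorRecord(3, "Cy Stale", "cy@example.com", "Stale Inc", "host-a",
                  SAMPLE_NOW - timedelta(days=400)),   # very old: deleted
]
ANONYMISE_AFTER = timedelta(days=30)   # assumed policy values, not from the article
DELETE_AFTER = timedelta(days=365)


def run_sample() -> List[VisitorRecord]:
    """Run the retention job over the constructed sample set."""
    return apply_retention(SAMPLE_RECORDS, SAMPLE_NOW, ANONYMISE_AFTER, DELETE_AFTER)


if __name__ == "__main__":
    kept = run_sample()
    for rec in kept:
        print(rec)
    print(visits_per_host(kept))
```

The job is meant to run on a schedule; because already-anonymised records are not touched and deletion is measured from the original sign-in time, running it twice gives the same result as running it once. The erasure function is kept separate because it is triggered by a visitor's request rather than by elapsed time.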
Data Security
Just like all other web systems, a visitor management system should have a robust, state-of-the-art data security framework. The system should be able to protect your data against theft and against accidental loss, destruction or damage.
What to expect in a VMS?
Therefore, you need to make sure that your visitor management system guarantees data security through a contractual agreement so that you are protected. You can check this by asking for details about where your visitor management system is hosted and which data centre technology is being used.
What more you need to know about GDPR
We recommend that you visit the official GDPR website to understand more about how you can protect your business and customers and become GDPR compliant.
However, the fundamental aim of GDPR is to ensure that your employees' and visitors' data are secured and not used for any illegal purpose. Hence, you should always make sure that the digital solutions or any other technology you use do not violate users' privacy and security.