Ensuring that your visitor management software is GDPR compliant is crucial for any business that collects personal information. Here’s how to ensure that your visitor management software is GDPR compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) governs the way businesses process and store personal data, ultimately to prevent data breaches and the theft of sensitive information.
There are currently two GDPRs: the EU GDPR and the UK GDPR, which came into force following Brexit.
For the most part, the key principles of the UK GDPR are the same as those of the EU GDPR; however, some rules differ where personal data is transferred between the UK and the EEA, which you can read more about here.
Why was GDPR implemented?
GDPR was introduced in response to growing concerns about the way personal data is collected, used and stored by companies. Concerns were raised about the potential for misuse of personal data, and about it falling into the wrong hands and being exposed.
The rules and guidelines of GDPR made it clear to customers how their personal data would be collected, used, retained and disposed of.
Under GDPR it is important to collect only the data that you absolutely require; you should not collect any personal data that is irrelevant to your purpose.
What does GDPR have to do with visitor management software?
Visitor management software requires you to collect guests’ personal data, such as their name and possibly contact information. GDPR applies as soon as this personal data is collected.
GDPR applies to any collection or processing of personal data that can be linked back to an individual, such as names, email addresses, vehicle registration plates and pictures.
GDPR protocols apply to both electronic visitor management systems and paper-based systems.
Who is involved in GDPR compliance?
There are three main stakeholders involved in GDPR compliance and management:
- The visitor, also known as the data subject
- Your company, also known as the data controller
- Your software, also known as the data processor
How long should data be retained?
GDPR sets no minimum or maximum period for retaining personal data. Companies can establish their own retention periods, which could be anything from a week to a year.
As long as the data is held securely, it can be stored for as long as it is required; once it is no longer required, it must be disposed of in a compliant manner to ensure data protection.
Risks of GDPR Non-Compliance
If your business doesn’t comply with GDPR, then you could face serious legal penalties. Here are some recent examples of penalties that companies have faced:
- 2019: Google was fined €50 million by the French data protection authority for not being clear about its data protection practices
- 2020: British Airways was fined £20 million by the UK data protection authority for a data breach that exposed the personal data of around 500,000 customers
- 2021: The UK data protection authority fined the hotel group Marriott £18.4 million for a data breach that exposed the data of over 330 million guests
The Higher Maximum
As stated by ico.org.uk, “The higher maximum amount, is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.”
The Standard Maximum
Again, as stated by ico.org.uk, “If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”
How to ensure your Visitor Management System is GDPR compliant
There are a number of steps that you can take to ensure that your visitor management system is GDPR compliant:
1 Ask for consent
GDPR requires businesses to obtain consent before collecting personal data. You need to ensure that your VMS allows guests to confirm that they have read the privacy policy, or to choose which of their data may be stored.
2 Provide information
GDPR gives individuals, including your guests, a legal right to know what you plan to do with their data once they have provided it. You must be upfront and clear about how it will be used and for how long it will be stored.
3 Collect only what you require
Be selective and ask only for the data that you require. This streamlines the check-in process and prevents you from storing any unnecessary data.
4 Control & limit access
Businesses must ensure that only authorised staff have access to the data collected. Implement access control procedures that log which members of staff have accessed the collected data; you can then review the log and confirm that no unauthorised member of staff has viewed customers’ personal data.
5 Encrypt information
Cloud-based visitor management systems provide a safe way to store data, as the stored data is encrypted and therefore difficult for an unauthorised party to access or read. Encryption protects the stored data; it does not replace the access controls in step 4.
6 Respect your guests
Visitors can withdraw their consent at any time, and this must be respected. If you do not act on their request and remove the data originally collected, you are in breach of GDPR.
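The six steps above worked through in code, as an added example that is not the page's or any vendor's software: a small in-memory visitor register that refuses to store a visitor without consent, stores only an allow-listed set of fields, logs every access attempt so the log can be reviewed for unauthorised staff, erases a record when the visitor withdraws consent, and purges records that have passed the retention period. The 30-day retention period, the allowed fields, the staff identifiers and the visitors are all constructed for this example; a real controller sets its own policy values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed policy values for this example; a real controller chooses its own.
RETENTION = timedelta(days=30)
ALLOWED_FIELDS = {"name", "email", "host"}  # data minimisation: nothing else is stored


@dataclass
class VisitorRecord:
    record_id: int
    data: dict
    consented_at: datetime  # when consent was given; retention is counted from here


@dataclass
class VisitorRegister:
    authorised_staff: Set[str] = field(default_factory=set)
    records: Dict[int, VisitorRecord] = field(default_factory=dict)
    access_log: List[dict] = field(default_factory=list)
    _next_id: int = 1

    def register(self, data: dict, consent_given: bool, now: datetime) -> int:
        """Step 1 and 3: store a visitor only with explicit consent and only allowed fields."""
        if not consent_given:
            raise PermissionError("visitor did not consent; nothing stored")
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing to store unnecessary fields: {sorted(extra)}")
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = VisitorRecord(rid, dict(data), now)
        return rid

    def read(self, record_id: int, staff_id: str, now: datetime) -> Optional[dict]:
        """Step 4: every read attempt is logged; only authorised staff receive data."""
        allowed = staff_id in self.authorised_staff
        self.access_log.append(
            {"when": now, "staff": staff_id, "record": record_id, "allowed": allowed}
        )
        if not allowed:
            return None
        rec = self.records.get(record_id)
        return dict(rec.data) if rec else None

    def withdraw_consent(self, record_id: int, now: datetime) -> bool:
        """Step 6: erase the record when the visitor withdraws consent."""
        if record_id not in self.records:
            return False
        del self.records[record_id]
        self.access_log.append(
            {"when": now, "staff": "system", "record": record_id,
             "allowed": True, "event": "erased on consent withdrawal"}
        )
        return True

    def purge_expired(self, now: datetime) -> List[int]:
        """Retention: delete records past RETENTION; returns the ids removed."""
        expired = [rid for rid, r in self.records.items() if now - r.consented_at >= RETENTION]
        for rid in expired:
            del self.records[rid]
        return expired

    def unauthorised_reads(self) -> List[dict]:
        """Step 4 review: access attempts by staff who were not authorised."""
        return [e for e in self.access_log if not e["allowed"]]


def demo() -> dict:
    """Walk through the steps with constructed visitors, staff and timestamps."""
    t0 = datetime(2024, 1, 1, 9, 0)
    reg = VisitorRegister(authorised_staff={"reception"})
    first = reg.register({"name": "A. Visitor", "host": "J. Smith"}, True, t0)
    second = reg.register({"name": "B. Visitor", "email": "b@example.com"}, True,
                          t0 + timedelta(days=20))
    refused = []
    try:  # no consent: nothing is stored
        reg.register({"name": "C. Visitor"}, False, t0)
    except PermissionError:
        refused.append("no consent")
    try:  # a field outside the allow-list is rejected (data minimisation)
        reg.register({"name": "D. Visitor", "passport": "X1"}, True, t0)
    except ValueError:
        refused.append("unnecessary field")
    seen_by_reception = reg.read(first, "reception", t0)
    seen_by_intern = reg.read(first, "intern", t0)  # logged, but returns nothing
    withdrawn = reg.withdraw_consent(second, t0 + timedelta(days=21))
    purged = reg.purge_expired(t0 + timedelta(days=30))  # first record is now 30 days old
    return {
        "refused": refused,
        "reception_saw_name": seen_by_reception["name"],
        "intern_saw": seen_by_intern,
        "withdrawn": withdrawn,
        "purged": purged,
        "unauthorised_attempts": len(reg.unauthorised_reads()),
        "remaining": len(reg.records),
    }


if __name__ == "__main__":
    print(demo())
```

The access log records the refused read by the unauthorised member of staff as well as the successful one, which is what makes the review in step 4 possible; the erasure on withdrawal is also logged so that the register can show the request was honoured after the data itself is gone.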
Keep GDPR Compliant with our Visitor Management Systems
If your business is looking for a GDPR compliant visitor management software supplier, then you can get in touch with our team today to begin implementing your visitor sign in system.