With the one-year anniversary of the EU’s General Data Protection Regulation (GDPR) just behind us, we know by now that GDPR applies to any personal data your business collects, including that of physical visitors to your office. This ranges from basic information like names and email addresses to more sensitive details like car registration numbers and photos. Understandably, there are still lots of misconceptions around what it all means for GDPR and visitor management.

Let’s take a look at the most common ones, and see if there’s any truth to them.

Myth 1: GDPR and visitor management don’t apply to paper

Fact: GDPR is technology neutral

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing.

— GDPR Recital 15, General Data Protection Regulation

This means that your paper trails can easily fall under the scope of GDPR.

If your company is still using a paper logbook for visitor sign-in, you should be aware of the pitfalls and risks you are exposed to, starting with the fact that every visitor who signs the sheet can read the entries of everyone who signed before them.

GDPR applies to any processing of personal data by automated means, and also to manual processing where the data forms part of a filing system, that is, a structured set of personal data accessible according to specific criteria (Article 2(1) and Article 4(6)). A visitor logbook ordered by date is exactly such a filing system, so whether the collection and processing is done digitally or with pen and paper does not matter.

Are you ready to be held accountable for your paper visitor sign-in sheet?

Myth 2: You can easily achieve a GDPR-compliant visitor logbook

Fact: It’s possible, but not easy by any means

This is because GDPR lays out a set of general principles to be followed.


Achieving lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality (the principles of Article 5) is technically possible on paper. It is also a risk to take on manually: we are all human, and there is always a margin for human error.

Even the so-called “discreet sheets” you find on the market are not fool-proof.

They address one area for improvement, confidentiality, because a visitor can no longer read the entries above their own. Other areas, such as accuracy and storage limitation, still fall short and leave you open to risk during a potential audit.

Myth 3: Visitors must always give explicit consent

Fact: Explicit consent does not apply to (all of) your visitor data

The concept of consent is one of the main pillars of GDPR.

That is…

“…any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent as a legal basis can be withdrawn by the individual at any time. Therefore, it is often advisable to investigate whether other legal bases are possible.”

However, GDPR consent isn’t some modern-day “bogeyman” coming to get us.

The regulation actually lists consent as only one of six lawful bases for processing (Article 6(1)); the other five do not require consent at all:

  1. Contractual necessity, when the processing is needed to perform a contract with the data subject, or to take steps at their request before entering into one
  2. Legal obligation, when the processing is required to comply with a legal obligation the controller is subject to
  3. Vital interests, the “life or death” cases where processing is needed to protect the life of the data subject or of another person
  4. Public interest, when the processing is necessary for a task carried out in the public interest or in the exercise of official authority
  5. Legitimate interests, when the processing is necessary for a legitimate interest of the controller or a third party that is not overridden by the interests, rights or freedoms of the data subject

Note also that “explicit” consent is the standard GDPR sets for special categories of data (Article 9), for example biometric data used to identify a visitor; ordinary visitor data such as a name and email address falls under Article 6.

A solid visitor management system allows for a range of scenarios, including the ability to capture digital signatures on NDAs or other agreements. In fact, we’ve created sample clauses in 22 languages about consent for your NDAs.

But we advise you to consult your legal counsel to accurately assess each situation in which explicit consent might not be necessary.

A good basis to start that conversation could be our white paper on GDPR-compliant visitor management, Checking into data privacy. It includes an overview of GDPR basics and helpful checklists provided by Crowell & Moring LLP.


Myth 4: It’s enough to just delete the data from time to time

Fact: Storage limitation and the right to erasure require more than occasional deletion

Storage limitation (Article 5(1)(e)) means your organization needs to define a retention period for visit details and stick to it: you cannot keep personal data for longer than the purpose you collected it for requires. The right to erasure (Article 17, the “right to be forgotten”) adds a second obligation: when a visitor asks, you must be able to find and delete their data on request, not just whenever the next clean-up happens to run.

It’s actually the third step in our GDPR compliance checklist for your visitor management system:

When it comes to visitor management, you’ll need software that adapts to your needs.

Being able to automatically delete the visit details is as priceless as a good night’s sleep knowing you’re not breaking any laws.
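As an added example (not the author’s or Eptura’s code) of what the two obligations above look like in practice, the block below keeps a visitor log in memory, applies a fixed retention period automatically on every run, and handles an erasure request for one data subject. Both paths leave behind a tombstone that records that a deletion happened without keeping any personal data. The record layout, the 30-day retention period and the sample visits are assumptions constructed for the example.

```python
"""Retention enforcement and erasure for a visitor log (added example).

Assumptions for the example: a Visit record with the fields below, a
30-day retention period, and a handful of constructed sample visits.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Visit:
    visit_id: str          # opaque system identifier, not personal data
    name: str
    email: str
    host: str
    signed_in: datetime    # timezone-aware


@dataclass
class VisitorLog:
    retention: timedelta
    visits: list = field(default_factory=list)
    tombstones: list = field(default_factory=list)  # proof of deletion, no personal data

    def record(self, visit: Visit) -> None:
        self.visits.append(visit)

    def _tombstone(self, visit: Visit, reason: str, when: datetime) -> None:
        # Keep only the opaque id, the time and the reason so the log can
        # show an auditor that the record was deleted, and when, and why.
        self.tombstones.append({
            "visit_id": visit.visit_id,
            "erased_at": when.isoformat(),
            "reason": reason,
        })

    def enforce_retention(self, now: datetime) -> int:
        """Delete every visit older than the retention period; return the count."""
        cutoff = now - self.retention
        expired = [v for v in self.visits if v.signed_in < cutoff]
        for v in expired:
            self._tombstone(v, "retention_expired", now)
        self.visits = [v for v in self.visits if v.signed_in >= cutoff]
        return len(expired)

    def erase_subject(self, email: str, now: datetime) -> int:
        """Honour an erasure request for one data subject; return the count."""
        key = email.casefold()  # match the address case-insensitively
        matches = [v for v in self.visits if v.email.casefold() == key]
        for v in matches:
            self._tombstone(v, "erasure_request", now)
        self.visits = [v for v in self.visits if v.email.casefold() != key]
        return len(matches)


SAMPLE_NOW = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)


def build_sample_log() -> VisitorLog:
    """Constructed sample data: five visits relative to SAMPLE_NOW."""
    log = VisitorLog(retention=timedelta(days=30))
    days = lambda n: SAMPLE_NOW - timedelta(days=n)
    log.record(Visit("v1", "Alice Example", "alice@example.com", "host-a", days(45)))
    log.record(Visit("v2", "Carol Example", "carol@example.com", "host-b", days(31)))
    log.record(Visit("v3", "Alice Example", "alice@example.com", "host-a", days(10)))
    log.record(Visit("v4", "Bob Example", "bob@example.com", "host-c", days(2)))
    log.record(Visit("v5", "Alice Example", "alice@example.com", "host-b", days(5)))
    return log


def run_demo() -> dict:
    """Apply retention, then an erasure request, and report what is left."""
    log = build_sample_log()
    expired = log.enforce_retention(SAMPLE_NOW)          # v1 and v2 are older than 30 days
    erased = log.erase_subject("Alice@Example.com", SAMPLE_NOW)  # v3 and v5 remain for Alice
    return {
        "expired": expired,
        "erased": erased,
        "remaining": len(log.visits),
        "remaining_ids": [v.visit_id for v in log.visits],
        "tombstones": log.tombstones,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the tombstone is that an auditor can be shown that deletion is actually happening on schedule, while the tombstone itself carries nothing that identifies the visitor. In a real system the same purge also has to reach badge printouts, email notifications to hosts and backups, which is exactly why “delete from time to time” is not enough.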

Myth 5: A data processing agreement (DPA) isn’t necessary

Fact: A subcontracted security firm, or a visitor management vendor that handles visitor data on your behalf, is a data processor

Your company may be one of many tenants in a multi-tenant building, or you may use a third-party firm to handle your office building security. In either scenario, there are three “players” in the eyes of GDPR:

  1. Your visitor is the data subject
  2. Your company, which decides why and how the data is processed, is the data controller
  3. Any third party processing the data on your instructions, such as a security contractor or a cloud visitor management provider, is the data processor


It’s important to know who the “players” are when it comes to GDPR and visitor management, whether you’re using a paper or cloud-based visitor management solution.

This is where the DPA comes in. Article 28 requires a written contract between controller and processor that sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of both parties. Check that your security contractor and your visitor management vendor each have one in place with you.

By

Jonathan writes about asset management, maintenance software, and SaaS solutions in his role as a digital content creator at Eptura. He covers trends across industries, including fleet, manufacturing, healthcare, and hospitality, with a focus on delivering thought leadership with actionable insights. Earlier in his career, he wrote textbooks, edited NPC dialogue for video games, and taught English as a foreign language. He holds a master's degree in journalism.