The last thing I think about when I’m on vacation is “GDPR.”

Yet last month, when I was staying at a lovely hotel (who shall not be named in this blog), I was faced with a wholly non-GDPR-compliant scenario.

After a good night’s sleep, my son and I made our way down to hotel’s scrumptious breakfast spread. As the host greeted us, I noticed on his stand a few pieces of paper.

multiple-visitor-sign-in-sheets

On one of them, my name stood out to me immediately and next to it: my room number, home address, and telephone number. Even the smell of crisp bacon in the air didn’t help ease my anxiety.

I asked the kind gentleman to “cover the guest info, please,” and he didn’t understand why. After two cups of coffee in my system, I went back to explain to him why.

The “why” in why are paper sign-in sheets not GDPR-compliant?

The very essence of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and by virtue of the authority vested in the UK’s Information Commissioner’s Office (ICO), is data privacy.

As such, GDPR fines exist to keep businesses accountable. If you need a bit more background before diving deeper into this topic, then please do head over to our GDPR guide and I’ll see you back here shortly.

These fines are actually avoidable, especially around your visitor management. But like the saying, “it takes a village,” it really does take a holistic approach from your organization.

You can definitely start with saying goodbye to the sign-in sheet. Why?

This was just one revelation we had when we asked 2,000 business professionals around the US and UK about their experiences in corporate lobbies around the world.

There’s more about it in our Front Desk Experience Survey 2018. But your business can get fined for this very cause, so don’t believe anyone telling you otherwise.

GDPR myths are the new urban myths of our time.

GDPR fines come in tiers

Fun Fact: If an organization has been fined for multiple GDPR violations, it will only be penalized for the most severe one.

But no two GDPR fines are alike and depending on the violation, your business will be penalized more severely.

To break it down into simpler terms, there are two possible degrees of severity:

Tier One

Monetarily, you can be fined 2%, up to $12 million, of your organization’s worldwide annual revenue from the prior year. They include any violation of the articles specific to:

  • Certification bodies
  • Monitoring bodies
  • Data Controllers and Processors: It’s vital to have a Data Processing Agreement (DPA) in place with your visitor management solution provider. At Proxyclick, we’ve adapted our “legalese” to reflect GDPR. See our template

Tier Two

These are the heavier fines for more serious violations. Read: Stomping on the very principles of the right to privacy and the right to be forgotten.

This is where the fines jump to 4% or up to $24 million, of your organization’s worldwide annual revenue from the prior year.

Some notable GDPR fines: Google et al.

By now we’ve all seen the headlines about the big hitters:

  • Google
  • Facebook
  • British Airways, and
  • Marriott

They’re going through the ringer for falling short of doing everything they could to comply with GDPR.

With fines in amounts upwards of $229 million, it’s important to note that it’s not only big names getting hit with penalties.

There are hundreds of GDPR penalties that have been doled out since the regulation’s passing in March of 2018, just not as massive or hurled into the public eye as the ones mentioned above.

Failure to delete data gives Denmark’s Data Protection Authority (DPA) their first acts of power

In April 2019, data deletion and data minimization took the GDPR spotlight in Denmark for the first time.
Clear in GDPR’s bylaws, it states: Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The data subject shall have the right to withdraw his or her consent at any time.— Article 7(3) of GDPR
However, Danish taxi company Taxa failed to delete customer data—telephone numbers to be exact—inside the 2-year data retention period. Their fine was to the tune of roughly €160,000.
Furthermore, in June 2019, the Danish DPA also proposed a fine of €200,000 on IDDesign, a trendy Scandinavian interior design company—and this also for failure to delete data of its customers.
But remember, it’s not only your customers’ data you must manage.
Yes. Your company’s visitors’ details also fall under GDPR’s data minimization. So it’s important to make sure the visitor management solution you implement allows you to set your visitor data retention periods.
So not only will you be able to more easily comply with data minimization, but you’ll be able to show the automated process you have in place when it comes time for an audit.

The hotel sign-in sheet scenario revisited

In July 2019, World Trade Center Bucharest, was fined 15,000 for the very scenario I started this blog with.
A hotel employee left a printed list of their guests laying around their restaurant’s front desk. The list was photographed by passerby and subsequently shared publicly, leaking the personal data of said guests!
Not only is this a nightmare for the guests—can you imagine having your personal info passed around without your knowing? But it also resulted in a sanctioned fine of 15,000.
Having a digital visitor management system like Eptura, with granular access privileges, could have saved Work Trade Center Bucharest much time and trouble—and reputation to boot. (More about how we handle security here)
Truth be told, I didn’t know about this particular hotel’s “breach in data” until recently. I’d be lying if I said I wasn’t tempted to send this blog post back to the lovely hotel I stayed at last month just so they’re aware of the risks.
Avatar photo

By

Jonathan writes about asset management, maintenance software, and SaaS solutions in his role as a digital content creator at Eptura. He covers trends across industries, including fleet, manufacturing, healthcare, and hospitality, with a focus on delivering thought leadership with actionable insights. Earlier in his career, he wrote textbooks, edited NPC dialogue for video games, and taught English as a foreign language. He holds a master's degree in journalism.