Managing visitors to your business – balancing a warm corporate welcome and GDPR

With the average British worker attending over 6000 meetings in their career, many of those hosted on client premises, a delicate balance must be achieved between the visitor data that different departments are keen to capture, and adhering to the stringent criteria laid out by GDPR.

Collecting and storing a visitor’s personal data, whether that’s via a visitor’s book (electronic or paper), means holding personal information such as names, car registrations, and contact numbers – to make sure your business is not in breach of the new data protection law, it is critical that robust data management systems are put in place early.

First impressions are vital. In business, the first impression can literally mean the difference between getting that contract or not; between the client taking to you and your business or feeling that it wasn’t for them. And whilst organisations are utilising the latest ‘proptech’ VMS to extend a warm welcome, it must be acknowledged that businesses will always deal with two very distinctive visitor camps; those that are reticent for any data to be held about them, particularly in the long-term, and those that expect organisations to remember their details for a swifter check-in experience.

Within companies too, different departments can have very different perspectives. For example, whilst the hospitality team will insist that the check-in process must be smooth, with returning visitors needing to be able to re-use their profile for fast and personalised check-in, those in the legal departments will insist upon the deletion of visitor data after a short period. And then there is the conflicting requirements from the compliance department, which advocates deletion of visitor data to meet GDPR, but also needs to be able to produce logs of visitor activity to remain compliant with ISO and industry certifications. Add security into the mix, which might need to access data from over a year ago to investigate a theft, it’s clear to see why companies are currently struggling as to where to focus.

This May, GDPR introduces much stronger provisions around Consent and “Right to be forgotten” for the data subject. Under the new regulations, consent must be freely given, specific, informed and unambiguous to meet GDPR requirements. So how does this translate to the visitor experience?

The following 5-point checklist will help businesses to check their existing visitor check-in system for compliance with GDPR:  

1) Do you only collect client data that you absolutely need? (data minimisation)

The Article 54 of GDPR provides: “Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

Any data you collect needs to pass the test of asking yourself whether there is a way to achieve the purpose without collecting the data. Even better, if you can tailor the check-in process to different profiles of visitors, you can ensure that you always only ask for the information you absolutely need.

2) When collecting your visitor data, do you ask their permission (consent) and explain how you will use it?

Para. 32 of the preamble and Article 4 (11) of GDPR: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of (…) agreement to processing of personal data.”

You must demonstrate that your visitors explicitly agreed to the processing of their data for specific purposes. Again, this can be achieved by allowing them to confirm reading the privacy policy, or by offering a toggle switch by which they allow you to store their data on your VMS.

 3) If one of your visitors changes their mind and no longer wants you to keep their data, is this easy to undo?

Article 7 of GDPR: “The data subject shall have the right to withdraw his or her consent at any time.”

Your organisation must allow visitors to say at any point that they no longer want you to store their visit data and revoking consent to store their data should be as easy as giving it. You will find that the GDPR-compliant VMS offers this by way of a toggle that allows visitors to change their mind during their subsequent visits.

4) Do you store visit details for no longer than what is needed?

Article 5 of GDPR: “Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

One way to tackle the question of data retention a.k.a. ‘right to be forgotten’ is to allow bulk selection and deletion of visits in the dashboard. A more elegant solution for this is automatic deletion after a specified number of days. Ideally, your VMS will either have this feature or be built to easily integrate it in near future.

5) Did you sign a Data Processing Agreement?

Article 28 of GDPR: “The controller shall use only processors [vendors] providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation.”

Your VMS provider must provide assurances that they comply with the GDPR stipulations in all applicable aspects detailed in Article 28, as well as the related provisions of articles 32 to 36. In practice, this implies that you have a binding written agreement, also called a Data Processing Agreement (“DPA”) in place, ensuring a strict level of safety and security of the personal data processed on your behalf.

By Geoffroy De Cooman, Managing Director at Proxyclick