You’ve probably heard about the new General Data Protection Regulation for businesses that has recently gone into effect in the European Union.
These regulations, commonly referred to as the GDPR, are the reason for all the privacy policy update notifications flooding your inbox. Any business that has a presence in the EU (or sells to EU citizens online) must comply with the new regulations or face huge fines.
The GDPR, which has established some of the farthest-reaching privacy laws in the world, was borne out of growing wariness about corporations’ habit of personal data collection. Consumers want to know that their data is being used responsibly and as intended.
However, these rules don’t just apply to marketing and sales tactics. They apply any time a business collects personal information — and one of the times this happens consistently is at reception desks.
Although this law, as it relates to visitor management, is only enforceable for offices in the EU, it does set forth some good guidelines for any company that values its customers’ right to privacy. All companies should take note, regardless of where they’re located.
We’re not lawyers, and you should definitely consult your own legal professional regarding these issues. But here are some of the general ways to modify your visitor check-in process to become more GDPR-friendly.
Don’t Collect Personal Data You Don’t Need
It’s easy for companies to collect more information than is actually necessary just to cover their bases, or perhaps to use in the future. But that’s no longer allowed under the GDPR.
Responsible business leaders will give real thought to what information they truly need to collect, and not collect any more than that.
When it comes to visitor management, one of the most important steps to take is to create a customized, streamlined check-in process for each type of visit. For example, you could collect security clearance information from people who will be accessing secure areas. For food deliveries, you might only need to collect the company name. (The pizza deliverer understandably might balk at being asked for their country of origin and background check data.)
For more information on how to create custom check-in procedures that only collect relevant information for each type of visit, read our full article on the topic: How to Build Your Company’s Own Visitor Management System.
Explain How You’ll Use the Personal Data You Collect
Explaining how you’ll use personal info goes hand in hand with only collecting the information you need. After all, how do you know you need it if you don’t have a specific plan in mind for its use? The GDPR establishes that EU citizens have a legal right to know what you plan to do with their information, including the info that’s collected at the check-in kiosk in the lobby.
Here are 5 reasons you might ask visitors to enter their personal data at check-in:
- For security purposes (especially to keep a record of who has accessed sensitive areas)
- For insurance purposes
- For reporting purposes (such as an understanding of which type of people and how many people visit the office)
- To make it easier for visitors to quickly log in the next time they come to the office
- To keep an accurate emergency evacuation list
Work with your lawyer to write a disclosure that includes the reason for each type of personal data being collected, how long you’ll store it in your system (no longer than necessary), and where the data will be kept (in the visitor management system or elsewhere).
Ask for Consent (And Allow Visitors to Opt Out)
Once people understand what information you’re collecting and why, they’ll still need to opt in or out of giving it to you. Your visitor management system should be able to keep a record of each visitor’s acknowledgement that they’ve read and agreed to have their information collected.
Visitors may be prompted to check a box after they’ve read the terms, for example. They may also be able to change their preferences in their profile or settings.
If visitors prefer not to give their personal data when they check in, there should be a procedure in place to let them skip the standard check-in process or sign in another way — or anonymize the visit data so that they can’t be identified.
Again, your company’s privacy agreement should be reviewed by a lawyer who can help make sure that the language in opt-in is as clear and unambiguous as the GDPR requires.
Make Sure You Can Erase Visitor Data Easily and Upon Request
The GDPR also includes a “right to erasure,” or a “right to be forgotten.” Opting into data collection and approving the privacy policy once doesn’t make it permanent. Your customers can revoke their consent at any time, and businesses are required, on request, to delete their data or strip it of any identifying information.
Visitors have a variety of motivations to keep their visits private (intellectual property, competing job offers, and stealth business partnerships are a few), and those might change over time. In many cases, you can keep a record of the visit but remove the visitor’s name and company information. In others, you can keep a record of past visits but stop storing it for future visits.
It’s each business’s responsibility to make it easy for customers to opt out and to choose which information stays on file.
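The three practices above (collecting only the fields a visit type needs, recording the consent decision with an anonymous fallback, and honouring erasure either by deleting the record or by keeping the visit while stripping the visitor’s identity) fit together in a small data model. The following is an added example written for this article; it is not code from the article or from any visitor management product. The field sets per visit type, the `PERSONAL_FIELDS` list and the retention periods are assumptions chosen for illustration, not a statement of what the GDPR requires for your office.

```python
"""Added example: a minimal visitor log that enforces per-visit-type data
minimization, records consent, and supports anonymization and erasure."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional
import uuid

# Hypothetical field sets per visit type (constructed for this example; which
# fields a real office needs is a decision for the business and its lawyer).
ALLOWED_FIELDS = {
    "delivery": {"company"},
    "meeting": {"name", "company", "host"},
    "secure_area": {"name", "company", "host", "clearance_id"},
}

# Fields that identify the visitor; these are what anonymization removes.
PERSONAL_FIELDS = {"name", "company", "clearance_id"}

# Hypothetical retention periods (constructed; the rule is "no longer than necessary").
RETENTION = {
    "delivery": timedelta(days=7),
    "meeting": timedelta(days=90),
    "secure_area": timedelta(days=365),
}


@dataclass
class Visit:
    visit_id: str
    visit_type: str
    checked_in_at: datetime
    data: Dict[str, str]
    consent_given: bool
    consent_version: Optional[str]  # which disclosure text the visitor was shown
    anonymized: bool


def strip_personal(data: Dict[str, str]) -> Dict[str, str]:
    """Keep only the fields that cannot identify the visitor."""
    return {k: v for k, v in data.items() if k not in PERSONAL_FIELDS}


class VisitorLog:
    def __init__(self) -> None:
        self.visits: Dict[str, Visit] = {}

    def check_in(self, visit_type: str, submitted: Dict[str, str],
                 consent_given: bool, consent_version: str, now: datetime) -> str:
        """Record a visit. Fields the visit type does not need are rejected
        outright; if consent was declined, only non-identifying fields are kept."""
        if visit_type not in ALLOWED_FIELDS:
            raise ValueError(f"unknown visit type: {visit_type}")
        extra = set(submitted) - ALLOWED_FIELDS[visit_type]
        if extra:
            raise ValueError(f"fields not needed for {visit_type}: {sorted(extra)}")
        data = dict(submitted) if consent_given else strip_personal(submitted)
        visit_id = str(uuid.uuid4())
        self.visits[visit_id] = Visit(visit_id, visit_type, now, data, consent_given,
                                      consent_version, anonymized=not consent_given)
        return visit_id

    def anonymize(self, visit_id: str) -> None:
        """Erasure, variant 1: keep the fact of the visit, drop the identity."""
        v = self.visits[visit_id]
        v.data = strip_personal(v.data)
        v.consent_given = False
        v.anonymized = True

    def erase(self, visit_id: str) -> None:
        """Erasure, variant 2: remove the record entirely."""
        del self.visits[visit_id]

    def purge_expired(self, now: datetime) -> int:
        """Anonymize every still-identifiable visit older than its retention
        period. Returns how many records were anonymized."""
        count = 0
        for v in list(self.visits.values()):
            if not v.anonymized and now - v.checked_in_at > RETENTION[v.visit_type]:
                self.anonymize(v.visit_id)
                count += 1
        return count
```

Rejecting unneeded fields at check-in, rather than silently dropping them, is deliberate: it makes an over-collecting kiosk form fail loudly during testing instead of quietly storing data the business has no stated purpose for. Running `purge_expired` on a schedule is what turns a written retention period into an enforced one.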
Choose a Secure and Competent Visitor Management System
Paper visitor logs present a variety of security concerns, as we mentioned in this post. That’s why companies that value privacy are increasingly using software for their visitor check-in.
However, companies that want to comply with the GDPR will need to make sure that their visitor management system is also compliant.
There’s a whole set of rules in place for the secure processing and storage of digital data, and each software system your business uses will need to adhere to those — including your visitor management software.
In addition to technical security measures, GDPR-compliant SaaS companies will have appointed a Data Protection Officer whose sole job is to keep the company’s data storage practices safe, up-to-date, and compliant.
Make Sure There’s a Breach Plan
There needs to be a plan in place to promptly notify consumers if their data is accessed by a third party without permission.
Of course, in order to identify a breach, you need a good handle on the whereabouts of all your sensitive data and security measures in place that will alert you when a breach has occurred.
If you’re still using paper, a physical break-in or misplaced files would constitute a breach (this article has helpful information on securing your paper files in compliance with GDPR). But if you’re using software to check in visitors, this responsibility will also extend to the software company. Before you commit to any visitor management software, ask about their breach plan.
Doing the Right Thing
Handling business operations transparently and ethically has always been the right thing to do. But these days, it’s essential to the bottom line.
Millennials, in particular, are interested in doing business with companies that have social missions. And in the age of social media, companies can get publicly put on trial if they’re not transparent and ethical.
U.S.-based companies that have no physical presence in the EU may not have to deal with these laws quite yet, but it pays to stay ahead of the game and understand what emerging privacy laws really mean — not just for your legal obligations, but to forge better relationships with your clients.