The GDPR & Visitor Management: a major challenge for companies

The General Data Protection Regulation, GDPR (1), which came into force three years ago (on 25 May 2018), is not limited to the topics of computer processing and cyber security.

When you receive visitors on site, they usually have to sign a paper or digital register to access your offices. This register requires the collection of personal information and therefore falls directly within the scope of the GDPR. In this sense, any European company processing personal data (2) must comply with the GDPR.

Furthermore, it is noted that “81% of French people now say they are more aware of data protection issues.” (3)
There is a good chance that your visitors will also pay close attention to this.

Here is an overview of your obligations and the solutions that will allow you to continue to welcome your visitors in a modern and friendly way while remaining GDPR compliant.

The principles to be respected to be in compliance

In France, the Commission nationale de l’informatique et des libertés, CNIL (4), is the regulatory authority for personal data and therefore ensures that the GDPR is respected and applied.

As a reminder, if the CNIL identifies a failure to comply with the provisions of the GDPR during an inspection or following a complaint, the offender is exposed to financial penalties that can amount to "up to 20 million euros, or in the case of a company, up to 4% of annual worldwide turnover." (5)

To avoid this, there are a few key principles to follow: (6)

  • Minimise the data collected, including first and last name, company, date and time of arrival and departure of the visitor.
  • Limit the duration of data retention to the legal period.
  • Inform visitors about the processing of their data.
  • Restrict access to the register to authorised persons.

Thanks to technology, IT solutions can be adapted to help you bring your visitor reception procedure into compliance.

Solutions for compliance

If you are reading this article, it is likely that you already have a visitor management solution, that you are looking to change it, or that you are wondering whether it is necessary.

In any event, the software must have the features to meet legal requirements.

These include:

– Periodic data purging, automatic or manual.
– Signing of documents related to data processing conditions.
– Assigning roles according to the authorisation of each employee.
– Anonymisation of personal data.

In addition to these prerequisites, you may want the provider's assistance in implementing such a solution, in order to benefit from its specific expertise in visitor management.

The provider can then work hand in hand with the general services department, the safety and security department and the legal department to best meet your compliance expectations.

At Hamilton Apps, we understand that these issues are strategic for your organisation. That’s why we have rigorously applied the principle of “compliance by design” in the development of our visitor management solution: Hamilton Visitor.

If you would like to know more about the GDPR compliance of our solutions, contact one of our experts.

Sources:

(1) CNIL - GDPR
(2) CNIL - GDPR (Article 4, No. 1)
(3) IFOP - April 2019
(4) CNIL
(5) CNIL - Sanction
(6) CNIL - GDPR (Article 5, No. 1)