GDPR compliance is an essential factor for many companies when adopting a visitor management system. AskCody offers several settings in Visitor Management that let you respond to GDPR requirements according to your needs and context. Through a mix of existing and new features, we have you covered. To make the decision easier, here is a summary of the actions to take.
Visitor Management and GDPR compliance
Every processing operation on personal data is covered by the GDPR. In this sense, the GDPR fundamentally affects how visitor data is gathered and handled. This is true both for companies that still use the traditional paper logbook and for those that have an advanced, compliant visitor management system in place. When processing personal data, a number of general rules must be followed; the GDPR outlines them as principles. They are:
- Fairness and transparency
- Purpose and storage limitation
- Data minimization
- Impact analysis of data protection
- Reliability and discretion
AskCody treats information as an asset, so it must be protected appropriately. This is particularly crucial given the increasingly interconnected work environment. Because of this rising interconnectivity, information is exposed to a growing number of risks and vulnerabilities that require appropriate prevention. With the help of our information security policy, AskCody is able to meet market demands, adhere to legal regulations, and abide by the GDPR while maintaining the highest levels of information security. The GDPR therefore forms the basis for the design of our information security policy and for the independent third-party ISAE 3000 audit.
Ensure you only collect client data that you absolutely need (data minimization)
The GDPR requires organizations that store and process data to use only the amount of data that is sufficient for the purpose of the operation. This is called data minimization. Between AskCody and you, the client, this is already covered in the DPA under the data processing instructions: purposes and subject matter. But for the external visitors who enter your company, there are things you must do as well in order to comply.
AskCody offers a smart way to minimize data through smart rules. You can customize your check-in flow to ask different questions of different visitor profiles, i.e. decide which data types and input fields are required for each profile.
When collecting your visitor data, ask for their consent and explain how you will use it
Your visitors must give explicit consent for their information to be collected, as required by the GDPR. Within AskCody, this can be done in a single step: add a sentence to your NDA informing visitors how you intend to use their data, and ask them to give explicit consent by signing the document. This adds an extra layer of protection to your visitor management process. By becoming GDPR compliant you ensure data protection and information safety for both your guests and your organization.
At AskCody, we attach great importance to the privacy of our visitors. The personal data that you provide us will only be used for our visitor management and will be processed in accordance with the highest safety and security standards. You have the right to request the removal of your personal data at any time and upon simple demand.
Make it easy for visitors to withdraw their consent
The GDPR requires data processors and controllers to offer a way to withdraw consent that is as easy as giving it. To ensure the accuracy and integrity of the data, each time a new external visitor is invited to a meeting, a temporary personal account is created for them automatically. That account holds the personal information the visitor needs in order to check in: their full name and their email address. The visitor has full control over that data and can add other information about themselves, such as the company they are coming from, their telephone number, and similar. The temporary account is deleted 24 hours after the end of the scheduled meeting if the visitor does not consent to the creation of a permanent AskCody profile.
The same procedure for creating a temporary account is repeated each time the visitor is invited to a company using the AskCody visitor management system. It is therefore highly recommended that recurring visitors create a permanent AskCody account. This also means that withdrawing consent is built into the system: profiles are either deleted after 24 hours, or users log in and withdraw their consent themselves.
Customize an NDA file on your check-in kiosk
Create your own set of rules that guests must agree to before they check in, and integrate GDPR compliance into your visitor management system. Customizing your check-in kiosk improves your visitor management process by making visitor registration secure and protecting guest information. You get an extra layer of security by presenting your visitors with a set of terms and conditions to approve, for their safety and your organization's. Take visitor management at your organization to the next level by increasing efficiency and removing friction. Customize and optimize your guest registration process to support your staff.
Store visit details for no longer than what is needed
The data retention period is an important concept emphasized in the GDPR. In a nutshell, it means personal data should be kept only for as long as it is needed to carry out the activities it facilitates, after which it ought to be deleted.
What should this period be?
There is no single right answer. We have seen examples ranging from one week to one year. Different companies will establish different retention periods. Even within the same company, different departments can have different perspectives: the compliance team might want to limit the period as much as possible to minimize infringement risk, while the security department might want to store the data for longer to preserve a historical view, say, in case an incident (e.g. theft) needs to be investigated.
Understand the Notion of Legitimate Interests – article 6.1f and how it applies to explicit consent
Explicit consent of the data subject (the visitor) is emphasized in the GDPR, but one thing is good to know from the start: there are exceptions to everything, including how this is applied. There is a myth about the GDPR that explicit consent must always be given, for instance when a visitor checks in at your front desk. The fact is, though, that explicit consent does not apply to (all of) your (visitor) data.
The concept of consent is one of the pillars of GDPR compliance and definitely one of its key innovations, an inspiring change for many organizations. Even though the GDPR places great emphasis on consent as one of the main mechanisms for preserving data subjects' privacy rights, it recognizes that there are types of cases where it is not needed. Some of these are:
- Contractual necessity - when personal data is processed on the basis that it constitutes a legal obligation
- Vital/public interests - the cases where data processing directly affects a “life or death” scenario of the data subject and where it’s required for the normal functioning of an institution serving a public interest, respectively
- Legitimate interests - this means that processing the data without explicit consent is possible insofar as it represents a legitimate interest of the controller without overriding the rights or freedoms of the data subjects at hand
Article 6.1f about the lawfulness of processing states that processing is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
There are already legally justified cases where explicit consent is not needed, and the text of the GDPR names some of them: "contractual necessity" or "legitimate interests of the company". This can easily apply to visitor management: legitimate interest kicks in whenever you collect the data of your visitors for security reasons or in order to generate an emergency list. Likewise, contractual necessity would, in principle, allow you to handle the information about your visitor as long as this is required by your contract or by another law.
Important to understand and remember
According to our legal counsel, what this means in practical terms is that you do not need to ask for explicit consent every time you process visitor data in AskCody, for instance when you create an expected visitor in your Outlook Add-in. The same applies to checking in a visitor in your Visitor Management Module for the Receptionist, for example.
Strictly having to ask for consent every time you do something like this would make the system very unwieldy, to the point of being almost useless. We believe that, luckily, many of the actions that are part and parcel of using a GDPR-compliant Visitor Management System satisfy the conditions of legitimate interests (security, scheduling…).
With that said, we do of course believe it is highly important to offer each type of user exactly the level of confidentiality they need. Before you decide to rely on the notion of legitimate interests, we recommend that you seek counsel from a legal expert or invite us to a call where we can walk through these steps together.