GDPR compliance is an essential factor for many companies when utilizing a visitor management platform. AskCody offers different settings in Visitor Management that allow you to respond to GDPR requirements according to your needs and context. Through a mix of existing and new features, we have you covered. To make it easier to decide, here’s a summary of actions to take.
Ensure you only collect client data that you absolutely need (data minimization)
GDPR asks organizations that store and process data to only use the amount of data that is sufficient for the purpose of the operations. This is called data minimization. Between AskCody and you, the client, we are already covered in the DPA based on the Data processing instructions: Purposes and subject matter. But, for your external visitors that enter your company, there are things you must do as well to comply.
AskCody offers a smart way to minimize data through smart rules. You can customize your check-in flow to ask different questions of different visitor profiles, for example by deciding which data types and input fields are required for each profile.
When collecting your visitor data, ask their consent and explain how you will use it
Your visitors must give explicit consent for their information to be collected, as required by GDPR. Within AskCody, this can be done in a single step: add a sentence to your NDA informing visitors how you intend to use their data, and ask them to give explicit consent by signing the document. For example:
At AskCody, we attach great importance to the privacy of our visitors. The personal data that you provide us will only be used for our visitor management and will be processed in accordance with the highest safety and security standards. You have the right to request the removal of your personal data at any time and upon simple demand.
Make it easy for visitors to withdraw their consent
GDPR requires Data Processors and Controllers to offer a way to withdraw consent as easily as it was given.
To ensure accuracy and integrity of the data, each time a new external visitor is invited to a meeting, a temporary personal account is created for them automatically. That account holds only the personal information the visitor needs in order to check in: their full name and their email address. The visitor has full control over that data and can add other information about themselves, such as the company they are coming from or their telephone number. The temporary account is deleted 24 hours after the end of the scheduled meeting if the visitor does not consent to the creation of a permanent AskCody profile.
The same procedure for creating a temporary account is repeated each time the visitor is invited to a company using the AskCody visitor management system. Therefore, it is highly recommended that recurring visitors create a permanent AskCody account. This also means that consent withdrawal is built into the system: profiles are either deleted after 24 hours, or users log in and withdraw their consent themselves.
This feature is new to AskCody Visitor Management and is being rolled out at the end of Q2 2018.
Store visit details for no longer than what is needed
The data retention period is an important concept emphasized in GDPR. In a nutshell, it means personal data should only be kept for as long as it is needed to carry out the activities it facilitates, after which it ought to be deleted.
What should this period be?
There is no right answer. We’ve seen examples with 1 week or 1 year.
Different companies will establish different retention periods.
Even within the same company, different departments can have different perspectives: the compliance team might want to limit the period as much as possible to minimize infringement risk, while the security department might want to store the data for longer to preserve a historical view, say, in case of investigation of an incident (e.g. theft).
How to delete the data in AskCody?
We have recently released a feature that lets you automatically "expire" your visit records after a configurable number of days. This gives you an option to solve the retention question painlessly, in a "set it and forget it" way.
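The two retention rules described above (temporary profiles deleted 24 hours after the meeting ends unless the visitor consented to a permanent profile, and visit records expired after a configurable number of days) modelled as a purge check. This is an added illustration, not AskCody's code; the record fields, the sample visitors and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Grace period from the page: temporary profiles live 24 h past the meeting end.
TEMP_ACCOUNT_GRACE = timedelta(hours=24)


@dataclass
class VisitorProfile:
    # Data minimization: only the fields needed to check in are mandatory.
    full_name: str
    email: str
    consented_to_permanent: bool = False      # opted in to a permanent profile
    consent_withdrawn_at: Optional[datetime] = None  # set when consent is withdrawn


@dataclass
class Visit:
    visitor: VisitorProfile
    meeting_end: datetime


def profile_due_for_deletion(visit: Visit, now: datetime) -> bool:
    """Temporary-profile rule, including the consent-withdrawal path."""
    p = visit.visitor
    if p.consent_withdrawn_at is not None:
        return True                      # withdrawal is honoured immediately
    if p.consented_to_permanent:
        return False                     # permanent profile: not subject to 24 h rule
    return now >= visit.meeting_end + TEMP_ACCOUNT_GRACE


def visit_due_for_expiry(visit: Visit, now: datetime, retention_days: int) -> bool:
    """Visit-record rule: expire records older than the configured retention period."""
    return now >= visit.meeting_end + timedelta(days=retention_days)


def purge_plan(visits: List[Visit], now: datetime, retention_days: int) -> Tuple[List[str], List[str]]:
    """Return (profiles to delete, visit records to expire) as visitor emails,
    so the decision can be logged for audit before anything is removed."""
    profiles = [v.visitor.email for v in visits if profile_due_for_deletion(v, now)]
    expired = [v.visitor.email for v in visits if visit_due_for_expiry(v, now, retention_days)]
    return profiles, expired


# Constructed sample data: evaluation time and four visits in different states.
NOW = datetime(2018, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_VISITS = [
    Visit(VisitorProfile("Alice A", "alice@example.com"), datetime(2018, 6, 14, 10, 0, tzinfo=timezone.utc)),
    Visit(VisitorProfile("Bob B", "bob@example.com"), datetime(2018, 6, 15, 9, 0, tzinfo=timezone.utc)),
    Visit(VisitorProfile("Carol C", "carol@example.com", consented_to_permanent=True), datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)),
    Visit(VisitorProfile("Dave D", "dave@example.com", True, datetime(2018, 6, 15, 11, 0, tzinfo=timezone.utc)), datetime(2018, 6, 15, 9, 0, tzinfo=timezone.utc)),
]
```

With a 7-day retention period, `purge_plan(SAMPLE_VISITS, NOW, 7)` flags Alice (26 hours past her meeting, no consent) and Dave (consent withdrawn) for profile deletion, and only Carol's two-week-old visit record for expiry.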
Understand the notion of legitimate interests – more specifically, article 6.1f and how it applies to explicit consent.
Explicit consent of the data subject (visitor) is emphasized in GDPR but there is one thing good to know from the start: there are exceptions to everything, including how this is applied.
There is a myth about GDPR that explicit consent must always be given, for instance when a visitor checks in at your front desk. The fact is, though, that explicit consent does not apply to (all of) your (visitor) data.
The concept of consent is one of the pillars of GDPR and definitely one of its key innovations that is an inspiring change for many organizations.
Even if GDPR lays a lot of stress on consent as one of the main mechanisms of preserving the data subjects’ privacy rights, it recognizes there are types of cases where it is not needed. Some of these are:
- A contractual necessity - when personal data is processed on the basis that it constitutes a legal obligation
- Vital/public interests - the cases where data processing directly affects a “life or death” scenario of the data subject and where it’s required for the normal functioning of an institution serving a public interest, respectively
- Legitimate interests - this means that processing the data without explicit consent is possible insofar as it represents a legitimate interest of the controller without overriding the rights or freedoms of the data subjects at hand
Article 6.1f about lawfulness of processing states that processing is lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
There are already legally justified cases where explicit consent is actually not needed, and the text of GDPR names some of them: “contractual necessity” or “legitimate interests of the company”.
This can easily apply to visitor management - the legitimate interest kicks in whenever you collect the data of your visitors for security reasons or in order to generate an emergency list.
Or, contractual necessity would - in principle - allow you to handle the information about your visitor as long as this is required in your contract or by another law.
This is important to understand and remember
According to our legal counselors, what this means - in practical terms - is that you don’t need to ask explicit consent every time you process visitor data in AskCody, for instance, when you are creating an expected visitor in your Outlook Add-in. The same thing applies to checking in the visitor in your Visitor Management Module for the Receptionist, for example.
Strictly having to ask for consent every time you do something like this would make the system so unwieldy as to be almost useless.
We believe that, luckily, many of the actions that are part and parcel of using a visitor management system satisfy the conditions of legitimate interests (security, scheduling…).
With that said, we do of course believe it's highly important to offer various types of users the exact level of confidentiality that they need.
Before you decide to apply the notion of legitimate interests, we recommend you get counsel from a legal expert or invite us to a call where we can walk through these steps.