Paper logbooks represent significant GDPR compliance risk

“Not worth the paper it’s written on” - Visitor Management specialist Proxyclick says that, more than ever, it’s time to go digital as it evaluates the paper visitor logbook and its compatibility with the upcoming data privacy law, the General Data Protection Regulation (GDPR), coming into force on 25th May 2018.

With data breaches potentially costing businesses as much as €20 million or four percent of their company's annual global turnover, companies cannot afford a ‘chink in the chain’ when it comes to data security. “Whilst businesses are waking up to the fact that the new law will be enforced in just a few short months, not many of them have really figured out how to ensure compliance by the May deadline - and far fewer of them realise what a threat the paper logbook might present in that respect,” said Geoffroy De Cooman, Managing Director of Proxyclick.

To support UK business in its journey towards compliance, Proxyclick has talked to two industry experts about how GDPR and its innovations apply to the typical way of logging business visitors in a paper logbook. Read the full interviews here.

Karen Cheeseman, a GDPR consultant working with PrivacyTrust, said: "It could be said that a paper-based system is difficult to manage, it could be time consuming, it may not provide the ideal level of security and that anyone can read the logbook. A lot of this depends on what the organization does with the data. Is it simply a way of knowing who is in the building at a given time or is the organization storing and using that information to use for another purpose, such as marketing or profiling? If it is simply for knowing who is in the building at a given time, then the main points to make are data privacy. The organization should ensure that the names of those who have previously signed in are not visible to the next individual."

The paper logbook, on the other hand, leaves the records of previous visitors easily visible to anyone who looks at them. Even the solutions intended to prevent this from happening, such as 'discreet sheets' or 'peel off systems', are imperfect and can be easily tampered with.

Critically, GDPR introduces much stronger provisions around Consent and “Right to be forgotten” for the data subject. Under the new regulations, consent must be freely given, specific, informed and unambiguous to meet GDPR requirements. So how does this translate to the visitor experience? 

Geoffroy said: “The problem lies in the fact that it's hard to ask for consent elegantly via the paper logbook. Do you ask each visitor verbally and if so, what if your front desk teams handle a large volume of visitors and/or make an error? You could include it written in the logbook but then it would be very hard to make sure it's read by each visitor. Furthermore, it's important to ensure that different profiles of visitors are respected: those that value ease of use and swift access (e.g. recurrent visitors) versus added level of privacy and the right to not have their data stored for a long time.”

 

 

How do you ensure you only ask the right questions of each visitor with the paper logbook? After all, in the real world, each of your visitors has a unique mission and relationship with your organisation - they might be a job candidate, a delivery person, a partner or perhaps an auditor. Does it make sense to ask all of them the same questions?

With a digitised solution, these questions are far easier to solve: your visitors will only ever be asked what is absolutely necessary based on the information they provide. No need to ask - nor store - the information about someone's car license plate if they did not arrive with a car, for example.

 

Multi-tenant situation: multiple vulnerabilities

A paper logbook is especially vulnerable, as well as a potential vector of vulnerability, for companies in the multi-tenant context. To begin with, in most multi-tenant buildings, software such as visitor management software is typically selected by the property manager, not by tenants. This results in data from visitors to all tenants being grouped (not separated by tenant) in the software, including hosts' names (employees of all tenants). This presents a significant challenge to data privacy. In most cases, tenants do not even realise that this is happening.

Proxyclick talked to Danko Pigac, a business consultant for Pragmatekh Ltd:

Danko said: "Very often we see the paper logbook in lobbies of single or multi-tenant business buildings where security operatives check the identity of the visiting parties. Unfortunately, the paper logbook has quite some disadvantages in the face of GDPR. First of all, the book is usually very visible to visitors and in that way, it offers all personal data in plain sight. Also, security operatives are able to browse the book as they like with no control and no awareness of the personal data protection. Furthermore, nobody knows for sure what happens to the book once it is filled out to the last page and it’s not hard to imagine it's simply put in the ‘old paper’ bin with the other various paper records and disposed of publicly. Finally, the worst problem is that none of the companies in that building are aware of the fact that the security company logging visitors is their processor, since they are actually employed by the building owner and not by any of the companies. It’s the same situation even if the security personnel is employed by the company that is also the building owner and the only tenant."

Geoffroy adds: “Evidently, using a paper logbook results in a quickly mounting heap of questions and potential errors. We wrote more extensively about settings and features a visitor logging system should have to align with the norms of GDPR - it's distressingly obvious that it would be near impossible for a paper logbook to compete with what a digital solution can.”

On top of the danger to GDPR compliance, the paper logbook makes for a less than perfect impression to your clients, suppliers and stakeholders - especially when there are far more elegant solutions out there.