Is Your Reception Ready for GDPR?

Safety & Security

GDPR checklist

Get ready for the new General Data Protection Regulations with our GDPR checklist.

Complying with GDPR doesn’t need to be onerous. While the implications can be scary and the organisational changes required may seem daunting, in reality GDPR is about best practice in using, storing, handling and requesting data that we use every day. We’ve assembled a GDPR checklist to help you understand the new regulations.

Receptions in particular are an interesting case study when considering how GDPR might affect how you interact with staff, customers and visitors. Perhaps the biggest change that the legislation will bring about, will be in how it transforms the handling of information that many workplaces would have previously never have considered, even though it’s generated constantly.

When someone visits a reception, they’ll often hand over data including their:

  • Name
  • Email
  • Address
  • Car Details
  • Comings and goings
  • Who they’ve come to visit

All of these pose a potential risk to safety & security as they can be used to identify a person, if their data falls into the wrong hands. While there’s been a huge shift towards paperless workplaces, much of this information is still kept in paper format. GDPR expands the scope of what constitutes data in the legal sense and encompasses this written information too.

GDPR Checklist: 5 things your reception staff should consider

1. Personal Identifiable Data (PID)

Depending on the nature of your business, you may have more stringent GDPR responsibility than others. If you handle information regarding:

  • Financial Matters
  • Healthcare
  • Legal information
  • Restricted or sensitive data

Then you will need to appoint a Data Protection Officer. You’d be surprised at how much data produced in a reception area can fall into these categories. Review your log book over the last 3 months; were you aware of how much could be learned about a person if it was left on the desk unattended?

2. Data Controllers and Data Processors

It is the responsibility of the Data Protection Officer to classify who, within their business, is a Data Controller and a Data Processor. Data Controllers are responsible for the access and use of data, whereas Data Processors may capture and input this data.

In a reception context, whoever supervises may indeed need to be classified as a Data Controller and will need to be responsible for where it is stored and who has permission to use it, alongside restricting and securing it. It’s no longer the sole responsibility of IT, and this is a great example of an area where there may be a GDPR blind spot in your business.

3. Consent

You need to make people aware that you’re taking their data, tell them what you’re going to use it for, and request their permission. This will require a process that may not exist within your business, and you’ll need to record the consent of those who hand over their data. When you consider the type of data you’re capturing as you’re welcoming people into a building or office, it quickly becomes apparent how burdensome this may be if you do not have a means of automating the consent process. If you’re recording this on paper, how will you store this information? Will it be secure? How long will you keep it for? When you take these points into consideration, it quickly becomes apparent where the difficulties may lie in staying compliant with GDPR whilst using a paper book.

4. Storing Data

Alongside revising your processes, you will need to consider the security of where you store your data. Do you leave a visitor book on the desk? Is all written paperwork locked and secured? Could you reproduce any of it in the event of a disaster, such as a fire? The ability for your data to be wiped out is a huge risk.

5. Data Masking and Wiping

GDPR enforces the Right To Be Forgotten, and as such you’re going to need a way of sorting, finding, deleting or altering data upon request. In a reception this could potentially reach a baffling scale; all of the comings and goings of your average office or visitor area over months and years could, at a moment’s notice, need to be investigated, filtered and then altered. Do you have the capabilities and do your staff know where to find this data? Are there any copies of the data in different locations?

While our GDPR checklist is a non-exhaustive exploration of circumstances that could determine whether your reception is ready for GDPR, we’ve also produced a detailed GDPR guide in our Road to Compliance whitepaper. GDPR is an important factor in Visitor Management, and you can find out how you can plan ahead.

Get the guide