Moving away from paper sign-in sheets and towards digitized access control and visitor management is an integral first step toward protecting the privacy of your visitors. Traditional paper logbooks can easily be read by others, make their way into the wrong hands, or simply be misplaced. They don't require visitors to verify details but rather create room for human error and give the impression that your company is behind the times when it comes to technology and security.
Using a visitor management system (VMS) allows companies to protect visitor data from prying eyes. However, new privacy regulations and expectations of data privacy on the part of visitors mean businesses need to choose their VMS software carefully, ensuring that the system makes data privacy a priority.
Below, we'll look at seven ways to ensure the data of visitors to your worksite stays secure.
By putting privacy at the top of your to-do list when choosing VMS software, businesses don't have to worry about reconfiguring software to meet new privacy needs.
The Information Systems Audit and Control Association (ISACA) found that the most common privacy shortcoming among businesses was the failure to build privacy by design into applications or services. When you purchase a VMS from Sine, you can be sure that data from sign-in devices is purged and customize data collection from the ground up.
Just as every company needs a workplace visitor policy, they also need a data privacy policy that lays out the type of data they plan to collect, how it should be used, the ways they plan to secure it, and when it will be purged.
It's crucial to share your data policy with visitors (even if it simply pops up for their approval on the sign-in screen), so they know you have their privacy in mind and have already thought about how you will value and protect their data. In some cases, privacy policies are required to maintain compliance with government regulations.
Do you need someone's social security number when they enter your building? Is it necessary to store a copy of their driver's license with no data redacted in your cloud or on-premise server? Data leaks are becoming more common, and businesses have a responsibility to keep their visitor's data safe from prying eyes. One of the best ways to protect data privacy is to collect only the information you truly need to keep your workplace safe.
A VMS should allow businesses and their safety managers to choose precisely which information they want to store. And their data privacy policy should be clear about why that data is being kept.
Who needs to see when a specific guest arrived and left the building? Who needs to view a guest's professional credentials? Does anyone on the premises need access to a visitor's home address?
There are many cases when it makes sense to keep this data,. However, it's wise to restrict access to at least some of the information stored in your VMS. Your billing department may need an address, but your reception staff likely does not. Likewise, your safety manager may need to look at visitor credentials and liability waivers, but the marketing team does not. Siloing data can sometimes restrict productivity, but it can also be a way to restrict access to only those who need it, making it a potentially important part of securing private information.
It's also crucial to ensure your VMS software vendor does not access your customer data without permission and a good reason. Sine's staff will request to interact with customer data only when necessary to debug and troubleshoot. Our employees maintain strict password security protocols, and any customer data access is limited to 30-minute sessions.
When your business has repeat visitors, you don't necessarily want them to go through a complete sign-in process any time they enter the building. However, it's rare to have a reason to store the private data of infrequent guests. That's why companies need to think about the what, why, and how of storing personal visitor data and then consider plans to purge it regularly (each day, after a person hasn't visited for a specific period of time, etc.).
For example, if you're collecting data to help operate building systems, you can also choose to encrypt or anonymize the data you collect. You don't need any specific personal data if you're simply counting heads to run your HVAC more efficiently or managing social distancing.
To read more about Sine's encryption, check out our "Privacy, Hosting, and Security" whitepaper.
System and Organization Controls (now updated to SOC 2) refers to the criteria organizations must abide by if they manage customer data. Visitor management systems should protect all the data they collect by staying compliant with these protocols, especially if they utilize a cloud-based storage system.
International vendors, such as Sine, must consider regional as well as industry-specific regulations and laws when it comes to data collection.
Non-compliance with data governance rules can result in hefty fines and open companies up to lawsuits, and rules about storing and protecting data differ by location. For example, in the EU, GDPR (General Data Protection Regulations) applies to businesses based in the EU and those that provide services to customers within the EU. In the US, data privacy regulations can vary by state (for example, California has its own Californian Consumer Privacy Act).
In other words, investing in privacy up-front can save millions of dollars or more in the long-run.
As a result of complex data privacy laws and the risks associated with non-compliance, VMS software vendors need to be well-versed in keeping data secure.
Data privacy should be a top priority for businesses and building managers. In fact, 92% of consumers say that they believe companies should take a proactive approach to data privacy. At Sine, we agree, and that's why our visitor management software is among the most secure and compliant.
Interested in hearing more about Sine? Contact us to book a demo.
