Envoy and GDPR: How we support your GDPR compliance efforts
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation fundamentally reshapes the way in which data is handled across every industry. Workplace visitor management solutions are a key component in ensuring that your business maintains GDPR compliance.
GDPR became enforceable in May of 2018, with the goal of providing stronger privacy protections to consumers. Though the regulation was created by the European Parliament and Council of the European Union, it is written to have global reach. If your company offers goods or services to EU citizens, then GDPR applies to you.
Although it can be tempting to continue operating as usual, violating GDPR can have serious consequences. For especially severe violations, fines can be up to 20 million euros or up to 4% of your total global turnover, whichever is greater.
The good news is that compliance with GDPR can be relatively straightforward. Though we cannot offer legal advice to your business, we do want to explain the foundations of GDPR, how visitor management solutions play a part, and whether or not Envoy is GDPR compliant.
A new definition of personally identifiable information
Before we continue, let’s discuss the core of GDPR, which is how it defines personally identifiable information (PII). Names, addresses, phone numbers, employer information, and the like are all examples of PII.
Under GDPR, the scope of PII is broadened further. For example, if your company logs IP addresses of website visitors, then GDPR applies to you, even if you don’t ask visitors for their names. Additionally, GDPR has provisions that state biometric data is also PII.
GDPR applies even if you collect only the slightest amount of information, such as a website domain or a workplace visitor’s first name.
The stakeholders of GDPR
Within the GDPR text, there are three key stakeholders involved with the law:
- Data subjects: These are the individuals that you capture information from. This includes guests in your workplace that enter their information into your visitor management system.
- Data controllers: Companies that collect and own PII are considered data controllers. This includes organizations that utilize visitor management tools.
- Data processors: Entities that process PII to perform tasks are considered data processors. This includes companies like Envoy that supply visitor management solutions.
How Envoy Visitors simplifies GDPR compliance
Because you’re collecting personal data for your company’s use, you, as an Envoy customer, are considered a data controller. Envoy Visitors can help support your GDPR compliance efforts in the following ways:
- Keep visitor data private by having visitors sign in on an iPad, not an exposed logbook
- Allow visitors to opt out of providing their personal information
- Request the anonymization of your visitor data when deemed necessary
Is Envoy GDPR compliant?
Yes, Envoy services comply with the GDPR, along with other crucial compliance and regulatory requirements. The regulation assigns companies different roles based on how they interact with user data. Envoy is considered a data processor because we process personal data on behalf of our customers, who are considered data controllers.
As a data processor, we have prepared for GDPR by:
- Confirming the vendors we use also adhere to GDPR
- Developing an internal process that allows our customers to request the anonymization of their data
- Publishing a Data Processing Addendum that helps our customers comply with GDPR contractual obligations
We’ve worked with customers in a variety of highly regulated industries, such as LightEdge (data center), AMAG (pharmaceutical) and Planet Labs (government), which means we take your complex compliance needs seriously. If you have questions, please contact [email protected].