GDPR: What you need to know


March 19, 2018

Article updated: January 2019

The General Data Protection Regulation (GDPR) was enforced on May 25 2018.

The purpose of the GDPR is to:

“…harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”

The maximum penalty for breaching GDPR on or after the enforcement date is a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

For businesses using visitor management apps/software, here are some key things you need to know:

1. GDPR will ensure businesses are only collecting personal information that is for “specified, explicit and legitimate purposes”.

Make sure you are only collecting the bare minimum of data for operational purposes. Be specific and transparent about how this data will be used so that every site visitor understands how and why their information is being collected.

2. Data subjects have a right to be forgotten.

Don’t “remember” visitor information by default without explicit consent. Of course, some people will want their information saved if they are regularly visiting your site – just make sure visitors can voluntarily opt in to have their data saved for next time. Additionally, only keep records for as long as is absolutely necessary.

Data subjects may withdraw their consent for you to hold their data at any time, but note that the subject’s rights may be measured against “the public interest in the availability of the data”.

3. If you are regularly processing or monitoring large quantities of data, your business must appoint either an internal or external Data Protection Officer (DPO).

Data Processors (e.g. WhosOnLocation) and Data Controllers (e.g. WhosOnLocation customers) must both appoint a DPO. The DPO must be appointed on the basis of professional qualities such as expert knowledge on data protection law and practices.

4. Only work with Data Processors (vendors) who provide “sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.”

WhosOnLocation has been working through an incredibly thorough process to ensure that our software provides features that enable our customers (Data Controllers) to be GDPR compliant.

Some of these features will include:

  • Giving our customers a way of automatically deleting (or anonymizing) visitor data after a certain length of time.
  • Allowing site administrators to enable a “Do not remember me” option for visitors during the sign-in process. This disables the returning-visitor feature for that visitor’s subsequent visits.
  • Bulk visitor removal based on search terms should a visitor subsequently want their details removed from WhosOnLocation.
  • Showing a waiver (optionally with a signature required) to visitors from whom you require consent.

As a Data Processor, WhosOnLocation must also notify our customers of a data breach “without undue delay”.

What’s next?

Are you processing the data of EU citizens or offering a product or service in the EU? Are you using third party vendors to process or collect any kind of personal data? Make sure your vendors are GDPR compliant. You will also need to have a legal expert review your privacy, data collection and data processing policies.

To read about the key changes implemented in May, visit the EU GDPR FAQ page.