iLobby & GDPR
Commitment to Privacy
Customer and Visitor data privacy is extremely important to iLobby and has been our focus from the inception of the product. We address data privacy across the entire lifecycle of our product, from product development to sales, support and data storage. iLobby is a leader in enterprise-grade visitor management platforms with a global customer base. Our approach is designed to meet each client's specific privacy requirements and the applicable government standards, delivering a solution that satisfies both legal and business objectives.
Why Comply with GDPR?
There are both ethical and business reasons for compliance. It is important to protect the privacy of the people who enter your business environment. GDPR is a carefully thought-out regulation that helps organizations establish correct practices for handling the personal data of people in the EU, wherever the organization itself is based, and it became legally enforceable in May 2018. Failure to comply can result in substantial penalties and fines.
We have helped many clients meet their specific requirements for the collection and storage of private and confidential information. The following best practices have been assembled from the feedback and experience gathered during those engagements.
1. Collect only what you need
In today's data-hungry environment, it is important to remember that collecting information carries responsibility. Auditors often request a reason for each data type collected. Establish a documented purpose for every field you collect, both to minimize risk and to keep unnecessary data from cluttering the system; this is the GDPR principle of data minimization.
2. Store only as long as necessary
iLobby offers extensive data retention rules to help you retain only what is needed and only for the required duration. Keeping sensitive data for longer than necessary increases exposure and risk, and conflicts with the storage limitation principle of GDPR and many other data privacy regulations.
3. Collect consent
One of the easiest ways to limit liability and to support GDPR compliance is to provide adequate disclosure and to obtain consent from the Visitor. The disclosure should outline what data is being collected, why it is being collected, how long it will be retained, and how the Visitor can exercise their rights over that data.
4. Assign a Privacy Officer
We recommend assigning an internal Privacy Officer (the Data Protection Officer, where GDPR requires one) to handle all matters related to privacy and GDPR. This person should be responsible for managing the necessary protocols within the iLobby system, and their contact details should be presented to the Visitor during the sign-in process as part of the disclosure statement, so that a Visitor who wants to exercise their "right to be forgotten" knows whom to contact.
5. Simplify GDPR for your visitors
Visitors should be able to navigate the process easily and with minimal effort. We can help by emailing copies of all disclosures and legal statements to Visitors at the completion of the sign-in process. This establishes a record of what was disclosed and documents the options available to the Visitor for protecting their privacy.
Integrations with Third Parties
iLobby can be configured to use additional services from third-party vendors through integrations. These may include message delivery, third-party screening, access control and many more. Each integration passes some Visitor data to that vendor, so please examine each vendor's privacy and disclosure statements for their compliance. Some of the vendors and their statements are listed at the end of this document.
When it comes to visitor management, the following main topics need to be considered as part of the scope:
Processor vs. Controller
The Controller determines why and how personal data is processed; the Processor processes that data on the Controller's behalf and under its instructions; the person the data is about is the Data Subject. Please consult the GDPR legislation (link provided at the end of the document) for a detailed explanation of each role. In a typical iLobby deployment the parties are classified as follows:
1. Visitor – Data Subject
2. Customer – Controller (the Customer decides what Visitor data is collected and why; where it handles that data on behalf of another organization, for example a tenant or a client, it may also act as a Processor)
3. iLobby – Processor
Right to be Forgotten
iLobby provides the ability to have a Visitor's personal details removed from the iLobby system when the Visitor exercises this right. The request is made to the Customer, as Controller, and the removal can be carried out manually or automatically. Please consult your account representative for details on available data retention periods and automation triggers.
The Visitor should be presented with a disclosure outlining the type of information being collected and the reasons for collecting it. iLobby is able to display legal documents and obtain acceptance during both sign-in and pre-registration.
Data security, transport and storage
In addition to encrypting data at rest and in transit, iLobby offers geo-distributed storage, allowing the Customer to store all PII and other GDPR-relevant data within the borders of the EU, and even within specific countries when required. Our cloud infrastructure is hosted on Microsoft Azure and falls under the certifications outlined in the Microsoft Azure Trust Center. Note that these are the Processor's technical measures; as Controller, the Customer should still have a data processing agreement in place with iLobby, as GDPR requires for any processing carried out on a Controller's behalf.
Important Links and Resources
General Data Protection Regulation (adopted April 27, 2016): http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
EU Data Protection Page: http://ec.europa.eu/justice/data-protection/index_en.htm
Microsoft Azure Trust Center: https://www.microsoft.com/en-us/trustcenter
Apple Privacy Governance: https://www.apple.com/legal/privacy/en-ww/governance
Google Cloud GDPR: https://cloud.google.com/security/gdpr
Slack's Plan for GDPR: https://slack.com/gdpr
Twilio GDPR Program: https://www.twilio.com/gdpr
SendGrid GDPR: https://sendgrid.com/resource/general-data-protection-regulation
Okta EU GDPR: https://www.okta.com/blog/tag/eu-general-data-protection-regulation
OneLogin EU GDPR: https://www.onelogin.com/compliance/gdpr