At Kenai we understand how important compliance is for your business. We are dedicated to providing features that make compliance as simple as possible while also implementing uncompromising security measures to safeguard data. We respect the rights of individuals with regards to their data and give direct control to data subjects over their data.
What does compliance have to do with Visitor Management?
Modern standards and regulations, such as the General Data Protection Regulation (GDPR), have driven a data privacy reformation globally. Many of these regulations impose hefty fines for non-compliance. Failure to comply with GDPR in the EU region may result in fines of the greater of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year. Companies in South Africa should know that The Protection of Personal Information (PoPI) act, when it is promulgated, provisions fines of up to R10 million and even a jail sentence of up to 10 years for non-compliance.
Visitor data falls under any regulations that deal with personal data protection and privacy. Kenai processes your visitor data so that you don’t have to worry about data security and compliance. We build tools and form our product with these regulations in mind so that the specific regulations with regards to visitor data are covered.
Is a paper visitor book complaint by today's standards?
No. Paper visitor books are problematic when it comes to modern data privacy standards. They raise concerns around confidentiality, storage and gathering consent among others. They are also not secure and the data is difficult to protect. Furthermore, paper systems are a nightmare when it comes to proving compliance.
What are we doing for PoPI compliance?
The PoPI Act has been out in draft format for a number of years and follows the European precedent set from GDPR legislation. It is important to note that PoPI has not yet been enacted and from the actual date of enactment, businesses will have a full year to achieve compliance. This being said, a lot of businesses are being proactive in this regard, not wanting to be seen as ignoring privacy legislation by their customers. As a result, Kenai was developed with PoPI in mind.
Kenai has prepared for PoPI by:
- Ensuring that there is a lawful basis for processing data
- Building features to capture and record consent
- Allowing visitors to opt-out of being remembered on the app
- Facilitating requests from data subjects with regards to their rights under PoPI
- Building technical and organisational security safeguards.
What are we doing for GDPR compliance?
The GDPR went into effect on the 25th of May 2018. The law is applicable to the European Union region and any business who collects data from EU citizens. GDPR defines roles when it comes to handling personal data. Kenai is considered to be a Data Processor as we process data on behalf of our customers. Our customers are the Data Controllers who collect the data for their business uses. We have built Kenai to not only comply as a Data Processor, but to also assist our customers with compliance as a Data Controller.
Kenai has taken the following measures to ensure that you comply with GDPR:
- Appointing a Data Protection Officer (DPO)
- Updating our company Policies and Guidance to adopt the principles of the GDPR
- Ensuring that there is a lawful basis for processing data and capturing consent
- Applying the principle of ‘Data Minimisation’ by ensuring that we only capture necessary data
- Confirming that our sub-processors comply with the same standards and signing Data Processing Agreements with them.
- Publishing a Data Processing Agreement that help our customers comply with GDPR contractual obligations (please email [email protected] for a copy).
- Allowing our customers to set custom data retention periods to delete data that is no longer needed
- Providing features to assist visitors in deleting their data directly
- Providing search and data logging tools to create an auditable trail
- Building technical and organisational security safeguards and employing ‘Privacy by Design’.
Kenai facilitates compliance with the following built-in features:
- Data capture disclosure and consent: Kenai facilitates the disclosure of all data capture through a customizable visitor agreement. The visitor agreement must be agreed to before pre-registering and / or signed and agreed to during the on-site sign-in by all data subjects;
- Option not to be remembered: Data subjects have the ability not to be remembered at the end of the sign-in flow; and
- Deleting visitor logs: The web dashboard gives Kenai clients the ability to delete their data subjects information on request.
These points are elaborated on below.
Data capture disclosure and consent
If visitors elect to pre-register, the very first screen they land on as part of the pre-registration process is the consent capturing screen (fig 1). On this screen, visitors can view the visitor agreement and importantly, cannot continue with pre-registration before opting in to the terms in the visitor agreement. Should a visitor not want to consent to these terms, they will not be able to complete pre-registration and will sign in on-site.
The visitor agreement is customisable by the tenant (building rules are often included), but always includes information regarding (i) where the data is stored, (ii) what data is captured, (iii) what the data will be used for and (iv) the visitor’s right to have their data removed.
When visitors arrive on-site, they sign the visitors agreement as part of the sign in flow. Importantly, the visitors agreement is (i) emailed to every visitor for full transparency and (ii) stored against the visitor’s profile on the Kenai web dashboard for audit purposes.
Visitors only sign the visitor agreement on their first visit, unless the agreement is updated by the tenant or has expired in which case visitors will automatically be required to sign it again on their next sign in.
Option not to be remembered
Kenai has enacted policies to protect visitors’ rights. We allow Kenai visitors to opt-out of being remembered on the Kenai network with a simple toggle switch when finalising the sign in process. If at any stage a visitor opts out of being remembered, Kenai will automatically remove their profile from Kenai. It is important to note that removing a visitor's profile from Kenai does not result in the log of that visitor being removed from a tenant's dashboard. As such, the tenant still has access to the log of visitors that have entered the building (for safety and security reasons), while giving their visitors the option of convenience or privacy.
Deleting visitor logs
Should a visitor want their data deleted from the tenants dashboard, they can contact the tenant and request that their visitor logs be removed.
Kenai leaves deleting visitor logs to the discretion of the tenant. The tenant’s admin user can simply search for a visitor’s name on the web dashboard (Kenai has provided this functionality) and delete that visitors logs permanently from their records. Tenants can also set custom retention periods that will remove all the logs of visitors who wished to be forgotten after the specified interval.
Our internal security measures
In a future blog post we will be going over our internal security measures and the systems we have in place to ensure data protection.
Interested in using Kenai for your business's visitor management compliance? Click here to find out more or get a quote.