LobbyCentral and GDPR
Disclaimer: This article does not constitute legal advice. You should consult with an attorney familiar with GDPR to determine the steps that you should take if your company conducts business in the EU.
You've probably been receiving emails from companies notifying you of updates to their privacy policy, due to the European Union's new GDPR (General Data Protection Regulation) that will go into effect on May 25, 2018.
GDPR only applies to companies that use LobbyCentral in countries within the EU. If you use LobbyCentral in the United States only, GDPR does not apply to you.
You can read about GDPR here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
In a nutshell, the new regulation requires companies to notify an individual:
a) that personally identifiable data is being collected and stored. Note that the data must be positively connectable to a real person to fall under the GDPR. This is key.
b) what kind of data is being collected and stored,
c) how the data is stored and transported, including security methods,
d) who has access to, and use of, stored data, including 3rd parties,
e) notification of data breach with a specific timeline and action plan, e.g. within 24 hours of discovery,
f) upon request of an individual, provide all and/or permanently delete data that has been collected on him or her; deletion includes third-party companies that had access to the data.
g) display a Consent Message that the user must agree to before data is collected.
This is not a complete list of the rules, but is a general overview of how we feel GDPR applies to LobbyCentral. Consult with an attorney or your legal department for an official examination of the regulation. Of the items above, the most important items are F and G. Items A through E have been in LobbyCentral's Terms of Service and Privacy Policy since before GDPR.
How to Prepare for GDPR
LobbyCentral's Privacy Policy and Terms of Service only extend to you as we are the service provider. Consult with your attorney to determine if you should create or update your Privacy Policy to include language on collecting customer information using the LobbyCentral service.
Personally Identifiable Data includes:
a) Full name, e.g. John Smith, John Jacob Smith
b) Email, phone number, or address
c) Names of relatives
d) Social media user names
e) A picture
Limit Last Name Option
GDPR applies to data that can be connected to a real person, also known as personally identifiable data, which is similar to the United States' health information privacy protection act (HIPAA).
The "Limit Last Name" Option in Kiosk Profile has been added to prevent a customer from entering their entire last name.
How to activate the Limit Last Name option:
- Go to LobbyCentral Administration
- Select Profiles under the Kiosk menu
- Create or modify a profile
- Check the box Limit Last Name
- Save
Kiosk Profiles allow you to set different options for different locations. This allows you to create a profile to limit last name in EU countries and another profile that collects the full name in other countries.
Kiosk Consent Message
You can create a Check-In Agreement that will handle the consent portion. Please note that the Check-In Agreement will apply to all kiosks.
How to create a consent agreement:
- Go to LobbyCentral Administration
- Select General Settings under the Kiosk menu
- In the Check-In Agreements section, enter your desired statement in the Agreement Notice field
- Change the Require Agreement to Always or Just Once.
- Enter the desired Agreement Statement. This is the customer's acknowledgement that they have read your notice and agree to it.
- Click Save
As of May 23, 2018 our Privacy Policy and Terms of Service agreements have been updated to comply with the GDPR requirement.
If you have additional questions, please contact us at [email protected]. Please note that we cannot provide legal advice and that you should consult an attorney for specific questions about GDPR and how it applies to your company.