Why Paper Visitor Books Are a GDPR Risk (And What UK Law Says)

Posted: 28 May 2026 by Oualid

Does a paper visitor book count as personal data under UK GDPR?

Yes. Under UK GDPR, "personal data" means any information that can identify a living individual. A visitor's name, employer and who they visited is enough to qualify. It does not matter that it's written on paper rather than stored digitally — the ICO is clear that GDPR applies to manual records held in a structured filing system.

GDPR Recital 15 explicitly states that data protection rules "should be technologically neutral." Paper is not exempt.

The 3 GDPR principles that paper visitor books routinely break

Article 5 of UK GDPR sets out seven data protection principles. Three of them are routinely broken by paper visitor logs:

1. Data minimisation (Article 5(1)(c))

The ICO says you must collect only data that is "adequate, relevant and limited to what is necessary." A paper book typically collects the same fields from every visitor — a delivery driver gets the same form as a senior client. There is no way to dynamically limit fields by visitor type. Every entry becomes a potential data minimisation violation.

2. Storage limitation (Article 5(1)(e))

Data should be kept "no longer than is necessary." Paper visitor books tend to sit on a shelf indefinitely — nobody goes back to remove old entries. There is no automatic deletion, no retention schedule enforced, no audit trail. That book from 2022 still contains personal data. That is a live compliance risk.

3. Integrity and confidentiality (Article 5(1)(f))

The ICO states that personal data must be processed "in a manner that ensures appropriate security." A paper sign-in book on a reception desk is visible to every new visitor who walks in. They can read previous visitors' names, companies and who they met. This is an unauthorised access risk that the ICO explicitly warns about.

What could actually go wrong?

The consequences of non-compliance are real. The ICO can investigate and fine organisations for breaching Article 5 principles — fines for serious breaches can reach £17.5 million or 4% of global annual turnover.

More likely for most SMEs: a subject access request (SAR). Any visitor has the legal right to ask what data you hold on them and request its deletion. With a paper book, how do you find their specific entry — let alone delete it without removing other records?

There is also a reputational risk. A client walks in and sees a previous visitor's confidential details written in a book. That is a trust problem before it becomes a legal one.

What does a GDPR-compliant visitor system actually look like?

A compliant digital visitor management system handles the hard parts automatically:

  • Collects only the fields relevant to each visitor type (data minimisation ✓)
  • Applies a data retention period and auto-deletes old records (storage limitation ✓)
  • Stores data securely — no one can see who visited before them (confidentiality ✓)
  • Provides a full audit trail if the ICO ever investigates (accountability ✓)
  • Shows visitors a privacy notice at sign-in (lawful basis ✓)
  • Allows instant response to subject access requests — search, export and delete in seconds
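The list above describes three controls that a paper book cannot enforce: fields limited per visitor type, retention-based deletion, and fast search/export/delete for a subject access request, all with an audit trail. The following is an added illustration of how those controls fit together in code; it is example code written for this page, not DigiGreet's implementation. The visitor types, their field sets, and the 90-day retention period are assumptions chosen for the example, not a recommendation, and the sample visitors are constructed.

```python
"""Minimal in-memory visitor log demonstrating data minimisation per visitor type,
retention-based purge, and SAR search/export/delete with an audit trail that
itself holds no personal data. Example code for illustration, not DigiGreet's."""
from datetime import date, timedelta

# Assumed field sets per visitor type (data minimisation): a delivery driver is not
# asked for the same details as a client. Both the types and the fields are constructed.
VISITOR_TYPE_FIELDS = {
    "delivery": {"name", "company"},
    "client": {"name", "company", "host"},
    "contractor": {"name", "company", "host", "phone"},
}

RETENTION_PERIOD = timedelta(days=90)  # assumed retention period; set from your own policy


class VisitorLog:
    def __init__(self, retention=RETENTION_PERIOD):
        self.retention = retention
        self.entries = []   # each: {"id", "type", "signed_in", "data"}
        self.audit = []     # each: {"when", "action", "entry_id"}; no personal data here
        self._next_id = 1

    def _record(self, when, action, entry_id):
        # The audit trail references entries by id only, so it survives deletion
        # of the personal data without itself becoming personal data.
        self.audit.append({"when": when, "action": action, "entry_id": entry_id})

    def sign_in(self, visitor_type, data, today):
        allowed = VISITOR_TYPE_FIELDS[visitor_type]
        unexpected = set(data) - allowed
        if unexpected:
            # Refuse rather than silently store fields this visitor type does not justify.
            raise ValueError(f"fields not permitted for {visitor_type}: {sorted(unexpected)}")
        if "name" not in data:
            raise ValueError("name is required so the entry can be found for a SAR")
        entry = {"id": self._next_id, "type": visitor_type,
                 "signed_in": today, "data": dict(data)}
        self._next_id += 1
        self.entries.append(entry)
        self._record(today, "sign_in", entry["id"])
        return entry["id"]

    def purge_expired(self, today):
        """Storage limitation: drop every entry older than the retention period."""
        cutoff = today - self.retention
        expired = [e for e in self.entries if e["signed_in"] < cutoff]
        self.entries = [e for e in self.entries if e["signed_in"] >= cutoff]
        for e in expired:
            self._record(today, "retention_purge", e["id"])
        return [e["id"] for e in expired]

    def sar_search(self, name):
        """Find every entry for a named visitor (case-insensitive, whitespace-trimmed)."""
        key = name.strip().casefold()
        return [e for e in self.entries if e["data"]["name"].strip().casefold() == key]

    def sar_export(self, name):
        """What you would hand back to the visitor: only their own records."""
        return [{"signed_in": e["signed_in"].isoformat(), "type": e["type"], **e["data"]}
                for e in self.sar_search(name)]

    def sar_delete(self, name, today):
        """Erase one visitor's entries without touching anyone else's; returns the count."""
        ids = {e["id"] for e in self.sar_search(name)}
        self.entries = [e for e in self.entries if e["id"] not in ids]
        for entry_id in sorted(ids):
            self._record(today, "sar_delete", entry_id)
        return len(ids)


if __name__ == "__main__":
    today = date(2026, 5, 28)
    log = VisitorLog()
    # Constructed sample visitors.
    log.sign_in("delivery", {"name": "Ann Example", "company": "ParcelCo"},
                today - timedelta(days=100))
    log.sign_in("client", {"name": "Bo Sample", "company": "Acme Ltd", "host": "J. Smith"}, today)
    print("purged:", log.purge_expired(today))
    print("SAR export:", log.sar_export("Bo Sample"))
    print("SAR deleted:", log.sar_delete("Bo Sample", today))
    print("audit:", log.audit)
```

Two design points carry the weight here: `sign_in` rejects fields the visitor type does not justify instead of quietly storing them, and the audit trail records only entry ids and actions, so it can prove what was purged or erased without re-creating the personal data that was deleted.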

A quick checklist — is your current sign-in process GDPR compliant?

  • Do you have a documented lawful basis for collecting visitor data?
  • Are you only collecting data that is strictly necessary for the visit?
  • Do visitors receive a privacy notice at sign-in?
  • Do you have a documented retention period for visitor data — and do you actually enforce it?
  • Can you quickly locate and delete a specific visitor's data if they submit a SAR?
  • Is your visitor log physically secured from other visitors' eyes?

If you answered no to two or more of these, your current process has GDPR gaps that need addressing.

How DigiGreet helps

DigiGreet is built for UK organisations that need visitor management to be genuinely GDPR-compliant — not just "probably fine." It handles data minimisation, retention, secure storage and subject access requests automatically. Setup takes less than a day, and there are no hidden costs.

Book a free 20-minute demo and see how DigiGreet keeps your visitor data GDPR compliant. Or call us on 01865 55 60 70.

tags: Data Protection, GDPR, UK Law, Visitor management