Compliance guide

Are visitor logs required by law?

A clear, up-to-date look at what UK and EU rules actually say, where data protection law comes in, and when keeping a record of visitors is a legal duty or — far more often — simply good practice for safety and security.

Short answer

There is no single law that requires every company to keep a visitor log. For most private businesses it is a good security and organisational practice rather than a statutory duty — though in specific sectors or regulated sites it can become expected, or required by certification schemes and contracts.

Whatever the case, the moment you collect visitor details you are processing personal data, so the UK GDPR and the EU GDPR apply: data minimisation, a clear privacy notice, limited retention and proper security are all mandatory.

It is one of the most common questions among office managers, facilities and security leads. Rather than asking “is it compulsory?”, it is usually more useful to ask “is it useful for us, and if we adopt one, how do we run it compliantly?” Recording who comes in and out answers very real needs around safety, traceability and a tidy front desk — and it has quietly become the norm in most organisations.

Is there a legal obligation?

Neither UK nor EU law contains a single statute that explicitly forces every business to keep a “visitor log”. There are, however, rules that bear on access control indirectly and make a register a useful — and sometimes expected — tool.

General rule: no standalone requirement

For most private organisations a visitor log is a voluntary organisational measure. There is no penalty for simply not having one. What the law does regulate is how the data is handled once you decide to collect it (see the data-protection section below).

Specific contexts: when it can become necessary

In a number of situations recording and controlling access is either required or strongly advised:

  • Health & safety and fire safety — duties under the Health and Safety at Work etc. Act 1974 and the Regulatory Reform (Fire Safety) Order 2005 (in England & Wales) require employers to plan for emergencies and evacuation. Knowing exactly who is on the premises, visitors included, is a practical way to support a reliable roll call.
  • Regulated sites and sectors — ports, airports, critical national infrastructure, certain healthcare and defence facilities apply access-control procedures set by sector rules. In the United States, schemes such as DHS chemical facility standards or ITAR-controlled sites likewise expect documented visitor records.
  • Certifications and management systems — standards such as ISO 9001, ISO 45001 or ISO/IEC 27001 require access control and its traceability: at audit, an orderly visitor record is often an expected piece of evidence.
  • Insurance, group policies and contracts — insurers, parent-company policies or client requirements frequently call for documented site access.

Why so many companies keep a visitor log

Beyond any formal duty, an entry log gets adopted because it solves real problems. These are the reasons we hear most often from businesses across the UK and Europe.

Security

Knowing who is on site, where and why reduces unauthorised access and helps protect sensitive areas.

Emergency response

In an evacuation, an up-to-date list of people present makes the roll call fast and reliable — a direct support to your fire-safety duties.

Audits and inspections

During inspections, ISO audits or internal reviews, a tidy, searchable access history is immediate proof of traceability.

Quality and image

A calm, professional welcome signals care and reliability — from the front desk through to your quality management system.

Organisation

Hosts notified, legible details, no lost sheets: the reception flow becomes simpler and far less error-prone.

Data protection

A structured process protects visitors’ privacy, so one person’s details are never on show to the next.

What data to record

The guiding principle is data minimisation: collect only what is genuinely needed for the stated purpose. Below are the most common fields, with their purpose and a general indication of whether to capture them.

| Data | Purpose | Guidance |
|---|---|---|
| Full name | Identify the visitor | Needed |
| Company / organisation | Put the visit in context | Recommended |
| Date and time in/out | Traceability and emergency roll call | Needed |
| Host or department | Internal organisation and accountability | Recommended |
| Reason for visit | Purpose of access and security | Optional |
| Signature (policy / NDA seen) | Evidence the rules were accepted | If needed |
| Vehicle registration | Access to car parks or external areas | Only if relevant |
| ID document (copy) | Identity verification | Discouraged |

Visitor logs and the GDPR

Visitor details are personal data, so collecting them is “processing” under the UK GDPR and the EU GDPR (Regulation 2016/679). It makes no difference whether the log is on paper or digital — the same principles apply. Four points deserve particular attention.

Data minimisation

Collect only what the stated purpose genuinely requires (Article 5(1)(c)). Avoid pointless fields and unnecessary ID copies: every extra data point is one more thing to secure and justify.

Transparency and the privacy notice

Visitors must be given clear information under Article 13: who the controller is, what data is collected, why, on what lawful basis, for how long and what rights they have. The notice must be easy to access at the point of sign-in.

Storage limitation

Keep the data only as long as necessary, then delete it. Define a proportionate retention period, document it and apply it consistently — rather than letting logbooks pile up indefinitely.

Security of processing

Apply appropriate safeguards (Article 32): prevent one visitor from reading the previous entries, control who can access the records and protect their integrity. This is precisely where the paper book falls short.

Our dedicated page on visitor logs and the GDPR explains how to handle the privacy notice, lawful basis and retention compliantly. For the storage-limitation question in particular, see how long to keep visitor logs.

The risks of having no visitor log

Having no access record at all — or managing it poorly — exposes an organisation to a series of very concrete problems.

Emergencies are harder to manage

Without an up-to-date list of who is present, the evacuation roll call becomes slow and uncertain, with an obvious safety impact.

No traceability

After a theft, damage or incident there is no way to reconstruct who was on site, when and why. There is simply no record of access.

Audits become difficult

During inspections or certification audits, the absence of an orderly history is a weak point that is hard to justify.

Contractors out of sight

Drivers, engineers and external technicians come and go with no record at all — a classic risk on industrial sites.

For production environments we cover this in detail on our page about visitor management for factories and industrial sites.

Paper log, Excel or dedicated software?

Once you have decided to keep a log, the question is which tool to use. The three common options — a paper book, an Excel sheet and dedicated software — differ in their strengths and limits, especially around data protection.

| Aspect | Paper | Excel | Dedicated software |
|---|---|---|---|
| Privacy between visitors | Poor: details are visible to whoever signs next | Medium: depends who can open the file | High: each visitor sees only their own details |
| Search and retrieval | Slow, manual | Reasonable, with filters | Instant and structured |
| Data security | Low | Medium | High (controlled access) |
| Emergency management | Difficult | Manual | Real-time list of people on site |
| Retention and deletion | Complex, not selective | Manual | Manageable and auditable |
| Reports and exports | None | Basic | Advanced (CSV, dashboard) |
| Professional image | Dated | Adequate | Modern and polished |
| Upfront cost | Minimal | Minimal | Free to scalable |

We’ve written a full guide on the subject: visitor log — paper, Excel or software, with a detailed comparison and advice for every kind of organisation. You’ll also find a practical comparison of the versions on our free vs advanced version page.

Download the free Excel template

If you want to start straight away at no cost, we have put together a free kit with a visitor-log Excel template, a printable PDF and a GDPR reception checklist. It is a great way to bring order to your front desk and decide which data is worth collecting.

A digital solution for visitor management

IRIGuest is the digital visitor register that replaces the reception logbook with an app on iPad and Android tablets. It was built to make exactly what the GDPR asks for simple: collect only useful data, show the privacy notice, protect confidentiality and keep everything tidy and searchable.

Privacy by design

Each visitor sees only their own details — no open book with everyone’s name on display.

GDPR-friendly

Customisable privacy notice and consents, on-screen signature, orderly retention management.

Multilingual

Interface in 5 languages: every guest signs in independently in their own.

Live on-site list

You always know who is in the building — concrete support for emergency management.

Host notifications

With the Cloud version, the host is alerted automatically the moment their guest arrives.

History and reports

Always-searchable access records, CSV export and a centralised dashboard for multiple sites and entrances.

The free version works offline too, with no time limit.

Frequently asked questions

Are visitor logs a legal requirement in the UK?

There is no single UK law that requires every business to keep a visitor log. In many settings it is a sensible security and organisational practice; in specific sectors or regulated sites, access control may be expected under sector rules, certifications or contracts. Once you collect visitor data, the UK GDPR and Data Protection Act 2018 always apply.

Which laws apply to a visitor log?

There is no dedicated statute. The key references are the UK GDPR and EU GDPR (Regulation 2016/679), which govern how visitor data is handled, together with health-and-safety duties (the Health and Safety at Work etc. Act 1974 and the Regulatory Reform (Fire Safety) Order 2005), which require emergency and evacuation planning — knowing who is on site supports those duties.

Does a visitor log fall under the GDPR?

Yes. Names, company, sign-in and sign-out times are personal data, so collecting them is processing and must follow the GDPR — with particular care for minimisation, transparency (a privacy notice), storage limitation and security.

How long should visitor data be kept?

The GDPR sets no fixed period: data should be kept only as long as necessary for the purpose it was collected for (storage limitation). Many organisations define a proportionate, documented retention period; it is good practice to state it in the privacy notice and delete data that is no longer needed.

What information can you collect from visitors?

Only what is genuinely useful for the stated purpose: typically full name, company, the person or department being visited, and date and time in and out. Taking copies of ID documents or unnecessary data is generally disproportionate and should be avoided unless a specific rule requires it.

Do you need the visitor’s consent to record their data?

Consent is not always the correct lawful basis. Depending on the purpose, the processing can rely on legitimate interests (site security and access traceability) or a legal obligation. In every case you must give the visitor a clear privacy notice under Article 13. The lawful basis should be assessed case by case.

Is a paper visitor book GDPR-compliant?

It can be, but the reception book has real weaknesses: anyone signing can read the details of those before them (no confidentiality), and it is hard to secure, retain and delete selectively. A digital solution makes it far easier to respect confidentiality, security and data-subject rights.

Is a visitor log required on a manufacturing or industrial site?

There is no general standalone requirement, but on industrial sites controlling access for suppliers, drivers, maintenance staff and external technicians is strongly advised for workplace safety and is often required by certifications or internal procedures. Here the log is, above all, a safety tool.

Who is responsible for visitors’ data?

The data controller is normally the company collecting the data. It is responsible for setting the purpose and lawful basis, providing the privacy notice, applying appropriate security and upholding data-subject rights. Where the data is handled through a software provider, that provider usually acts as a processor.

Is a digital visitor log more secure than paper?

Generally yes. A digital register lets you protect data with controlled access, stop visitors seeing each other’s details, search and delete information selectively and produce reports. All of these make GDPR compliance easier than with a paper book.

Do small businesses and professional firms need a visitor log?

Not as a general rule. For small firms and professional practices the log is mainly good practice: it protects client confidentiality, brings order to the welcome and improves the impression you give. If you collect data, the GDPR still applies.

What is the risk if a company mishandles visitor data?

Non-compliant processing (excessive data, no privacy notice, weak security, indefinite retention) can lead to complaints and enforcement action by the data protection authority — the ICO in the UK — plus reputational harm. Running the log properly is therefore also a way to protect the business.

Sources and references

Useful legal and institutional references for further reading. This page is for information only and does not replace legal advice.

  1. Regulation (EU) 2016/679 — GDPR, official text: eur-lex.europa.eu (see in particular Articles 5, 6, 13 and 32).
  2. Information Commissioner’s Office (ICO) — UK data protection regulator: ico.org.uk (guidance on lawful basis, transparency and security).
  3. Data Protection Act 2018 (UK GDPR): legislation.gov.uk.
  4. Regulatory Reform (Fire Safety) Order 2005 — emergency and evacuation duties (England & Wales): legislation.gov.uk.
  5. OSHA — Emergency action plans, 29 CFR 1910.38 (United States): osha.gov.
  6. ISO/IEC 27001 — information security management (access control): iso.org.
