Have you heard of the General Data Protection Regulation?
If you’re living in Europe, chances are you have. GDPR imposes a series of changes to the personal data privacy laws in the European Union and will go into effect on 25 May 2018. The new regulation will replace the current Data Protection Directive 95/46/EC. It is meant to harmonize data privacy laws across Europe and to give individuals more transparency and control with respect to how their personal data is processed. While GDPR does impose requirements that, in some instances, are more stringent than current EU law, regulators have stated that the new regulation should be viewed as an incremental change for organizations that are already complying with existing data protection laws, noting that the regulation is “an evolution, not a revolution.”
GDPR and libraries
The widespread use of data has improved our lives in many ways. And libraries were among the first to embrace computerization of records and connected, online workflows. But that legacy also comes with a downside. New regulations will require us to reconsider business practices that, in many instances, may have been in place for decades. OCLC and our members, however, understand that in the case of promoting and maintaining data privacy and security, doing the right thing isn’t just a responsibility—it’s part of the benefit of doing business with libraries.
In another sense, OCLC and our members are already ahead-of-the-curve in terms of data privacy. Unlike other industries—advertising, for example—we do not sell personal data or aggregate it from multiple sources, and most in the industry are not using behavioral tracking or automated decision making. We (both OCLC and libraries) generally anonymize or pseudo-anonymize our data as part of our standard data handling processes. And, unlike many industries, personal privacy has been a consideration for libraries for a long time, not simply a regulatory burden.
The possible impacts of GDPR on any one institution will depend greatly on how personal data is currently used, and what processes are already in place. For some, GDPR may require only minor tweaks to current procedures. For others, it will mean major changes and even a rethinking of how personal data fits into business plans.
If your library is in the EU—or if you collect personal data about individuals in the EU—you may already have a GDPR plan in place. If not, we suggest some of the resources listed below to get started in understanding your obligations and putting together a compliance plan:
- The main EUGDPR site
- The European Commission’s Article 29 Working Party resources
- The UK Information Commissioner’s Office Guide to the GDPR
- The International Association of Privacy Professionals (IAPP) GDPR Resource Center
GDPR and OCLC
OCLC has been working for over a year on GDPR compliance. One of the most noticeable changes for our EU-based customers will be the addition of features that will allow more prominent privacy notices to be displayed in many of our hosted products and services. Internal changes are also underway at OCLC. We are implementing a process that will allow us to assist customers of our hosted software services in honoring individual rights requests made pursuant to GDPR. Additionally, we have taken significant steps toward improving our data security policies and procedures, improvements that will continue past the 25 May compliance date. And we appointed a full-time, dedicated Data Protection Officer who will be our single point of contact for data privacy matters going forward.
We are considering more long-term product features that will put the customer (the “controller” of the personal data) in the driver’s seat with respect to personal data collection and retention. Those features include, for example, customizable data retention policies for certain types of transaction history.
With respect to our member communications, many of our EU members may have received a request to “opt in” to continue receiving email or other educational or promotional communications from OCLC. To confirm that your opt-in status with OCLC is up-to-date, simply send an email to firstname.lastname@example.org.
Finally, we have begun a campaign to update our existing customer and vendor contracts with new data processing terms in order to make them GDPR-compliant. If you have not yet received our new data processing agreement, you should expect to receive a communication from us in the coming weeks.
For more information about ongoing GDPR efforts at OCLC, please see the customer Q&A document, available here.