We partner with libraries to meet and exceed their high professional standards. And we work with transparency to support all library users. OCLC was created for libraries 50 years ago and we share core values like social responsibility, confidentiality, and privacy. It’s built into our DNA.
Accountability is in our DNA
Like technology, our global privacy and security practices can never stand still. They must continuously evolve to keep up with changing times and user expectations. To stay one step ahead, we look to our members, industry leaders, and diverse, expert staff. We’re committed to a collaborative process that involves monitoring trends inside and outside our profession and introducing best practices and standards that lead to positive change.
The security of library and user data is a responsibility we take very seriously. That’s why we have critical safeguards in place today. Our multilayered approach is founded on confidentiality, integrity, and availability. These approaches are further defined in OCLC’s strategic security goals.
Our approach to security and safeguarding data is designed, maintained, and updated by a dedicated global security team. These are experienced professionals with backgrounds in libraries and higher education, as well as in security-conscious industries like financial services, government, and defense.
There are no shortcuts. OCLC maintains a strict information security program certified to FedRAMP, the U.S. Federal Government’s Cloud Security Standard, and to ISO 27001 and ISO 27018, international benchmarks for Managing Security Systems and Privacy, to name a few.
Information privacy regulations continue to grow—and the European Union’s General Data Protection Regulation (GDPR) raises the bar for many of us. We view GDPR as an opportunity—an opportunity to lead the way in serving our libraries and their users.
We are well-positioned in our GDPR efforts with an ongoing and concentrated analysis of current practices, and planning and prioritization of important improvements. We map how data are collected, stored, and retained. We’ve also started to scale GDPR activities across all of our global operations to better support libraries around the world. In addition to appointing a data protection officer, we have staff from many OCLC departments and regions working hard to address GDPR readiness, and we are committed to continuing to enhance our data protection practices into the future. We also recognize our responsibility to help libraries in their efforts to comply with regulations.
This isn’t a one-time fix. And for us, privacy law compliance is never as simple as checking a few boxes. We’re taking a programmatic approach with an organizational privacy program that’s driven by our GDPR strategy and compliance activities.
Our GDPR compliance efforts are part of OCLC’s ongoing commitment to a full privacy operational life cycle:
We assess laws that may apply to OCLC or our members, such as GDPR and the upcoming ePrivacy Regulation, to evaluate potential gaps between those laws and OCLC’s practices. This includes activities such as:
- Data mapping
- Maintaining records of processing activities
- Executing standard contractual clauses
- Executing data processing agreements
We protect OCLC and member personal data through data governance activities such as policy creation and enforcement, and through our ongoing efforts to reassess and improve our practices. We work closely to advise business units such as:
- Product development
- Product management
We monitor and react to developments in laws, such as guidance issued by ICO, CNIL, and other regulators, to understand how the privacy landscape may be changing. And we work to communicate our legal obligations across the organization. These efforts include:
- Staff and member communications
- Staff training and awareness
- Continuing education for our data protection officer
We respond to requests from data subjects and our members in accordance with GDPR requirements. And we investigate incidents as they arise. Responses include:
- Incident review and response
- Responding to individual rights requests
- Information sharing and collaboration with OCLC members