We partner with libraries to meet and exceed their high professional standards. And we work with transparency to support all library users. OCLC was created for libraries 50 years ago and we share core values like social responsibility, confidentiality, and privacy. It’s built into our DNA.
Accountability is in our DNA
Like technology, our global privacy and security practices can never stand still. They must continuously evolve to keep up with changing times and user expectations. To stay one step ahead, we look to our members, industry leaders, and diverse, expert staff. We’re committed to a collaborative process that involves monitoring trends inside and outside our profession and introducing best practices and standards that lead to positive change.
The security of library and user data is a responsibility we take very seriously. That’s why we have critical safeguards in place today. Our multilayered approach is founded on confidentiality, integrity, and availability, and includes risk management protocols as well as environmental and operational controls.
Our safeguards are designed, maintained, and updated by a dedicated global security team. These are experienced professionals with backgrounds in libraries and higher education, as well as in security-conscious industries like financial services, government, and defense. Our team holds a variety of industry-recognized, professional certifications, such as ISC2 Certified Information Systems Security Professional (CISSP), ISACA Certified Information Security Auditor, IAPP Certified Information Privacy Professional, and Certified Information Privacy Manager.
There are no shortcuts. OCLC maintains a strict information security program certified to the ISO/IEC 27001 standard, an international benchmark. We are also guided by other frameworks, such as US National Institute of Standards and Technology Security and Privacy Controls for Federal Information Systems, European Network and Information Security Agency Guidelines, and the Cloud Security Alliance Cloud Controls Matrix.
Information privacy regulations continue to grow—and the European Union’s General Data Protection Regulation (GDPR) raises the bar for many of us. We view GDPR as an opportunity—an opportunity to lead the way in serving our libraries and their users.
We are well-positioned in our GDPR efforts with an ongoing and concentrated analysis of current practices, and planning and prioritization of important improvements. We map how data are collected, stored, and retained. We’ve also started to scale GDPR activities across all of our global operations to better support libraries around the world. In addition to appointing a data protection officer, staff from many OCLC departments and regions are working hard to address GDPR readiness, and we are committed to continuing to enhance our data protection practices into the future. We also recognize our responsibility to help libraries in their efforts to comply with regulations.
This isn’t a one-time fix. And for us, privacy law compliance is never as simple as checking a few boxes. We’re taking a programmatic approach with an organizational privacy program that’s driven by our GDPR strategy and compliance activities.
Our GDPR compliance efforts are part of OCLC’s ongoing commitment to a full privacy operational life cycle:
We assess laws that may apply to OCLC or our members, such as GDPR and the upcoming ePrivacy Regulation, to evaluate potential gaps between those laws and OCLC’s practices. This includes activities such as:
- Data mapping
- Maintaining records of processing activities
- Executing standard contractual clauses
- Executing data processing agreements
We protect OCLC and member personal data through data governance activities such as policy creation and enforcement, and through our ongoing efforts to reassess and improve our practices. We work closely with, and advise, business units such as:
- Product development
- Product management
We monitor and react to developments in laws, such as guidance issued by ICO, CNIL, and other regulators, to understand how the privacy landscape may be changing. And we work to communicate our legal obligations across the organization. These efforts include:
- Staff and member communications
- Staff training and awareness
- Continuing education for our data protection officer
We respond to requests from data subjects and our members in accordance with GDPR requirements. And we investigate incidents as they arise. Responses include:
- Incident review and response
- Responding to individual rights requests
- Information sharing and collaboration with OCLC members