In the third part of our series about the General Data Protection Regulation (GDPR), we will focus on the overall factors you need to consider before it is enforced. Not familiar with the EU GDPR? Here is an introductory post presenting the 5 general aspects that you need to cover on your way to compliance.
To find out more about the specific activities that need to be done in the lead-up to the GDPR being enforced, we’ve analyzed the activity of a few libraries and had a chat with Anna Ersdotter from Hammaro Library. Follow these 8 activities, with examples from libraries around you, and make all the changes at your library before May 25th.
1. Finish your documentation on personal data processing
To demonstrate your compliance, the entire process needs to be documented and easy to prove in case an audit is required. Anna Ersdotter explains during our chat with her that at her library they are “writing documentation on everything regarding personal data. Library loans are considered personal data, and depending on what loans we record, we can also have sensitive personal data. Thus, we must have watertight documentation on how we protect everything. Apart from loans, we also process different contact information (address, phone, email) as well as “personnummer”, a Swedish ID number.”
Therefore, the library needs to offer a clear overview of how, why and when the library systems collect, store, use, disclose, manipulate and delete personal data.
2. Design a process that will get clear consent from the user
User consent is one of the 6 legal bases for processing data and, apart from a contract, it is the one that is absolutely necessary for legal reasons when collecting data, as it gives a clear record of what the user agreed to.
Anna adds that “it also means we have a signed agreement with all users, so if there ever should be a disagreement, it’s easy to go back and look at the signed document. Users need to show identification in order to get a library card, and that card is from that point considered as an identification as well.”
3. Focus on the users and their protection
Anna highlights that “GDPR means that our users will have an even greater possibility to control their data than they have today”. Indeed, the main objective of the GDPR is to create a standard for consumers’ privacy online.
The new regulation will offer EU citizens more control over the relationship they have with an institution. Libraries must adapt to this change so that “they will be able to contact the users when needed (reminders, messages that the book they’ve ordered has come in, and in unfortunate events to send bills) and to guarantee that only the user is the one with the ability to access their loans.”
4. Get your privacy policies and notices in place
– the reasons why they use the personal and sensitive data
– what the users can do with the information they provided
– with whom the library is sharing the data
– how the library protects the information
– for how long they keep the personal data
– contact information for the Data Protection Officer
5. Refine the internal processes for data processing
After defining the way you process data at the library, implementing the needed changes in the library’s internal processes is an important next step. Anna tells us: “It differs from staff and users. Now the staff needs to log in with a personal account to have access to the database, making it possible to see who looked at whose account and when”. Another critical question is who has access to users’ data, and whether the staff who can currently see it should still be able to once the GDPR is enforced.
Another change in these processes is related to how long you store data. For example, the University of East Anglia has decided to anonymise all loan records older than 10 years and all requests older than 7 years, and then use the anonymised data for statistical or analytical purposes.
6. Involve the whole library in the process
Being compliant with the GDPR is a task for everyone. It is not just the responsibility of the Data Protection Officer, but extends to the IT department, library assistants and everyone else involved.
It is also not limited to the location where you are based, but again reaches out to everyone in your organization. If you are one of a number of libraries in the area, then it is everyone’s responsibility to ensure that the libraries are compliant as a whole. Anna also emphasizes this point: “my library is part of a cooperation together with 15 other municipalities in Sweden. All 16 of us work together on this.”
7. Educate your users about data protection
Even though the GDPR affects all EU citizens, reports from the past two years show that there are still many businesses who barely kno