Did you know that any organization established in the EU, and any non-EU organization that processes the personal data of individuals in the EU, is covered by the EU General Data Protection Regulation (GDPR)? The new regulation gives people in the EU more control over the personal data they share with an organization, whether it is based inside the EU or outside it.
Since libraries work mostly with users and process their information, they also need to be GDPR compliant.
Where to start?
Organizations are still figuring out what it entails, as there is no standard framework for becoming GDPR compliant, but here are five general aspects you need to cover now:
1. Get familiar with the GDPR
There are many resources online outlining the regulation, such as the eugdpr.org website – a resource to educate the public about the main elements of the GDPR, or online courses that help you get a better understanding of how to become GDPR compliant.
The IFLA briefing on the impact of the GDPR highlights that you must be aware of the specific exemptions and derogations that may apply to the library (for example, the derogations that Art. 89 allows for archiving in the public interest and for research). Getting legal advice and discussing with policy makers the impact of the new regulation on the library and its users is not only helpful but essential, although how far you can go depends on each library's budget and resources.
In our dialogue with many libraries using Princh, we have become aware that some have had very limited means to figure out what implications the GDPR may have for their library. Therefore, we have teamed up with a few experts and are writing a small series of blog posts that will focus specifically on how libraries can ensure GDPR compliance. So, stay tuned!
2. Identify what personal data you are processing at the library
As the library's main activity is to offer services to citizens, you are almost certainly a controller of their personal data. Art. 4(1) of the regulation defines personal data as "any information relating to an identified or identifiable natural person". That covers basic identity information such as a name, phone number or postal address; online identifiers such as email addresses, cookies and IP addresses; and, as the article goes on to say, more specific information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
You can start by listing all the user data you handle in your current activities, physical or digital (membership forms, loan records, PC and Wi-Fi sign-ups, print jobs, newsletter lists and so on). Once finished, decide which of it contains personal data. Include not only the data processed internally but also the data processed on your behalf by third parties such as cloud solutions and suppliers. Outsourcing the processing does not outsource the responsibility: the library remains the controller, Art. 28 requires a written contract with each processor, and you will be held accountable for any personal data breach affecting library users, including one that happens at a supplier.
An audit of all the data the library collects and processes through its activity is also the basis for the record of processing activities that most controllers must keep under Art. 30, and it is a great starting point for creating an action plan for becoming GDPR compliant.
For inspiration in identifying the personal data you are processing, check out this free data map template.
3. Define how you handle the personal data at the library
Now that you know what data you collect through all your activities and where it comes from, you can establish, for each item, why you need it and what purpose it serves for the library. Decide what you actually need to store and for how long. To demonstrate compliance with the regulation, the library must update its data protection policies with the principles of Art. 5 in mind (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) and, most importantly, the rights of the data subjects:
– Right of access (Art. 15). Users have the right to know whether and how their data is processed and to obtain a copy of it.
– Right to rectification (Art. 16). Users have the right to have any inaccurate personal data the library holds corrected.
– Right to erasure (Art. 17). Users can ask to be forgotten, i.e. to have their personal data deleted, for example when it is no longer needed for the purpose it was collected for or when they withdraw the consent it was based on. The right is not absolute: the library can refuse where it still needs the data to comply with a legal obligation or to perform its public task.
– Right to restriction (Art. 18). Users can require the library to stop actively processing their data in certain cases, for instance while a dispute over its accuracy is being settled.
– Right to data portability (Art. 20). Users can receive the data they provided, in a structured, commonly used and machine-readable format, and have it transmitted to another organization; this applies to automated processing based on consent or a contract.
– Right to object (Art. 21). Finally, users can object to processing based on the public-task or legitimate-interests grounds, and the library must stop unless it can demonstrate compelling legitimate grounds that override the user's interests.
Therefore, whenever you collect personal data you must have a lawful basis for the processing under Art. 6, and you must be able to name it. Consent is only one of the six bases, and it is often a poor fit for a public library: it must be freely given, specific and as easy to withdraw as it was to give. For core library services, the performance of a task carried out in the public interest (Art. 6(1)(e)) or a legal obligation will frequently be the appropriate basis, while consent remains the right choice for optional extras such as newsletters. Whichever basis applies, make sure that all the library's policies (privacy policy, terms and conditions, cookie policy, etc.) state it and are easily accessible to users.
4. Implement appropriate measures
After identifying all your data and getting your policies right, it is time to implement the identified changes in the library's internal processes. As Art. 25(2) of the regulation states, "the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed".
The main goal of this stage is to enforce the data protection rules around the data you are collecting.
Given the rising number of cyber-attacks and data leaks, the GDPR makes it a necessity to put procedures in place to prevent, monitor, detect and report any attack or security breach. Technical measures (Art. 32 names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the measures) and staff training are essential, because under Art. 33 the library must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and under Art. 34 it must inform the affected users without undue delay when the breach is likely to result in a high risk to them. Every breach, whether reported or not, must be documented.
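As an added example (not code from the original post, nor Princh's own software), here is a small Python routine that applies the "only what is necessary, for only as long as necessary" rule from sections 3 and 4 to library loan records: a borrower stays identifiable only while the loan is open plus a short grace period, after which the record is pseudonymised but still counts for circulation statistics, and an erasure request is honoured only for records the library no longer needs identified. The record layout, the 30-day grace period and the sample records are all constructed assumptions for illustration.

```python
"""Retention and data-minimisation routine for library loan records.

Added example, not code from the original post. It implements the
Art. 25(2) 'data protection by default' idea: keep a borrower identifiable
only while the purpose (running the loan) still requires it, then strip the
identifiers but keep what is needed for circulation statistics.
Record layout, retention period and sample data are constructed assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention rule: identifiers are kept for 30 days after return so
# that disputes and overdue charges can still be handled, then removed.
GRACE_PERIOD = timedelta(days=30)


@dataclass(frozen=True)
class LoanRecord:
    loan_id: str
    borrower_id: Optional[str]     # patron number; None once minimised
    borrower_email: Optional[str]  # contact address; None once minimised
    item_id: str
    branch: str
    loaned_on: date
    returned_on: Optional[date]    # None while the item is still on loan


def needs_identifiers(rec: LoanRecord, today: date) -> bool:
    """True while the library still needs to know who the borrower is."""
    if rec.returned_on is None:
        return True  # open loan: the patron must remain contactable
    return today - rec.returned_on <= GRACE_PERIOD


def minimise(rec: LoanRecord) -> LoanRecord:
    """Drop the direct identifiers, keep the fields statistics rely on."""
    return replace(rec, borrower_id=None, borrower_email=None)


def apply_retention(records: List[LoanRecord], today: date) -> Tuple[List[LoanRecord], int]:
    """Scheduled job: pseudonymise every record whose purpose is fulfilled."""
    kept, changed = [], 0
    for rec in records:
        if rec.borrower_id is not None and not needs_identifiers(rec, today):
            rec = minimise(rec)
            changed += 1
        kept.append(rec)
    return kept, changed


def erase_subject(records: List[LoanRecord], borrower_id: str, today: date) -> Tuple[List[LoanRecord], int, List[str]]:
    """Right-to-erasure request (Art. 17): remove identifiers wherever they
    are no longer necessary; records of open loans are refused because the
    library still needs them to perform its task."""
    out, erased, refused = [], 0, []
    for rec in records:
        if rec.borrower_id == borrower_id:
            if needs_identifiers(rec, today):
                refused.append(rec.loan_id)
            else:
                rec = minimise(rec)
                erased += 1
        out.append(rec)
    return out, erased, refused


def circulation_stats(records: List[LoanRecord]) -> Dict[str, int]:
    """Loans per branch: still computable after the identifiers are gone."""
    stats: Dict[str, int] = {}
    for rec in records:
        stats[rec.branch] = stats.get(rec.branch, 0) + 1
    return stats


# Constructed sample data (not real patrons).
SAMPLE = [
    LoanRecord("L1", "P1001", "a@example.org", "I1", "Main", date(2018, 1, 2), None),
    LoanRecord("L2", "P1002", "b@example.org", "I2", "Main", date(2018, 1, 3), date(2018, 1, 20)),
    LoanRecord("L3", "P1003", "c@example.org", "I3", "North", date(2017, 11, 1), date(2017, 11, 15)),
]


def run_example(today: date = date(2018, 2, 1)) -> Tuple[List[LoanRecord], int, Dict[str, int]]:
    """Run the retention job over the sample data as of `today`."""
    kept, changed = apply_retention(SAMPLE, today)
    return kept, changed, circulation_stats(kept)


if __name__ == "__main__":
    kept, changed, stats = run_example()
    print(f"{changed} record(s) pseudonymised; loans per branch: {stats}")
    for rec in kept:
        print(rec)
```

On the sample data as of 1 February 2018, the open loan and the loan returned 12 days ago keep their identifiers, the loan returned in November is pseudonymised, and the per-branch statistics are unchanged; an erasure request from the patron with the open loan is refused for that record, which is exactly the kind of decision the library should be able to explain to the user and to the supervisory authority.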
5. Demonstrate your compliance
Now that you have the policies in place, it is time to document the processes and explain your approach regarding the privacy and security of your activity. Prepare for audits and for users wanting to access, rectify, erase or move the data.
A data protection officer (DPO) must be designated when the library is a public authority or body (Art. 37(1)(a)), which is the case for most public libraries; several public bodies may share a single DPO. The DPO informs and advises the library on its obligations, monitors compliance, and is the contact point for the supervisory authority and for data subjects (Arts. 38 and 39).
Ultimately, think of GDPR compliance as a continuous activity for the library; it is not a project that can be completed at some point. It is vital to know what is happening at the library and to keep logs, so that you can detect a breach, establish when you became aware of it (which starts the 72-hour clock) and report it.
The EU General Data Protection Regulation becomes applicable on 25 May 2018, and over the next four months we will dedicate a small series of blog posts to sharing everything we learn, to help you in your process of becoming GDPR compliant.
For the US and North American markets, GDPR compliance is becoming quite challenging as companies are struggling immensely with scoping issues and documentation issues. More specifically, I'm finding that controllers and processors are unclear at times as to what's in scope, then further challenged by the complete lack of policies and procedures in place. I look at GDPR compliance as a two-fold process, and that's (1) putting in place the actual processes and best practices, and then (2) documenting such processes and practices with well-written, factual policies and procedures.
The amount of time and money that organizations are spending on policy creation, along with acquiring additional tools for GDPR compliance, is quite staggering, but again, it's got to be done. Hopefully, as time passes the EU will provide better guidance on many of the articles that are currently somewhat vague. This has obviously been done to account for the large number of industries that need to become compliant. Well, good luck to everyone with their GDPR compliance issues, and do all you can to meet the deadline of May 2018.
Presumably it was never meant that GDPR would apply in this way, but the authors of books are named on their spines, photographs in books are credited, many biographies contain personal details (of varying veracity) of identifiable still-living persons. Is there a GDPR exception covering this, or do you need to get permission from every author, photographer and person named in the books?
[…] Big data. Given technological advances, more data is produced, stored and analysed in the course of people's everyday activities. Large data sets[1] can be a real advantage for libraries, because they have the skills and knowledge needed to make the best possible use of vast information resources. Big data can easily improve library operations by examining the insight it gives into the user's mind (people's information-seeking behaviour). Jenny Mayes (جینیمایز), in an article on publiclibrariesonline.org about the use of big data in libraries, says: "Libraries can use the intelligence of their core users to build better connections with the community and adapt to environmental changes." In addition, libraries can use big data to personalise the user experience, with due regard for users' privacy. For example, for those who process the personal data of EU users, compliance with the data protection regulation is essential. […]