Did you know that any EU-based organizational entity and any non-EU organization that processes personal data of EU citizens will be affected by the EU General Data Protection Regulation (GDPR)? The new regulation will offer EU citizens more control over the personal data they share with a company, whether it is located within the EU or outside of it.
Since libraries work mostly with users and process their information, they also need to be GDPR compliant.
Where to start?
Organizations are still figuring out what it entails, as there is no standard framework on how to become GDPR compliant, but here are 5 general aspects that you need to cover now:
1. Get familiar with the GDPR
There are many resources online outlining the regulation, such as the eugdpr.org website – a resource to educate the public about the main elements of the GDPR, or online courses that help you get a better understanding of how to become GDPR compliant.
The IFLA briefing on the impact of the GDPR highlights that you must be aware of the specific exemptions from the law that might apply to the library. Getting legal advice and discussing with policy makers the impact of this new regulation on the library and its users is not only helpful but essential. However, how far you can go depends on each library’s budget and resources.
In our dialogue with many libraries using Princh, we’ve become aware that some have had very limited means to figure out the implications the updated GDPR can have for their library. Therefore, we’ve teamed up with a few experts and we’re writing a small series of blog posts that will focus specifically on how libraries can ensure GDPR compliance. So, stay tuned!
2. Identify what personal data you are processing at the library
As the library’s main activity is to offer services to citizens, you most probably control their personal information. As per art. 4 of the regulation, personal data is defined as “any information relating to an identified or identifiable natural person”. It can be basic identity information, such as a name, phone number or address; basic online identifiers such as email addresses, cookies or IP addresses; or, as the article suggests, more specific information related to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
You can start by listing all the user data you have access to in your current activities (physical or digital). Once finished, you can decide which of that data contains personal information. Include not only the data processed internally, but also the data processed externally by third parties such as cloud solutions and suppliers: you will be held accountable for any personal data breach affecting the library users.
An audit of all the data that the library collects and processes through its activity is a great starting point for creating an action plan for becoming GDPR compliant.
3. Define how you handle the personal data at the library
Now that you are aware of all the data you collect through your activities and the sources it comes from, you can establish why you need this data and how it is useful for the library’s activity. Decide what you actually need to store and for how long. To demonstrate compliance with the regulation, the library must update its data protection policies, keeping in mind the principles relating to personal data processing and, most importantly, the rights of the data subjects:
– Right of access. The users have the right to know how their data is processed and they also have the right to access it.
– Right to rectification. The users have the right to update any inaccurate personal data that the library may possess.
– Right to erasure. The users also have the right to be forgotten and they can request the deletion of their personal data at any time.
– Right to restriction. The users have the right to restrict the processing of their data in some cases.
– Right to data portability. The users also have the right to receive their data and transfer it to another organization.
– Right to object. Finally, the users can object to the processing of their personal data unless the controller demonstrates compelling legitimate grounds for it.
4. Implement appropriate measures
After identifying all your data and getting your policies right, it is time to implement the identified changes in your internal processes at the library. As the regulation states, “the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
The main goal of this stage is to enforce the data protection rules around the data you are collecting.
Given the rising number of cyber-attacks and data leaks, the GDPR makes it a necessity for you to put in place procedures to prevent, monitor, detect and report any attack or security breach. Taking technical measures and training staff to pay attention to this issue is essential because, according to the new regulation, the library has 72 hours to report a breach and to inform the user.
5. Demonstrate your compliance
Now that you have the policies in place, it is time to document the processes and explain your approach to the privacy and security of your activity. Prepare for audits and for users wanting to access, rectify, erase or move their data.
The designation of a data protection officer (DPO) is needed since the library is a public authority that processes data. The DPO’s main task is to be the contact point between the supervisory authority and the controller or the processor.
Ultimately, think of GDPR compliance as a continuous activity for the library, not a project that can be completed at some point. It is vital to be aware of what’s happening at the library and to keep logs, so you are ready to report any security breach.