The EU General Data Protection Regulation (GDPR) will come into force on May 25th and, with less than 2 months to go, we should all be familiar with what this entails for our organization. If you are not familiar, here is an introductory post presenting the 5 general aspects that you need to cover on your way to compliance.
In the second part of our series, we focus on getting you acquainted with the personal data that you are collecting at the library; where you get it from, why you have it, who has access to it and why you are processing it. There are two main considerations to have in mind in your path to GDPR compliance.
1. What personal data are you processing at the library?
As highlighted by CILIP’s guide on GDPR, processing includes the collection, storage, use, recording, disclosure or manipulation of data, whether through automated means or not. The best way to establish this and get familiar with the data the library is processing is by creating a data map or a data flow. At Princh, we have created a list of all the personal data (physical or digital) we have access to in our current activities.
For this, we’ve been closely following the GDPR Data Map Template offered by Anthony Budd, innovation consultant at Ideea. We’ve adapted the template to fit our needs in our work with libraries and here is an overview.
1. Focus on the personal information that you are collecting from someone
The first three columns provide an overview of the type of data you are collecting, the key stakeholders who gave you the information (library users, visitors, suppliers, the staff, etc.) and the main sources or channels they used to provide you with that information (website form, form at the library, employee contract, etc.).
For example, you could have a new library visitor wanting to create a library card. That person creates the account online by filling in a form on the library’s website. In this case, the source of personal data is the website form, the data subject is the library visitor and the personal information collected may include their name, e-mail address, physical address, phone number, identification number, and so on.
2. Focus on the way you are handling their personal information
The next four columns will better equip you with a data protection mindset. It is time to ask yourself why you are collecting this data (marketing, relationship management, contractual basis, analytics, circulation of media, etc.), how and where you’ll store it in your library systems (library database, offline records, LMS, third-party processors’ systems, etc.), who has access to it (library staff, IT team, third-party processors, public authorities, etc.) and for how long (removal upon request, after 30 days, after 6 months, etc.).
Continuing with the example of the library visitor, you need their personal information to communicate with the new user and allow media circulation. The data could be stored for as long as the user wants to remain in the library’s database, and only the library’s staff would have access to it.
3. Focus on the consent that you received for the data that you’re collecting
It’s important to assess the ways you received consent to process the personal data (opt-in checkbox on the website form, phone call, e-mail opt-in, etc.) and what type of communication (phone call, e-mail, SMS, etc.) the data subject agreed to receive. An important aspect to consider is whether the consent received before May 2018 is still valid under the guidelines of the new regulation or whether you should obtain new consent from the data subject.
2. What is your legal basis for processing the data?
There are many reasons why a library collects personal information, but without a legal basis for processing, the data collected may not be compliant with the GDPR. As stated by the regulation and summarized by ICO here, there are 6 bases for processing personal data:
Basis 1: Performance of a contract
Processing the data is necessary for the performance of a contract between the library and the individual person or if it is a prerequisite for entering into a contract.
Basis 2: Legal obligation
Processing the data is necessary to comply with a specific law that applies to the library.
Basis 3: Legitimate interest
Processing the data is necessary for the purposes of legitimate interests of the library or a third party.
Basis 4: Vital interest
Processing the data is necessary for the purposes of protecting the vital interests of an individual, e.g. gathering information from library users with a disability to ensure safety.
Basis 5: Consent
Whenever the consent of a person for a specific purpose is obtained in a freely given and affirmative way, the library has grounds for processing.
Basis 6: Public task
Naomi Korn highlights in the CILIP guide that a lawful basis for processing is offered by the necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller.
To conclude, knowing what information your library holds, where it came from and who you share it with is essential to be able to prove your compliance with the GDPR, and it is crucial to maintain appropriate documentation of your processing activity.
We will be back next week with another interesting article! Follow the Princh blog to receive insights from libraries around the world directly in your inbox.
Please note: The information offered through this blog post is for guidance only to help you better understand the GDPR. We don’t provide legal advice and we suggest that you consult with a qualified legal professional for advice on your interpretation of the GDPR.