In our third part of our series about the General Data Protection Regulation (GDPR), we will focus on the overall factors you need to consider before it will be enforced. Not familiar with EU GDPR? Here is an introductory post presenting the 5 general aspects that you need to cover on your way to compliance.

To find out more about the specific activities that need to be done on the lead up to when the GDPR is enforced, we’ve analyzed the activity of a few libraries and had a chat with Anna Ersdotter from Hammaro Library. Follow these 8 activities with examples from libraries around you and make all the changes at your library before May 25^th.

1. Finish your documentation on personal data processing

To demonstrate your compliance, the entire process needs to be documented and easy to prove in case an audit is required. Anna Ersdotter explains during our chat with her that at her library they are “writing documentation on everything regarding personal data. Library loans are considered personal data, and depending on what loans we record, we can also have sensitive personal data. Thus, we must have a watertight documentation on how we protect everything. Apart from loans, we also process different contact information (address, phone, email) as well as “personnummer”, a Swedish ID number.”

Therefore, the library needs to offer a clear overview of how, why and when, the library systems collect, store, use, disclose, manipulate and delete personal data.

2. Design a process that will get clear consent from the user

User consent is one of the 6 legal basis for processing data and, other than a contract, consent is absolutely necessary for legal reasons when collecting data as it offers a clear overview of what the user agreed to.

Anna adds that “it also means we have a signed agreement with all users, so if there ever should be a disagreement, it’s easy to go back and look at the signed document. Users need to show identification in order to get a library card, and that card is from that point considered as an identification as well.”

3. Focus on the users and their protection

Anna highlights “GDPR means that our users will have an even greater possibility to control their data than they have today”. Indeed, the main objective with the GDPR is to create a standard for consumers’ privacy online.

The new regulation will offer EU citizens more control over the relationship they have with an institution. Libraries must adapt to this change so that “they will be able to contact the users when needed (reminders, messages that the book they’ve ordered have come in, and in unfortunate events to send bills) and to guarantee that only the user is the one with the ability to access their loans.”

4. Get your privacy policies and notices in place

Informing your users of your privacy policy and their rights is another rule that is being enforced by the GDPR. As an example, Essex County Council has recently updated their privacy policy and as specified on their website, “the Privacy Notice explains how we use information about you and how we protect your privacy”. So, in accordance with the GDPR, it includes:

– the reasons why they use the personal and sensitive data

– what the users can do with the information they provided

– with whom the library is sharing the data

– how the library protects the information

– for how long they keep the personal data

– contact information for the Data Protection Officer

5. Refine the internal processes for data processing

After defining the way you process data at the library, implementing the needed changes in the library’s internal processes is an important next step. Anna tells us “It differs from staff and users. Now the staff needs to log in with a personal account to have access to the database, making it possible to see who looked at who’s account and when”. Something critical to also consider is who has access to the user’s data and whether the staff that can currently see user’s data, should be able to once GDPR is enforced.

Another change in these processes is related to how long you store data. For example, University of East Anglia has decided to anonymize all the loan records older than 10 years and the requests older than 7 years and further use it for statistical or analytical purposes.

6. Involve the whole library in the process

Being compliant with the GDPR is a task for everyone. It is not just the responsibility of the Data Protection Officer, but extends out to the IT department, library assistants and every other person involved too.

It is also not exclusive to the location where you are based, but again reaches out to everyone in your organization. If you are one of a number of libraries in the area, then it is everyone’s responsibility to ensure that the libraries are compliant as a whole.  Anna also emphasizes this point: “my library is part of a cooperation together with 15 other municipalities in Sweden. All 16 of us work together on this.”

7. Educate your users about data protection

Even though the GDPR affects all EU citizens, reports done in the past two years show that there are still many businesses who barely know about the GDPR and this offers the library a new topic to share knowledge about. On one hand, the citizens need to be informed on their new rights online and on the other hand, businesses need to learn how to respect these rights.

By simply adding new materials at the library focused on GDPR and data protection or by offering workshops and trainings on this topic, the library can become a source of information, so people can learn what data protection means under the new regulation.

For example, ACUTEC (an IT company in Birmingham) recently organized a GDPR workshop at the Library of Birmingham with the aim to provide the information on the GDPR to raise awareness.

Amy is kicking off our GDPR event for Non-profits at the library of Birmingham #GDPRNFP pic.twitter.com/kQAkgLMERT

— ACUTEC (@ACUTEC_UK) November 14, 2017

8. Verify what your data processors are doing to become GDPR compliant

Like any other institution, a library usually uses a handful of third-parties for data processing (library management systems, printing solutions, website providers, etc). For GDPR to work, it is important that every party plays its role.

Accordingly, as a data controller, the library will have an active obligation to obtain a data processing agreement from each processor, review the contractual terms of all the processors and continuously ensure compliance. In addition, the library must determine whether the data processors are compliant with the GDPR.

To conclude, once you have identified all the data that you process and you have outlined the grounds on which you can legally process it, implementing the needed changes in your internal processes at the library does not need to be a difficult task.

We will be back next week with another interesting article! Subscribe to the Princh blog to receive insights from libraries around the world directly in your inbox.

Please note: The information offered through this blog post is for guidance only to help you better understand the GDPR. We don’t provide legal advice and we suggest that you consult with a qualified legal professional for advice on your interpretation of the GDPR.

Do you feel ready for GDPR at your library? #libraries #librarians #GDPRready

— Princh (@PrinchApp) April 20, 2018