
GDPR compliance for libraries – 5 general aspects that you need to cover

Did you know that any EU-based organizational entity, and any non-EU organization that processes personal data of EU citizens, will be affected by the EU General Data Protection Regulation (GDPR)? The new regulation will offer EU citizens more control over the personal data they share with a company, whether that company is inside the EU or outside of it.

Since libraries work mostly with users and process their information, they also need to be GDPR compliant.

Where to start?

Organizations are still figuring out what it entails as there is no standard framework on how to become GDPR compliant, but here are 5 general aspects that you need to cover now:


1. Get familiar with the GDPR

There are many resources online outlining the regulation, such as the eugdpr.org website – a resource to educate the public about the main elements of the GDPR, or online courses that help you get a better understanding of how to become GDPR compliant.

The IFLA briefing on the impact of the GDPR highlights that you must be aware of the specific exemptions from the law that might apply to the library. Getting legal advice and discussing the impact of this new regulation on the library and its users with policy makers is not only helpful but essential. How far you can go with this, however, depends on each library’s budget and resources.


In our dialogue with many libraries using Princh, we’ve become aware that some have had very limited means to figure out what the implications of the updated GDPR can have for their library. Therefore, we’ve teamed up with a few experts and we’re writing a small series of blog posts that will focus specifically on how libraries can ensure GDPR compliance. So, stay tuned!

2. Identify what personal data you are processing at the library

As the library’s main activity is to offer services to citizens, you are most probably in control of their personal information. As per art. 4 of the regulation, personal data is defined as “any information relating to an identified or identifiable natural person”. This can be basic identity information, such as a name, phone number or address; basic online identifiers such as email addresses, cookies or IP addresses; or, as the article suggests, more specific information related to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

You can start by listing all the user data you have access to in your current activities (physical or digital). Once finished, you can decide what data contains personal information. Don’t forget to include the data that is processed internally, but also the external data processed by third-parties such as cloud solutions and suppliers. You will be held accountable for any personal data breach affecting the library users.

Having an audit of all the data that the library is collecting and processing through its activity is a great starting point in creating an action plan for becoming GDPR compliant.


For inspiration in identifying the personal data you are processing, see the companion post “GDPR For Libraries – Identifying The Personal Data You Are Processing”, which includes a free data map template.

3. Define how you handle the personal data at the library

Now that you are aware of all the data you are collecting through all your activities and the sources where it comes from, you can easily establish the reason why you need this data and why it is useful for the library’s activity. Decide what you actually need to store and for how long. To demonstrate compliance with the regulation, the library must update the data protection policies and have in mind the principles relating to personal data processing and most importantly the rights of the data subjects.


– Right of access. The users have the right to know how their data is processed, and they also have the right to access it.

– Right to rectification. The users have the right to have any inaccurate personal data that the library may hold corrected.

– Right to erasure. The users also have the right to be forgotten, and they can request the deletion of their personal data at any time.

– Right to restriction. The users have the right to restrict the processing of their data in some cases.

– Right to data portability. The users now also have the right to receive their data and transfer it to another organization.

– Right to object. Finally, the users can object to the processing of their personal data unless the controller demonstrates compelling legitimate grounds for it.

Therefore, whenever you are collecting personal data, you must make sure that you receive consent for using it, and at the same time make sure that all the library’s policies (privacy policy, terms and conditions, cookie policy, etc.) are easily accessible to the users.


4. Implement appropriate measures

After identifying all your data and getting your policies right, it is time to implement the identified changes in your internal processes at the library. As the regulation states, “the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.

The main goal of this stage is to enforce the data protection rules around the data you are collecting.


Given the rising number of cyber-attacks and data leaks, the GDPR makes it a necessity for you to put in place procedures to prevent, monitor, detect and report any attack or security breach. Taking technical measures and training staff to pay attention to this issue is essential, because according to the new regulation the library has 72 hours to report a breach and to inform the user.

5. Demonstrate your compliance

Now that you have the policies in place, it is time to document the processes and explain your approach regarding the privacy and security of your activity. Prepare for audits and for users wanting to access, rectify, erase or move the data.

The designation of a data protection officer (DPO) is needed since the library is a public authority which processes data. The DPO’s main task is to be the contact point between the supervisory authority and the controller and the processor.


Ultimately, think of GDPR compliance as a continuous activity for the library, not a project that can be completed at some point. It is vital to be aware of what’s happening at the library and to keep logs, so you are ready to report any security breach.


The EU General Data Protection Regulation will come into force on May 25th 2018, and over the next 4 months we will dedicate a small series of blog posts to sharing everything we learn, to help you in your process of becoming GDPR compliant.


Published February 9th, 2018 (last updated 2018-12-17) | Library Technology, Most Read, Public Libraries | 3 Comments

About the Author:

Petra is a library advocate at Princh and writer of the Princh Blog. Princh, which is a printing solution designed specifically for and with public libraries, makes a consistent effort to provide advocacy for libraries and library professionals. The Princh blog discusses library specific topics that inform their readers of library trends, insights, technologies and more.


  1. Grant Trotter February 16, 2018 at 16:31

    For the US and North American markets, GDPR compliance is becoming quite challenging as companies are struggling immensely with scoping issues and documentation issues. More specifically, I’m finding that controllers and processors are unclear at times as to what’s in scope, then further challenged by the complete lack of policies and procedures in place. I look at GDPR compliance as a two-fold process, and that’s (1) putting in place the actual processes and best practices, and then (2) documenting such processes and practices with well-written, factual policies and procedures.
    The amount of time and money that organizations are spending on policy creation, along with acquiring additional tools for GDPR compliance, is quite staggering, but again, it’s got to be done. Hopefully, as time passes the EU will provide better guidance on many of the articles that are currently somewhat vague. This has obviously been done to account for the large number of industries that need to become compliant. Well, good luck to everyone with their GDPR compliance issues, and do all you can to meet the deadline of May 2018.

  2. Malcolm Storey July 29, 2018 at 11:11

    Presumably it was never meant that GDPR would apply in this way, but the authors of books are named on their spines, photographs in books are credited, many biographies contain personal details (of varying veracity) of identifiable still-living persons. Is there a GDPR exception covering this, or do you need to get permission from every author, photographer and person named in the books?

  3. […] Big data: with technological progress, more data is generated, stored and analysed in the course of people’s everyday activities, and large data sets[1] can be a real advantage for libraries, because they have the skills and knowledge needed to make the best possible use of vast sources of information. Big data can readily improve the course of a library’s activities by examining insight into the user’s mind (people’s information-seeking behaviour). Ginny Mies, in an article on the publiclibrariesonline.org site about the use of big data in libraries, says: “Libraries can use the intelligence of core users to build better relationships with the community and adapt to changes in their environment.” In addition, libraries can use big data to personalise the user experience while protecting users’ privacy. For example, for processors of the personal data of EU users, compliance with the data protection regulation is essential. […]
