August 2, 2018

Looking at GDPR in a more positive light

Over the past few months, you may have noticed a flurry of pop-ups and emails announcing updated Terms of Use from various companies and organizations you deal with on the web. This is due to the fact that many of them are scrambling to be compliant with the new EU-inspired General Data Protection Regulation (GDPR) which went into effect at the end of May.

The key goals of GDPR are to bring more transparency to the use of individual personal data and to provide individuals with more control of their data. It specifically applies to any organization that collects data from EU citizens or those residing in EU countries (for example, a visiting professor or student abroad).

An organization’s practices and responsibilities related to GDPR compliance have been detailed fairly broadly on the web. Even the ACRL has provided some guidance. So, rather than cover the same ground, I have listed a few of the sources that I have found useful (and, dare I say, fun) at the end of this blog.

The good news is that these new regulations aren’t applicable to libraries in North America except in rare cases. Canadian librarians are already familiar with the Canada Anti-Spam Legislation (CASL) which in many ways presaged GDPR, but GDPR goes beyond what CASL requires.

That being said, my thoughts go to how we might embrace some of the changes that are implied by GDPR policies…creating more transparent and collaborative practices that, in the end, make our relationships with our customers stronger.

So, here are some of the implications of GDPR and how they might have us think a bit differently:

Think more broadly about personal data

The GDPR definition of personal data is fairly broad and doesn’t end with birthdays or street addresses. It includes all information relating to an individual including online identities and indirect information such as economic, cultural or social data you might collect. There’s no distinction between work and private lives. We should be thinking more broadly when we say “personal data” and not draw artificial boundaries that might offer convenience (“We only have to worry about the ILS”).

Get organizational about privacy

The GDPR calls for many organizations who are in the business of collecting data (like Facebook) to identify a Data Protection Officer (DPO). And, unless your library’s core activities “involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals” (which they don’t), I wouldn’t expect that this level of requirement would be imposed on your organization. However, this may be a good time to consider designating someone as a de facto DPO or at least, at some level, identifying someone or some department within your organization with the responsibility of thinking holistically about personal data management and compliance. As long as someone is tasked with this role and the matter is given some management attention, my sense is that gaps will get filled and your library will progress down the path of improved practices.

Consent discipline and the ability to be forgotten

Individuals whose data is being collected must give consent for the use of this data. Consider how and when this information is obtained. Consent does not need to be explicit; it can be implied from the person’s relationship with the library, and it should be obtained for specific and legitimate purposes. You might want to consider documenting procedures for how and when consent is obtained. Finally, consider how proactively and how frequently you might want to confirm consent. At Patron Point, our Anniversary program can be configured to confirm consent and preferences on a yearly basis or whatever frequency you prefer.

One aspect of the GDPR that’s received a lot of attention is the ability of an individual to be “forgotten”. Having policies and practices that support withdrawn consent at any time and appropriately manage data no longer required (for the reasons it was collected) would be a healthy addition to any standard operating procedures.

Erring on the side of transparency

There’s a well-publicized list of information that should be disclosed when collecting a user’s data. None of the information is beyond reason and in most cases, much of this information is probably already included in your website’s Privacy Policy or Terms of Use statements. Consider reviewing those terms and policies and making sure they’re current, accurate and clear.

I mentioned good news earlier. The better news is that, from everything I’ve seen and heard, the discipline that libraries have already self-imposed and how most libraries use their users’ data should be little cause for concern for most patrons. That being said, the implementation of the GDPR “across the pond” might be a good time to take a fresh look at practices that may have become stale over the years and gives us the opportunity to improve our stewardship of our users’ personal data.

Shimshock Out.

Select Sources:

European Commission, Rules for Business and Organizations, European Union (Accessed July, 2018)
Bob Yelland, EU General Data Protection Regulation – How it Works, A Little Bee Book, adapted from a variety of sources, IBM (Accessed July, 2018)
Margaret Heller, Keeping Up With…General Data Protection Regulation (GDPR), Association of College and Research Libraries, division of American Library Association (Accessed July 15, 2018)
