Is your library GDPR compliant? Read on to find out more about these new regulations and how they may impact your library.
What is GDPR?
In 2016, the European Parliament passed sweeping legislation to provide citizens with a greater level of control over their personal data and require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Companies and organizations were given two-years to get in compliance with the new regulations or face heavy fines. May 25, 2018 is the date that GDPR goes into effect.
What are the new regulations?
There are several main changes that companies must now follow. If they are not in compliance they will be fined 4% of annual global turnover or €20 Million (whichever is greater).
- Breach Notification: Companies must notify users within 72 hours of a data breach.
- Right to Access: Everyone has a right to their own information. If requested, personal data must be turned over, free of charge, in an electronic format.
- Right to be Forgotten: If there is information about you online that is harming you then you can request to have it removed. Companies will have to take into account the public interest in the information.
- Data Portability: Companies need to provide your personal information to you in a commonly used and machine readable format that can be transferred to another service.
- Privacy by Design: When designing services (e.g., websites, apps), businesses must consider how to keep user information protected. It should be built into the design, not an afterthought.
- Data Protection Officers: All companies must assign someone to be responsible for overseeing their data protection strategy and compliance with GDPR requirements.
Who does this effect?
Due to the Right to Access provision in GDPR you can now request a copy of all the data a company has collected about you. Sometimes this has to be done in writing, while others are starting to roll out instant downloads.
What privacy regulations do we have?
Why does this matter to public libraries in the United States?
Don’t go and hit the panic button at your library if you are not in compliance. Those of us who only serve patrons living in the United States do not have to follow these regulations. However, GDPR effects many of our library vendors who have customers in the EU. That is why you’ve seen many of them updating their policies and procedures to be in compliance with the new regulations.
Most major internet companies have customers in the EU meaning they have to be GDPR compliant or face large fines. Anyone who goes online will now have more control over their personal information and hopefully have better safeguards in place to protect their data. Although we do not have to be in compliance with GDPR for our data, many of your patrons will likely have questions about it. Understanding the basics will help staff build patrons’ privacy literacy and feel comfortable with the changes they’re seeing online.
Libraries also have an ethical responsibility to act as privacy havens for our patrons. We can learn from GDPR by conducting our own internal privacy audits to ensure we, and our vendors, are protecting patron data. Get started today by checking out all the fantastic resources on ALA’s Choose Privacy Week website.