Analysis and news

GDPR’s impact reaches way beyond the EU

Scott Macdonald outlines the European data law – and potential repercussions and solutions for organisations around the world

We all saw it happen — around the middle of May, our inboxes started filling up with emails from organisations we’d interacted with in the past, all of them wanting to inform us about changes to their privacy policies. Around the same time, a number of major global news websites changed their subscription policies or their user interfaces, or even went dark in many countries. Years from now, we may look back on 25 May 2018 as one of the most important dates in internet history, all because a law that affects virtually every company and institution with a website went into effect in the European Union (EU). This law is called the General Data Protection Regulation, or GDPR. Under GDPR, EU citizens everywhere in the world have their personal data protected by perhaps the strongest privacy regime on the planet.

Considering GDPR — personal data and individual rights

The EU approved this new data privacy law in 2016, establishing 25 May 2018 as a deadline for global companies to adopt GDPR compliance. Over the last few months (or years, in some cases), companies have been scrambling to meet the 25 May deadline. And for good reason. The internet wasn’t designed with security and privacy in mind. As the technology has evolved and the internet has become more capable of shaping the way we communicate and share knowledge, librarians and library patrons have begun to raise questions about the security and privacy of their online data. GDPR is an important initiative to help address these concerns, heightening awareness and tightening approaches around privacy and security.

Just about every institution and organisation worldwide should be paying attention to GDPR. While the regulation stems from Europe and is intended to protect the privacy rights of European citizens, it applies to Europeans no matter where they may live – or which library they may visit.

18 Research Information August/September 2018

GDPR specifies a set of personal data rights for every EU citizen, creating obligations for every organisation that processes data about these individuals. Every citizen has the right to view data that an organisation has stored about them, to correct that data, and to erase that personal data – the so-called ‘right to be forgotten’. In addition, individuals can request to download portable copies of all their data in a format that would allow that data to be uploaded to other companies. Finally, organisations can only process personal data from individuals who have given informed consent, and individuals can withdraw their consent at any time.

“GDPR specifies a set of personal data rights for every EU citizen”

Informed consent is a strong requirement. It’s caused many companies – including publishers – to reconsider how they disclose privacy and data processing policies. For instance, many sites have long disclosed their privacy and data processing policies in webpage footers, accompanied by language stating: ‘By using the site, you agree to these terms.’ The actual language of GDPR states that consent must be ‘freely given, specific, informed and unambiguous’ [Recital 32].

The concept of freely given consent also stands to have a substantial impact on the way many internet services operate. The GDPR text goes on to say: ‘Consent should not be regarded as freely given if the data subject… is unable to refuse or withdraw consent without detriment.’ [Recital 42] Many internet services have always required consent to their policies as a precondition for use of their services. Within the first few minutes after the new GDPR law went into effect, privacy advocates filed lawsuits that seek to determine whether this kind of consent is still lawful.

These changes to consent rules have been the major driver of those new privacy terms disclosure messages we’ve all been receiving. So how can we comply with GDPR?

Libraries have many of the same data usage patterns as EBSCO Information Services (EBSCO) does, at least on e-resources.

Here’s how EBSCO prepared for GDPR

Review the law with counsel: We selected a team to work with legal counsel to determine what we believed the law required us to do. That included reviewing GDPR’s definition of personal data and determining which kinds of data in EBSCO systems meet those criteria.

Data and data flow analysis: With that definition in hand, a team of technologists and business experts reviewed the EBSCO system catalog and documented occurrences of personal data, wherever it was stored and everywhere it moved between systems. The purpose of this analysis was to ensure that EBSCO can deliver on those individual rights – to collect consent from every user before storing or processing any personal data, and to allow users to review, correct, erase and download their data.

Choosing approaches: One of the first decision points with any instance of personal data was to determine whether we could just avoid capturing or handling it in the first place, a process called ‘minimisation’. Minimisation reduces both the effort to bring a resource into compliance and any potential security risks down the road. Compared to many companies, EBSCO doesn’t track or store much user data. When we do, it’s generally directly related to a user benefit, such as stored preferences or note-taking. In these cases, we wanted to make it easy for the user to tell us what that data was, and to erase it if the user asked us to.

Design and implementation: EBSCO updated many systems to attain GDPR compliance. We had to create versions of the consent and data management screens that were available in many languages. We had to spend a lot of time testing the flexibility and customisation
