of core services. This work had to be complete before a hard deadline – GDPR was scheduled to go into full force on 25 May – and we wanted to complete the work and flip the switch that turned it on before that date.

The result

Before an EBSCOhost or EBSCO Discovery Service user performs an action that requires us to store personal information, like registering for an account, our privacy tools make sure to disclose what information is stored, how it is processed, and give the user the ability to decline that usage. The account management tools also enable the user to withdraw consent, to download all information that EBSCO has stored about the user, to edit that information, and to erase it. There’s no need to interact with customer service; users have full control of their data, accessible directly from the interfaces with which they’re already familiar.

GDPR compliance and the library

In many ways, the compliance process for libraries is similar. The first step, again, will be to review the law and current policies to determine what will need to change.

To become compliant, libraries will want to take particular care to ensure that their partners are taking similar care with their own obligations. Prepare a checklist that enumerates the points of compliance, such as informed consent and the data rights of an individual to review, correct, download and erase their personal data. Can partners effectively store and manage policies and consent without bombarding users with updates and re-registration requests? Library users don’t enjoy those emails any more than librarians do. Libraries in the United States can look at GDPR compliance as a choice, unlike their counterparts in the EU. However, even for US-based libraries, there are reasons to strive for GDPR compliance.

Some of these reasons may seem purely pragmatic. GDPR’s scope is not limited to the physical boundaries of the countries of the EU. Since GDPR protects EU citizens everywhere in the world, institutions that serve significant international populations may see an obligation to protect those constituents’ data.

Consider how the EU regulatory practice for privacy has been a model for most of the world since the earlier Data Protection Directive was enacted in 1995. If history is any guide, complying with GDPR will prove an effective roadmap for compliance with future regulations from other countries.

“Freely given, specific, informed and unambiguous”

Perhaps the most important reason for compliance, though, isn’t driven by fear of penalties, of fines or legal fees, or risk to reputation. As Article 1 of the GDPR states: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’

‘By giving users the ability to decide how their data will be used and by being transparent about how they’re using personal data, organisations aren’t just managing their own risk. They’re helping individuals feel safe and in control of their own personal data, and confident when they use compliant services. In short, we’re giving users a better experience and building trust with our communities.’

Scott Macdonald is vice president, information security and operations, at EBSCO Information Services

August/September 2018 Research Information 19

