Scott Macdonald outlines the European data law – and potential repercussions and solutions for organisations around the world
We all saw it happen — around the middle of May, our inboxes started filling up with emails from organisations we’d interacted with in the past, all of them wanting to inform us about changes to their privacy policies.
Around the same time, a number of major global news websites changed their subscription policies or their user interfaces, or even went dark in many countries. Years from now, we may look back on 25 May 2018, as one of the most important dates in internet history, all because a law that affects virtually every company and institution with a website went into effect in the European Union (EU). This law is called the General Data Protection Regulation, or GDPR. Under GDPR, EU citizens everywhere in the world have their personal data protected by perhaps the strongest privacy regime in the world.
Considering GDPR — personal data and individual rights
The European Union approved this new data privacy law in 2016, establishing 25 May 2018, as a deadline for global companies to adopt GDPR compliance. Over the last few months (or years, in some cases), companies have been scrambling to meet the 25 May deadline. And for good reason. The internet wasn’t designed with security and privacy in mind. As the technology has evolved and the internet has become more capable of shaping the way we communicate and share knowledge, librarians and library patrons have begun to raise questions about the security and privacy of their online data. GDPR is an important initiative to help address these concerns, heightening awareness and tightening approaches around privacy and security.
Just about every institution and organisation worldwide should be paying attention to GDPR. While the regulation stems from Europe and is intended to protect the privacy rights of European citizens, it applies to Europeans no matter where they may live – or which library they may visit.
GDPR specifies a set of personal data rights for every EU citizen, creating obligations for every organisation that processes data about these individuals. Every citizen has the right to view data that an organisation has stored about them, to correct that data, and to erase that personal data – the so-called 'right to be forgotten'. In addition, individuals can request to download portable copies of all their data in a format that would allow that data to be uploaded to other companies. Finally, organisations can only process personal data from individuals who have given informed consent, and individuals can withdraw their consent at any time.
Informed consent is a strong requirement. It’s caused many companies, including publishers, to reconsider how they disclose privacy and data processing policies. For instance, many sites have long disclosed their privacy and data processing policies in web page footers accompanying language stating: 'By using the site, you agree to these terms.'
The actual language of GDPR states that consent must be 'freely given, specific, informed and unambiguous' [Recital 32].
The concept of freely-given consent also stands to have a substantial impact on the way many internet services operate. The GDPR text goes on to say: 'Consent should not be regarded as freely given if the data subject…is unable to refuse or withdraw consent without detriment.' [Recital 42] Many internet services have always required consent to their policies as a precondition for use of their services. Within the first few minutes after the new GDPR law went into effect, privacy advocates filed lawsuits that seek to determine whether this kind of consent is still lawful.
These changes to consent rules have been the major driver of those new privacy terms disclosure messages we’ve all been receiving.
So how can we comply with GDPR? Libraries have many of the same data usage patterns as EBSCO Information Services (EBSCO) does, at least on e-resources. Here’s how EBSCO prepared for GDPR.
Review the law with counsel: We selected a team to work with legal counsel to determine what we believed the law required us to do. That included reviewing GDPR’s definition of personal data and determining which kinds of data in EBSCO systems meet those criteria.
Data and data flow analysis: With that definition in hand, a team of technologists and business experts reviewed the EBSCO system catalog and documented occurrences of personal data, wherever it was stored and everywhere it moved between systems. The purpose of this analysis was to ensure that EBSCO can deliver on those individual rights – to collect consent from every user before storing or processing any personal data, and to allow users to review, correct, erase, and download their data.
Choosing approaches: One of the first decision points with any instance of personal data was to determine whether we could just avoid capturing or handling it in the first place, a process called minimisation. Minimisation reduces both the effort to bring a resource into compliance as well as potential security risks down the road. Compared to many companies, EBSCO doesn’t track or store much user data. When we do, it’s generally directly related to a user benefit, such as stored preferences or note-taking. In these cases, we wanted to make it easy for the user to tell us what that data was, and to erase it if the user asked us to.
Design and implementation: EBSCO updated many systems to attain GDPR compliance. We had to create versions of the consent and data management screens that were available in many languages. We had to spend a lot of time testing the flexibility and customisation of core services. This work had to be complete before a hard deadline – GDPR was scheduled to go into full force on 25 May 2018, and we wanted to complete the work and flip the switch that turned it on before that date.
Before an EBSCOhost or EBSCO Discovery Service user performs an action that requires us to store personal information, like registering for an account or storing notes about an article, our privacy tools make sure to disclose which information is stored, how it is processed, and give the user the ability to decline that usage. The account management tools also give the ability to withdraw consent, to download all information that EBSCO has stored about the user, to edit that information, and to erase it. There’s no need to interact with customer service; users have full control of their data, accessible directly from the interfaces with which they’re already familiar.
GDPR compliance and the library
In many ways, the compliance process for libraries will be similar. The first step, again, will be to review the law and current policies to determine what will need to change.
In order to come into compliance, libraries will want to take particular care to ensure that their partners are taking similar care with their own obligations. Prepare a checklist that enumerates the points of compliance, such as informed consent and the data rights of individual to review, correct, download, and erase their personal data. Can partners effectively store and manage policies and consent without bombarding users with updates and re-registration requests? Library users don’t enjoy those e-mails any more than librarians do.
Libraries in the United States can look at GDPR compliance as a choice, unlike their counterparts in the EU. However, even for US-based libraries, there are reasons to strive for GDPR compliance.
Some of these reasons may seem purely pragmatic. GDPR’s scope is not limited to the physical boundaries of the countries of the European Union. Since GDPR protects EU citizens everywhere in the world, institutions that serve significant international populations may see an obligation to protect those constituents’ data. Consider how the EU regulatory practice for privacy has been a model for most of the world since the earlier Data Protection Directive was enacted in 1995. If history is any guide, complying with GDPR will prove an effective roadmap for compliance with future regulations from other countries.
Perhaps the most important reason for compliance, though, isn’t driven by fear of penalties, of fines or legal fees, or risk to reputation. As Article 1 of the GDPR states: 'The protection of natural persons in relation to the processing of personal data is a fundamental right.' By giving users the ability to decide how their data will be used and by being transparent about how they’re using personal data, organisations aren’t just managing their own risk. They’re helping individuals feel safe and in control of their own personal data and confident when they use compliant services. In short, we’re giving users a better experience and building trust with our communities.
Scott Macdonald is vice president, information security and operations at EBSCO Information Services