
18 Jun 18 EU-GDPR Frequently Asked Questions

What does EU-GDPR (or GDPR) stand for?

European Union – General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR, also referred to as ‘the regulation’) is a legal framework that sets guidelines for the collection and processing of personal information of individuals whose self-selected primary residence is within the European Union (EU).

When did the regulation go into effect?

The regulation went into effect on 25 May 2018.

What kind of information does the regulation apply to?

The GDPR defines personal data in Article 4 as: “… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity…”

What companies does the regulation apply to?

Any organization which processes and holds the personal data of data subjects (Individuals) with self-selected primary residence in the EU will be obliged to abide by the regulations set out by GDPR. This applies to every organization, regardless of whether they themselves reside in one of the EU Countries.

Are all types of personal data classified the same in the regulation?

GDPR identifies a special class of sensitive personal data, which includes things such as genetic, biometric, religious or philosophical beliefs, sexual preferences or details, health, and ethnic information.

Is there an exception for Associations like the ALA?

The regulation in Article 4(18) specifically includes associations.

How many ALA members are in the EU?

As of 6/13/2018 there were 147 identifiable members in the EU or 3 tenths of a percent of ALA’s members. Additionally, ALA collects personal data on non-members.

What is the ALA doing?

Based on legal counsel's advice we have updated ALA's Privacy Policy on the website and have created a Personal Data Notification statement that is being added to forms. ALA is forming a staff steering committee that will be working on the following:

  • Create FAQs and procedures regarding implementing policies for staff.
  • Review and understand the GDPR’s key components that relate to the ALA with assistance from our legal counsel.
  • Draft language for a notification of a data breach and articulate process for implementing the notification.
  • Formulate and document the Data Processing Agreement (DPA) process that all units in ALA should follow. This will include identifying who manages/keeps the master list of ALA vendors and of DPAs completed (either sent or received). Send DPAs out to current vendors to amend their contracts.
  • Identify and document all areas within ALA (includes data stored outside of ALA on its behalf) where personal data is entering, leaving, and being stored (Data Flow Mapping).
  • Draft policies for senior management review that comply with GDPR regulations on data usage, data sharing, and privacy.
  • Create a Gap Analysis against current known practices vs approved GDPR requirements and ALA policies.
  • Advise senior management on GDPR issues.

More information on the staff steering committee and its work will be shared with staff when it is available.

What about information specifically on GDPR for libraries/librarians?

https://americanlibrariesmagazine.org/blogs/the-scoop/future-data-privacy/

https://www.oif.ala.org/oif/?p=12363

https://acrl.ala.org/techconnect/post/introducing-our-new-best-friend-gdpr/

Where should I go for additional information?

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Whom at ALA should I ask questions about GDPR?

Questions about GDPR should be directed to Brian K. Willard.
