GDPR interview with Anne Gilliland, Scholarly Communications Officer, University of North Carolina

As part of an ongoing series on General Data Protection Regulation (GDPR), the RMS Steering Committee virtually met up with Anne Gilliland of the University of North Carolina to ask her questions regarding GDPR and records management. See her answers below! Please comment or send me comments/ questions at jgd1(at)williams(dot)edu! Thank you, Anne!

1.What are the risks of not being in compliance with GDPR for EU researchers in the United States?

I’m not sure if you mean researchers who are from EU countries who are conducting research in the U.S. or if you mean researchers in the U.S. who are conducting research about Europe or in Europe.  Regardless, there are likely to be some implications for most of these categories because GDPR applies to all EU residents and citizens. This means that the GDPR covers, for example, students from the U.S. who are studying in EU countries and citizens of EU countries who are residing in the U.S. 

I’ll give an equivocal, lawyer-like answer about risk—the risk for noncompliance is going to be very dependent on many factors—but I will discuss potential penalties under the GDPR.  In the worst case, fines can go up to 4% of a company’s annual turnover or 20 million euros—whichever is higher. In addition, the GDPR includes a private right of action, so that an individual may sue and recover damages or remedial action from a privacy breach.    

All that said, the GDPR has special carve-outs that privilege researchers and research endeavors.  For example, once researchers get consent from subjects to collect data for a particular study, the law does not require them to go back to the subjects for another round of consent before they analyze the data for additional studies.  The International Association of Privacy Professionals has a good overview of the GDPR’s exceptions for research.  

The conventional wisdom has been that the GDPR is aimed at the largest companies, such as a large fine levied at Google in France for violations in early 2019; however, there are still many good reasons for working toward compliance.  One is that as the GDPR’s requirements become the norm, enforcement is likely to increase.  Another is that many people, and I am one of them, believe that the GDPR’s requirements are representative of the kind of privacy laws that are likely to be enacted in the future.  And finally, the GDPR requirements embody the kinds of holistic care for privacy that we, who work for libraries and cultural institutions, should be eager to extend to our users.  

2. Can you speak about data brokering, privacy policies with library databases, and subscription services and the sharing and monetizing of this information?

It’s a worry.  I certainly have a lot of concerns in that area.  We may conform to laws and ethical standards of patron confidentiality in the records we keep, but what about the vendors whose products we license?  We do try to exert some control by incorporating our vendors’ privacy policies into the contracts we sign rather than allowing vendors to change these policies at will.  Nevertheless, there are many situations where we don’t know what information vendors have collected from our patrons, or what they have retained, sold, or reused.  

3. Are there GDPR implications for storing electronic records? For instance, using a third party vendor in Europe?

Yes, the GDPR has regulations intended to safeguard the storage and transfer of records, notify subjects when their personal information is transferred, and for the repair of damage from data breaches.  Third party storage needs to have appropriate, approved safeguards. Records may be transferred outside the EU, but only to entities with approved methods of storage and handling and with mandatory disclosures to people whose data will be transferred.  

4. With increased reliance on centralized databases to manage patron information and public services, and with the promise of more accurate business intelligence, how can we be in better compliance with GDPR? What about transparency?

When businesses collect data about individuals, the GDPR requires that the companies obtain affirmative consent from the subjects, instead of the opt out routines we often see with U.S. privacy notices.  Additionally, the GDPR requires that businesses only gather the minimum amount of data necessary and keep it for a limited time. Until recently, business intelligence systems have gathered as much data as possible and have kept it as long as possible.  It appears likely that these systems will need to be retooled for a different environment going forward, and these companies will need to re-define their collection and retention use cases. 

5. What are small steps information professionals can take to be in compliance of GDPR? For example: cookie banners or clear articulate terms of services.

These small steps are good; however, I think that ultimately the GDPR demands a more comprehensive approach that should be beneficial but won’t be small or easy.  Many organizations are starting by doing a census of the data they collect, why they collect it, how long they keep it, and where and how it is stored. For a lot of entities, that’s not particularly easy, but it’s a crucial, early step.  

6. Is there an American equivalent of GDPR on the horizon?

Certainly, some people think of the California Consumer Privacy Act  as the U.S. equivalent of the GDPR.  It is like the GDPR in that it includes a private right of action and more comprehensive rights and remedies for consumers, but it is not as all-encompassing as the EU law.  Privacy laws throughout the U.S. are often called a patchwork, and I think that’s absolutely correct. In this piecemeal situation, privacy laws that populous states, such as California and Texas, have enacted tend to become de facto benchmarks. It will be interesting to see how U.S. laws develop, because, currently, many states are introducing and considering new privacy laws.  The International Association of Privacy Professionals has an interesting chart that shows the status of legislation in each state and the features of each law or proposed law.  

7. Any reading recommendations on GDPR?

Many!  I find the information from the International Association of Privacy Professionals and from law professor Daniel Solove especially helpful. Many of the books and articles that Solove has written or co-authored have shaped my understanding of privacy law in general. 


GDPR Primer

A few weeks ago, Chuck Piotrwoski of PIOT presented a great webinar on the General Data Protection Regulation (GDPR).  Although we weren’t able to record the session, he kindly provided his slides for sharing.

Chuck broke down GDPR into several basic principles:

  • data about a person belongs to the person
  • an organization can only work with personal data if permitted by law or with the consent of the individual

GDPR builds on the European Union’s 2007 Charter of Fundamental Rights, in which Title II (Freedoms) addresses privacy concerns:

Title II of 2007 Charter of Fundamental Rights

Chuck explained that GDPR protections applies to organizations that handle the personal data of EU individuals, regardless of where the organization is located.  For instance, if a researcher from Oxford pays for a scan from a U.S. archive, the personal data collected for this transaction is protected by GDPR.  Here’s the list Chuck provided of examples of personal data that are protected:

GDPR personal data

Chuck suggested all organizations begin with four basic tenets:

GDPR tenets

If you’re interested in gauging your situation, Chuck pointed to a data protection self assessment provided by the UK’s Information Commissioner’s Office.

Here are the most important points I took away from this webinar:

  • Integrating data privacy training into overall organizational training is more effective than specialized training because it’s more likely to get embedded into how people work.
  • Consent by individuals to collect personal data must be explicitly given — an opt-in model rather than the opt-out model frequently embraced in the U.S.
  • The process must be easy for individuals to withdraw their consent for an organization to hold personal data.
  • An organization must explain why it is collecting personal data.
  • There are currently no flawless automating tools for removing personal data.
  • Data erasure can be refused if the public good outweighs the need for privacy.

If you work for an organization that would be affected by these regulations, you may want to look at the To Do section of the slides Chuck provided.  He also listed some other resources at the end of his presentation.  Thanks for the great learning opportunity, Chuck!