OCLC's Hosted Products: GDPR Preparation and Partnering with Customers
In May 2018, the EU General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive (European Directive 95/46/EC). The GDPR will greatly affect the way companies process EU personal data, including OCLC and its customers.
OCLC is committed to taking the steps necessary to comply with the GDPR. Over the last year, OCLC's dedicated internal teams, made up of cross-functional stakeholders, have been working to address our GDPR readiness.
We recognize that compliance with the GDPR requires a partnership between OCLC and our partners and customers in their use of applicable OCLC services. Working together, we will continue to explore opportunities within our relevant service offerings to assist our customers in meeting their GDPR obligations as data controllers. In the meantime, OCLC encourages customers to independently familiarize themselves with the GDPR and start their compliance efforts now, if they have not done so already.
OCLC is also committed to ensuring our partners and customers can continue to use our products and services while complying with the GDPR. Below we have answered some of the most urgent questions our partners and customers have about what the GDPR means for them and what they need to do now to prepare.
What does the GDPR require?
The GDPR establishes rules for how organizations can process the personal data of data subjects who are in the EU. While many of these rules already existed under previous EU law, some rules are now stricter. The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behavior of those people.
What is OCLC doing to prepare for the GDPR?
OCLC believes the GDPR is an important milestone in the data privacy landscape. We are excited about the strong data privacy and security principles that the GDPR emphasizes, many of which OCLC instituted before the GDPR was enacted.
OCLC's GDPR preparation started more than a year ago, and while much of our preparation is happening behind the scenes, we are working on a number of initiatives that will be visible to our members and other users of our products and services. Listed below are some of the steps we have taken:
- Assessment: OCLC has carefully reviewed where and how our relevant services collect, use, store, and dispose of personal data. We are updating our procedures, policies, standards, governance, and documentation as needed.
- Products: We are evaluating potential new features to add to our various products to assist our customers in meeting some of their GDPR compliance obligations, such as in relation to notice and consent, if necessary.
- Contractual Commitments: Working in conjunction with our customers, OCLC is reviewing our contractual commitments and updating contractual terms as needed to directly address GDPR requirements. OCLC is also reviewing its vendor contracts to ensure GDPR compliance throughout its supply chain.
- Cross-Border Transfers of EU Personal Data: With respect to OCLC's hosted products and services, cross-border transfers of personal data vary by OCLC product. For some products, personal data is localized within the European Economic Area. For others, transfers of personal data outside of the European Economic Area occur. Thus, in addition to ensuring OCLC's contractual commitments meet the GDPR requirements, OCLC has standard contractual clauses in place where necessary.
- Employee Training and Awareness: All OCLC employees must complete data privacy and security training. OCLC will supplement existing training with GDPR-specific content. In addition to these training requirements, OCLC conducts ongoing awareness initiatives on a variety of topics, including data protection, security, and privacy.
What security measures does OCLC have in place to protect the personal data it processes?
OCLC has robust technical and organizational measures in place to ensure a level of security appropriate for the personal data collected, and we regularly test, assess, and evaluate the effectiveness of these measures. OCLC has administrative and technological controls in place to limit its use of personal data to the purposes for which it was collected, and processes in place to detect and respond to security breaches.
What is the difference between a controller and a processor?
With respect to the various products and services that OCLC hosts for our customers, our customers act as controllers, and OCLC acts as the processor. In the context of processing personal data, a controller is the organization that determines the purposes and means of processing the personal data. A controller also determines the specific personal data that is collected from a data subject for processing. A processor is the organization that processes the data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection, but the GDPR places some direct responsibilities on the processor, as well.
What personal data does OCLC process?
Many of OCLC's products are library management systems that help our customers process their patrons' circulation and discovery requests. These products also collect minimal personal data of library employees for library management purposes. Customers (the controllers) determine the specific personal data that they will collect from the data subjects and provide to OCLC for processing.
Will OCLC assist customers in responding to requests made by data subjects related to their expanded individual rights under the GDPR?
The GDPR provides individuals more control over the ways in which businesses process their personal data. OCLC is dedicated to giving its customers transparency and control of the personal data they process and will assist its customers in responding to individual rights requests made pursuant to the GDPR.
How long does OCLC retain personal data?
Customers, as data controllers, decide how long they retain personal data. Many of OCLC's products allow customers to configure certain retention periods.
Does the GDPR prevent a company from storing data outside of the EU?
Nothing in the GDPR prevents businesses from storing personal data outside of the EU, provided that their processors adhere to the necessary data protection regulations.
What steps does OCLC take to ensure its customers can lawfully transfer personal data outside of the European Union?
When personal data is transferred from the EU to OCLC, Inc. in the United States, it is transferred pursuant to Standard Contractual Clauses. The Standard Contractual Clauses were drafted and approved by the European Commission and contain detailed obligations related to the protection of personal data that is transferred outside of the EU.
Is there an official GDPR seal of quality for compliant processors?
As of yet, there is no seal for GDPR compliance. The GDPR does include the possibility of official certification, which can be given either by the national data protection authority or by a competent private data protection authority. No accreditation of such a seal has taken place yet, as we await the criteria for accreditation to be specified.
Does the looming Brexit have any immediate effect on whether companies in the UK must be GDPR-compliant?
Once Brexit is final, GDPR will not have any immediate authority in the UK. However, the Information Commissioner's Office (ICO), the British data protection authority, is working on legislation referencing the GDPR. At this point, it seems likely that companies within the UK will have obligations very similar to those imposed by the GDPR even after Brexit is finalized.