GDPR: Partnering with Customers

In May 2018, the EU General Data Protection Regulation (GDPR) replaced the existing 1995 EU Data Protection Directive (European Directive 95/46/EC). The GDPR greatly affects the way companies process EU personal data, including OCLC and its customers.

OCLC is committed to ensuring our partners and customers can continue to use our products and services while complying with the GDPR. We recognize that compliance with the GDPR requires a partnership between OCLC and our partners and customers in their use of applicable OCLC services. Working together, we have been addressing and will continue to explore opportunities within our relevant service offerings to assist our customers in meeting their GDPR obligations as data controllers into the future. OCLC encourages customers to independently familiarize themselves with the GDPR and start their compliance efforts now, if they have not done so already.

Below we have answered some of the most urgent questions our partners and customers have about what the GDPR means for them.

What does the GDPR require?

Among other things, the GDPR established rules for how organizations can process the personal data of data subjects who are in the EU. While many of these rules already existed under previous EU law, some rules are now stricter. The rules reach beyond the physical borders of the EU and can apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behavior of those people.

What has OCLC done to prepare for the GDPR?

OCLC believes the GDPR is an important milestone in the data privacy landscape. We are excited about the strong data privacy and security principles that the GDPR emphasizes.

OCLC's GDPR preparation started well before 25 May 2018. While much of our preparation happened behind the scenes, there are a number of initiatives that are visible to our members and other users of our products and services. Listed below are some of the steps we have taken:

  • Assessment: OCLC carefully reviewed where and how our relevant services collect, use, store, and dispose of personal data. We have been updating our procedures, policies, standards, governance, and documentation as needed.
  • Products: We have evaluated potential changes to add to our various products to assist our customers in meeting some of their GDPR compliance obligations, such as in relation to display of privacy notice. Release notes of products, when available, describe product changes that may be helpful with respect to GDPR.
  • Contractual Commitments: Working in conjunction with our customers and vendors, OCLC has been updating contractual terms by executing data processing agreements as needed to directly address GDPR requirements.
  • Cross-Border Transfers of EU Personal Data: With respect to OCLC's products and services, cross-border transfers of personal data can vary by OCLC product. For some products, personal data is localized within the European Economic Area. For others, transfers of personal data outside of the European Economic Area occur. OCLC has standard contractual clauses in place to account for data transfers from the EEA, and OCLC establishes standard contractual clauses directly with our customers when they are the data exporters to OCLC outside of the EEA.
  • Employee Training and Awareness: All OCLC employees must complete data security training. In addition to these training requirements, OCLC conducts ongoing awareness initiatives on a variety of topics, including data protection, security, and privacy.

What security measures does OCLC have in place to protect the personal data it processes?

OCLC has robust technical and organizational measures in place to ensure a level of security appropriate for the personal data collected, and we regularly test, assess, and evaluate the effectiveness of our technical and organizational measures. OCLC has administrative and technological controls in place to limit its use of personal data to the purposes for which it is collected and processes in place to detect and respond to security breaches.

What is the difference between a controller and a processor?

With respect to the various products and services that OCLC hosts for our customers, our customers generally act as controllers, and OCLC acts as the processor. In the context of processing personal data, a controller is the organization that determines the purposes and means of processing the personal data. A processor is the organization that processes the data on behalf of the controller.

The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection, but the GDPR places some direct responsibilities on the processor, as well.

What personal data does OCLC process?

Many of OCLC's products are library management systems that help our customers process their patrons' circulation and discovery requests. These products also collect minimal personal data of library employees for library management purposes. While some personal data, such as names of patrons, are collected and used by all libraries, our customers differ on what data they use. Customers, as the controllers, determine the specific personal data that they will collect from the data subjects and provide to OCLC for processing. OCLC encourages its customers to examine what personal data they are processing to determine what obligations they may have under the GDPR.

Will OCLC assist customers in responding to requests made by data subjects related to their expanded individual rights under the GDPR?

The GDPR provides individuals more control over the processing of their personal data. OCLC has established processes for reviewing data subject requests. OCLC’s privacy notice describes the rights of data subjects and how to make requests. In many instances, requests by data subjects should be reviewed and fulfilled directly by our customers, as data controllers, instead of by OCLC, who is acting at the direction of the customer. Customers who believe they are unable to fulfill requests themselves through use of our products may contact OCLC to seek assistance.

Does the GDPR prevent a company from storing data outside of the EU?

Nothing in the GDPR prevents businesses from storing personal data outside of the EU, provided that their processors adhere to the necessary data protection regulations. The data export from the EU may require establishing appropriate safeguards for the transfer.

What steps does OCLC take to ensure its customers can lawfully transfer personal data outside of the European Union?

When personal data is transferred from the EU to OCLC, Inc. in the United States, it is transferred pursuant to standard contractual clauses issued by the European Commission. The European Commission has issued two sets of contractual clauses for controller-to-controller transfers and one set of contractual clauses for controller-to-processor transfers.