The EU General Data Protection Regulation (GDPR) will come into force on May 25th, and with less than 2 months to go, we should all be familiar with what this entails for our organization. If you are not familiar, here is an introductory post presenting the 5 general aspects that you need to cover on your way to compliance.

In the second part of our series, we focus on getting you acquainted with the personal data that you are collecting at the library: where you get it from, why you have it, who has access to it and why you are processing it. There are two main considerations to keep in mind on your path to GDPR compliance.

1. What personal data are you processing at the library?

As highlighted by CILIP’s guide on GDPR, processing includes collection, storage, use, recording, disclosure or manipulation of data whether that be through automated means or not. The best way to establish this and get you familiar with the data that the library is processing is by creating a data map or a data flow. At Princh, we have created a list of all the personal data (physical or digital) we have access to in our current activities.

For this, we’ve been closely following the GDPR Data Map Template offered by Anthony Budd, innovation consultant at Ideea. We’ve adapted the template to fit our needs in our work with libraries and here is an overview.

1. Focus on the personal information that you are collecting from someone

The first three columns provide an overview of the data type that you are collecting, the key stakeholders that gave you the information (library users, visitors, suppliers, the staff, etc.) and the main sources or channels they used to provide you with that information (website form, form at the library, employee contract, etc.).

For example, you could have a new library visitor wanting to create a library card. That person creates the account online by filling in a form on the library’s website. In this case, the source of personal data is the website form, the data subject is the library visitor and the personal information collected may include their name, e-mail address, physical address, phone number, identification number, and so on.

2. Focus on the way you are handling their personal information

The next four columns will better equip you with a data protection mindset. It is time to ask yourself why you are collecting this data (marketing, relationship management, contractual basis, analytics, circulation of media, etc.), how and where you'll store it in your library systems (library database, offline records, LMS, third-party processors' systems, etc.), who has access to it (library staff, IT team, third-party processors, public authorities, etc.) and for how long (removal upon request, after 30 days, after 6 months, etc.).

Continuing with the example of the library visitor, you need their personal information to communicate with the new user and allow media circulation. The data could be stored for as long as the user wants to remain in the library's database, and only the library's staff would have access to it.

3. Focus on the consent that you received for the data that you’re collecting