The General Data Protection Regulation (GDPR), a binding European Union (EU) law governing data protection and privacy for citizens and residents of the EU and the European Economic Area, will go into force on May 25, 2018. GDPR, a robust privacy framework, aims to give more control to individuals over their personal data. Businesses and others collecting data must ensure that full disclosures are made and consent is freely given by the individuals whose data is being collected.
GDPR grants individuals six specific rights with respect to their data, including: (1) information and access (i.e., to know that their personal data is being processed and have access to this data free of charge); (2) data portability (data collected under certain circumstances must be provided “in a structured, commonly used, and machine-readable form”); (3) rectification (ability to correct inaccurate personal data or to complete information); (4) erasure (also known as the “right to be forgotten,” applicable only under certain circumstances); (5) restriction (individual may restrict data controller from processing data further under certain circumstances); and (6) objection (to object to processing of one’s data).
Although GDPR is an EU regulation, it has implications for businesses and institutions that collect data even outside the EU. Anne T. Gilliland, scholarly communications officer at the University of North Carolina at Chapel Hill Libraries, explains some of the key provisions of GDPR and why its impact reaches worldwide. Gilliland notes that the research library community has ties to Europe and EU citizens. Libraries must therefore consider the implications GDPR will have on their own privacy policies and how to ensure compliance with these new rules. As staunch defenders of privacy rights, libraries have an opportunity to ensure robust protection of users’ rights. Because GDPR has not yet gone into effect, there is no case law or other binding guidance regarding GDPR compliance.