A few weeks ago, Chuck Piotrwoski of PIOT presented a great webinar on the General Data Protection Regulation (GDPR). Although we weren’t able to record the session, he kindly provided his slides for sharing.
Chuck broke down GDPR into several basic principles:
- data about a person belongs to the person
- an organization can only work with personal data if permitted by law or with the consent of the individual
GDPR builds on the European Union’s 2007 Charter of Fundamental Rights, in which Title II (Freedoms) addresses privacy concerns:
Chuck explained that GDPR protections applies to organizations that handle the personal data of EU individuals, regardless of where the organization is located. For instance, if a researcher from Oxford pays for a scan from a U.S. archive, the personal data collected for this transaction is protected by GDPR. Here’s the list Chuck provided of examples of personal data that are protected:
Chuck suggested all organizations begin with four basic tenets:
If you’re interested in gauging your situation, Chuck pointed to a data protection self assessment provided by the UK’s Information Commissioner’s Office.
Here are the most important points I took away from this webinar:
- Integrating data privacy training into overall organizational training is more effective than specialized training because it’s more likely to get embedded into how people work.
- Consent by individuals to collect personal data must be explicitly given — an opt-in model rather than the opt-out model frequently embraced in the U.S.
- The process must be easy for individuals to withdraw their consent for an organization to hold personal data.
- An organization must explain why it is collecting personal data.
- There are currently no flawless automating tools for removing personal data.
- Data erasure can be refused if the public good outweighs the need for privacy.
If you work for an organization that would be affected by these regulations, you may want to look at the To Do section of the slides Chuck provided. He also listed some other resources at the end of his presentation. Thanks for the great learning opportunity, Chuck!
The Schedule 
Among the specific exemptions under GDPR is one for “archiving in the public interest” http://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/#interest
Great post! Thank you. “Consent by individuals to collect personal data must be explicitly given” is absolutely right, but only where Consent is the basis of processing. For most personal data processing the processor needs to nominate a basis from a list of six: Consent, Contract, Legal Obligation, Vital Interests, Public Task or Legitimate Interests. If the data are “special category” (i.e. relating to your health, religion, sexuality etc) the processor has to meet a higher threshold and there are 10 other possible legal bases, Explicit Consent being first on the list. The choice of legal basis is really important, not least because some organisations embed Consent processing in their work even when it is not the appropriate legal basis. For instance, a lot of local government data processing should be done on the Public Task basis, meaning that the consent of the data subject may not be needed and the right to erasure does not apply.
Pingback: Archives Records 2019 RMS Annual Meeting – The Schedule