We're committed to ensuring that both Springshare and our clients/libraries using our tools comply with the upcoming GDPR law by May 25, 2018.

GDPR Refresher

GDPR stands for the General Data Protection Regulation, a new European Union (“EU”) law that regulates the personal data of individuals in the EU. GDPR will replace the EU’s current privacy law, the EU Data Protection Directive, which has been in place since 1995.

GDPR defines personal data as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (e.g. name, address, phone number), this definition can also include information such as an IP address or device identifier. The GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data, among other obligations.

Things we are working on, to ensure GDPR compliance

Springshare has always been very careful when handling our customers' data, and our privacy policy has been favorable to our users. Springshare never shares our customers' private data with third parties or resells it to them. There have been a few occasions when librarians from our client institutions have approached us about using aggregate statistics data in their academic research, but in every one of these instances we obtained written permission from the affected institutions to use anonymized data for research purposes.

Since 2017 we have been operating a dedicated EU data center which hosts applications and content for our European client institutions. We have 3 worldwide data center clusters (US, EU, and Canada, with more clusters/regions to come) and they are all independent of one another, i.e. the data does not flow back and forth between them. This ensures Springshare's compliance with the GDPR safeguards for cross-border data transfer: the personal data of our EU clients is not transferred "cross-border" outside of the EU.

Here are the specific steps and initiatives we are currently undertaking, which will be completed by May 25, 2018. These steps will ensure Springshare's and your compliance with GDPR.



Collecting and Storing Personal Information for Registered Users
Registered Users/Account Holders are librarians (and some non-librarians) who have an account in any of the Springshare tools - LibGuides, LibAnswers, LibCal, LibStaffer, etc. For these users to use Springshare tools and have an account, we need their name, email, and sometimes their phone number too, i.e. they need to share some personal information with us.

  • Our account management screens will contain a detailed explanation of what data we collect, why, and how to delete it. We will also link to the Springshare privacy policy from these screens.
  • When a user's account inside Springshare tools gets deleted, all personal information will be deleted as well. Note that the content the user created will not be removed by default (the local admin decides on this) but it will be reassigned to other user(s) because, in most cases, the library/institution wants to preserve this content and assign it to another librarian for maintenance and upkeep. All content entered into Springshare tools is owned by the libraries/institutions themselves. Springshare does not own the data and the content on our platform; our clients do.
  • If an institution cancels the license/subscription to a given Springshare tool, all user accounts will be deleted and all content the institution created will be deleted as well.



Collecting and Storing Personal Information for Patrons/Visitors
When libraries/institutions license and use Springshare tools, they do it so their users (patrons) can access and use them. There are many millions of patrons who use Springshare tools but do not need to register or have an account in these tools. GDPR has implications for these users, too. IP addresses are considered personally-identifiable information according to GDPR, and the IP addresses of website visitors are recorded in our logs. Also, every Springshare app uses browser cookies for its regular operation.

  • There will be a new, optional, "IP/cookie notification" feature (admins will be able to enable/disable it in administrative settings). When enabled, any new visitor to a Springshare tool's public page will get a visual alert that cookies are used on the site and that their IP will be recorded in the weblogs for statistical purposes. This will be similar to the notification seen on websites of many European newspapers (e.g. Le Monde, Guardian, etc.). The text of the notification will be customizable by admins at each institution.
  • On any screen where patrons are expected to enter their personal information (e.g. name, email, phone number, etc.) in order to use the Springshare tool (e.g. LibChat, LibCal, LibAnswers) there will be an on-screen notification (customizable for each institution) and an explanation of why the user is asked for this data and what happens with the data.
  • Some of our tools (e.g. LibAnswers and LibCal) already offer "privacy scrub" functionality where the admins can remove any personal data that users entered via forms. We will further improve this feature and extend it to all our tools, e.g. LibStaffer, etc. - anywhere we knowingly collect users' info (name, email, phone #) for the purpose of regular operation of our tools.



Updates to the Springshare Privacy Policy
Springshare's privacy policy is described here - https://springshare.com/privacy. We are currently reviewing it and will update it (if needed) in order to fully comply with GDPR. We will also link to this privacy policy from any relevant public and administrative screen in our apps.



Emails from Springshare to Our Users
Springshare staff does not email patrons (i.e. your institutions' users) for any reason. The only exceptions to this are two scenarios: a) automatically generated emails from inside apps during the normal course of operation of the app (e.g. booking a room reservation or asking a reference question and receiving an email confirmation), or b) when we receive email support requests from patrons and we respond to them. No changes are needed in this regard for GDPR compliance.

Librarians who have accounts in Springshare apps receive several types of emails from Springshare:

  • Operational emails we send to clients during operational urgencies. These were sometimes sent to all users. We are changing our policy: we will continue sending these emails, but only to administrators, i.e. admin-level users. These fall under the "operational" emails in GDPR-speak.
  • Email newsletters and notifications about new functionality and training webinars. By default, we sent these emails to all registered account holders because newsletters and training webinar emails were the primary ways for us to reach the user community and keep them informed about the changes and enhancements in our tools. By the end of May, we will only send these email newsletters and new functionality/training webinar notifications if you specifically opt in to receive these emails. You (the registered user) will have the ability to opt in/opt out at any time. Everyone is assumed to be opted out at the start, by default.



Springshare Data Privacy Office & Contact for GDPR-related Actions
We will have a dedicated email inbox and a dedicated staff who will:

  1. Receive and review all requests for removing specific data from Springshare's tools.
  2. Upon review, act on these requests and ensure that the data in question is removed in a timely manner.



Additional Steps and Actions Springshare is Undertaking
In addition to the actions described above, we are also undertaking a company-wide effort to be as well prepared and as ready as possible to ensure a smooth ride regarding Springshare's GDPR compliance efforts. Some of our current activities include:

  • Educating our staff about GDPR and its requirements.
  • Ensuring existing procedures cover all the rights individuals have under GDPR, including deleting personal data.
  • Identifying our lawful basis for processing personal data, documenting it, and updating our privacy notice to explain it to individuals.
  • Reviewing and updating contracts with third parties to ensure our privacy obligations are up-to-date.
  • Ensuring the right procedures are in place to detect, report, and investigate a personal data breach.

It is important to note that these new privacy-protection-related features in our platform will be available to *all* Springshare client institutions worldwide, i.e. these are not only for our European clients. Every one of our client institutions, anywhere in the world, will have access to the privacy-related features described above.

We want to reassure our clients that Springshare apps will be ready for GDPR come May 25, 2018. If you have any questions or concerns about Springshare's GDPR efforts, please do not hesitate to reach out to us at info@springshare.com.