Springshare's GDPR Compliance Plans
Springshare will be fully compliant with GDPR by May 25, 2018
Things we are working on to ensure GDPR compliance
Since 2017 we have operated a dedicated EU data center that hosts applications and content for our European client institutions. We run three independent data center clusters worldwide (US, EU, and Canada, with more clusters/regions to come); data does not flow between them. This is how Springshare meets the GDPR safeguards on cross-border data transfer: the personal data of our EU clients is not transferred outside the EU.
Here are the specific steps and initiatives we are currently undertaking; all will be completed by May 25, 2018. These steps will ensure Springshare's and your compliance with GDPR.
Collecting and Storing Personal Information for Registered Users
Registered Users/Account Holders are librarians (and some non-librarians) who have an account in any of the Springshare tools - LibGuides, LibAnswers, LibCal, LibStaffer, etc. To have an account and use the tools, these users must share some personal information with us: their name and email, and sometimes their phone number.
- When a user's account inside a Springshare tool is deleted, all of that user's personal information is deleted as well. The content the user created is not removed by default (the local admin decides this); instead it is reassigned to another user or users, because in most cases the library/institution wants to preserve the content and assign it to another librarian for maintenance and upkeep. All content entered into Springshare tools is owned by the libraries/institutions themselves; Springshare does not own the data and content on our platform, our clients do.
- If an institution cancels its license/subscription to a given Springshare tool, all of its user accounts and all content the institution created are deleted.
Collecting and Storing Personal Information for Patrons/Visitors
When libraries/institutions license and use Springshare tools, they do so for their own users (patrons) to access and use. Many millions of patrons use Springshare tools without registering or having an account, and GDPR has implications for these users too: IP addresses are personal data under GDPR, and the IP addresses of website visitors are recorded in our logs. Every Springshare app also uses browser cookies for its regular operation.
- There will be a new, optional "IP/cookie notification" feature (admins will be able to enable/disable it in administrative settings). When enabled, any new visitor to a Springshare tool's public pages will see a visual alert that the site uses cookies and that their IP address is recorded in the web logs for statistical purposes, similar to the notices on the websites of many European newspapers (e.g. Le Monde, the Guardian). Admins at each institution will be able to customize the text of the notification.
- On any screen where patrons are asked to enter personal information (e.g. name, email, phone number) in order to use a Springshare tool (e.g. LibChat, LibCal, LibAnswers), an on-screen notification, customizable for each institution, will explain why the user is asked for this data and what happens with it.
- Some of our tools (e.g. LibAnswers and LibCal) already offer "privacy scrub" functionality that lets admins remove any personal data users entered via forms. We will further improve this feature and extend it to all our tools (e.g. LibStaffer), i.e. anywhere we knowingly collect a user's name, email, or phone number for the regular operation of our tools.
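As an added illustration (not Springshare's code, and not a description of how its tools are built), the following example shows the two erasure operations described above: deleting a registered user's personal data while reassigning the content they own to another user, and a "privacy scrub" that removes name, email, and phone number from patron form submissions while keeping the non-personal part of the record. The table and column names, the sample rows, and the cut-off-date parameter are assumptions chosen for the example.

```python
# Added example (not Springshare's code): account deletion with content
# reassignment, and a privacy scrub of form submissions.  The schema, column
# names and sample rows below are constructed for illustration.
import sqlite3


def open_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed schema and sample rows."""
    db = sqlite3.connect(":memory:")
    # Enforce foreign keys so that deleting an owner who still has content fails
    # loudly instead of leaving orphaned rows.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
        CREATE TABLE guides (
            id INTEGER PRIMARY KEY,
            owner_id INTEGER NOT NULL REFERENCES users(id),
            title TEXT NOT NULL);
        CREATE TABLE submissions (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
            question TEXT NOT NULL, created TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "Alice Example", "alice@example.edu", "+1 555 0100"),
        (2, "Bob Example", "bob@example.edu", None),
    ])
    db.executemany("INSERT INTO guides VALUES (?, ?, ?)", [
        (10, 1, "Citing Sources"), (11, 1, "Research Basics"), (12, 2, "Open Access"),
    ])
    db.executemany(
        "INSERT INTO submissions (name, email, phone, question, created) VALUES (?, ?, ?, ?, ?)",
        [
            ("Pat Patron", "pat@example.org", "555-0199", "Where is the microfilm reader?", "2018-04-01"),
            ("Sam Visitor", "sam@example.org", None, "Do you have weekend hours?", "2018-04-02"),
        ],
    )
    return db


def delete_user_account(db: sqlite3.Connection, user_id: int, reassign_to: int) -> int:
    """Erase a registered user's personal data by deleting the account row,
    after reassigning the content they own to another account.  Both steps run
    in one transaction, so a failure leaves the database unchanged.
    Returns the number of guides reassigned."""
    if user_id == reassign_to:
        raise ValueError("cannot reassign content to the account being deleted")
    with db:  # commit on success, roll back on any exception
        if db.execute("SELECT 1 FROM users WHERE id = ?", (reassign_to,)).fetchone() is None:
            raise ValueError("reassignment target does not exist")
        moved = db.execute(
            "UPDATE guides SET owner_id = ? WHERE owner_id = ?", (reassign_to, user_id)
        ).rowcount
        # With foreign keys on, this raises IntegrityError if any content were left behind.
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return moved


def privacy_scrub(db: sqlite3.Connection, before: str) -> int:
    """Null out name, email and phone on submissions created before the given
    ISO date (an assumed retention cut-off), keeping question text and timestamp
    for statistics.  Idempotent: rows already scrubbed are not counted again."""
    with db:
        return db.execute(
            """UPDATE submissions SET name = NULL, email = NULL, phone = NULL
               WHERE created < ?
                 AND (name IS NOT NULL OR email IS NOT NULL OR phone IS NOT NULL)""",
            (before,),
        ).rowcount


def submissions_with_pii(db: sqlite3.Connection) -> int:
    """Count submissions that still carry any personal data field (audit check)."""
    return db.execute(
        "SELECT COUNT(*) FROM submissions "
        "WHERE name IS NOT NULL OR email IS NOT NULL OR phone IS NOT NULL"
    ).fetchone()[0]


def guide_owner(db: sqlite3.Connection, guide_id: int) -> int:
    """Return the current owner of a guide."""
    return db.execute("SELECT owner_id FROM guides WHERE id = ?", (guide_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("guides reassigned:", delete_user_account(db, 1, reassign_to=2))
    print("submissions scrubbed:", privacy_scrub(db, "2018-04-02"))
    print("submissions still holding personal data:", submissions_with_pii(db))
```

The point of the transaction in delete_user_account is that the two steps the page describes (remove the person's data, keep their content under a new owner) must succeed or fail together; the audit helper submissions_with_pii is the kind of check an admin would run after a scrub to confirm nothing was missed.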
Emails from Springshare to Our Users
Springshare staff do not email patrons (i.e. your institution's users), with two exceptions: a) automatically generated emails sent from inside the apps during normal operation (e.g. the confirmation email received after booking a room or asking a reference question), and b) replies to email support requests we receive from patrons. No changes are needed in this regard for GDPR compliance.
Librarians who have accounts in Springshare apps receive several types of emails from Springshare:
- Operational emails sent to clients during operational urgencies. These were sometimes sent to all users; we are changing our policy and will send them only to administrators, i.e. admin-level users. In GDPR terms these are "operational" emails.
- Email newsletters and notifications about new functionality and training webinars. Until now we have sent these to all registered account holders by default, because newsletters and training webinar emails were our primary way to reach the user community and keep it informed about changes and enhancements in our tools. By the end of May, we will send these emails only to registered users who have specifically opted in. You (the registered user) will be able to opt in or out at any time; everyone starts opted out by default.
Springshare Data Privacy Office & Contact for GDPR-related Actions
We will have a dedicated email inbox and dedicated staff who will:
- Receive and review all requests for removing specific data from Springshare's tools.
- Upon review, act on these requests and ensure that the data in question is removed in a timely manner.
Additional Steps and Actions Springshare is Undertaking
In addition to the actions described above, we are undertaking a company-wide effort to be as well prepared as possible for GDPR. Some of our current activities include:
- Educating our staff about GDPR and its requirements.
- Ensuring existing procedures cover all the rights individuals have under GDPR, including deleting personal data.
- Identifying our lawful basis for processing personal data, documenting it, and updating our privacy notice to explain it to individuals.
- Reviewing and updating contracts with third parties to ensure our privacy obligations are up-to-date.
- Ensuring the right procedures are in place to detect, report, and investigate a personal data breach.