Springshare's GDPR Compliance Plan
Springshare is fully compliant with GDPR as of May 25, 2018
Things we've worked on to ensure GDPR compliance
Since 2017 we have been operating a dedicated EU data center which hosts applications and content for our European client institutions. We have 3 worldwide data center clusters (US, EU, and Canada, with more clusters/regions to come) and they are all independent of one another, i.e., the data does not flow back and forth between them. This ensures Springshare's compliance with the GDPR safeguards for cross-border data transfer: the personal data of our EU clients is not transferred "cross-border" outside of the EU.
Here are the specific steps and initiatives we've undertaken, which were completed by the May 25, 2018 deadline. These steps ensured Springshare's and your compliance with GDPR.
Collecting and Storing Personal Information for Registered Users
Registered Users/Account Holders are librarians (and some non-librarians) who have an account in any of Springshare's tools - LibGuides, LibAnswers, LibCal, LibStaffer, etc. For these users to use Springshare tools and have an account we need their name, email, and sometimes their phone number too, i.e., they need to share some personal information with us.
- When a user's account inside Springshare tools gets deleted, all personal information will be deleted as well. Note that the content the user created will not be removed by default (the local admin decides on this); instead it will be reassigned to other user(s) because, in most cases, the library/institution wants to preserve this content and assign it to another librarian for maintenance and upkeep. All content entered into Springshare tools is owned by the libraries/institutions themselves. Springshare does not own the data and the content on our platform, our clients do.
- If an institution cancels the license/subscription to a given Springshare tool, all user accounts will be deleted and all content the institution created will be deleted as well.
Collecting and Storing Personal Information for Patrons/Visitors
When libraries/institutions license and use Springshare tools, they do it so their users (patrons) can access and use them. There are many millions of patrons who use Springshare tools but do not need to register or have an account in these tools. GDPR has implications for these users, too. IP addresses are considered personally identifiable information under GDPR, and the IP addresses of website visitors are recorded in our logs. Also, every Springshare app uses browser cookies for its regular operation.
- There is an optional "IP/cookie notification" feature (admins can enable/disable it in administrative settings). When enabled, any new visitor to the public pages of Springshare tools gets a visual alert that cookies are used on the site and that their IP will be recorded in the weblogs for statistical purposes. This is similar to the notification seen on the websites of many European newspapers (e.g. Le Monde, Guardian, etc.). The text of the notification is customizable by admins at each institution.
- On any screen where patrons are expected to enter their personal information (e.g. name, email, phone number, etc.) in order to use the Springshare tool (e.g. LibChat, LibCal, LibAnswers) there is an optional on-screen notification (customizable for each institution) explaining why the user is asked for this data and what happens with the data.
- Some of our tools (e.g. LibAnswers and LibCal) already offer "privacy scrub" functionality where the admins can remove any personal data that users entered via forms. We have further improved this feature and extended it to all our tools (e.g. LibStaffer), i.e., anywhere we knowingly collect users' info (name, email, phone #) for the purpose of regular operation of our tools.
Emails from Springshare to Our Users
Springshare staff does not email patrons (i.e. your institutions' users) for any reason. The only exceptions are two scenarios: a) automatically generated emails from inside apps during the normal course of operation of the app (e.g. booking a room reservation or asking a reference question and receiving an email confirmation), or b) when we receive email support requests from patrons and we respond to them. No changes were needed in this regard for GDPR compliance.
Librarians who have accounts in Springshare apps receive several types of emails from Springshare:
- Operational emails we send to clients during operational urgencies. These emails are only sent to administrators, i.e., admin-level users. These fall under the "operational" emails in GDPR-speak.
- Email newsletters and notifications about new functionality and training webinars. You will only receive these email newsletters and new functionality/training webinar notifications if you specifically opt in to receive these emails. You (the registered user) can opt in or opt out at any time. Per GDPR rules, everyone is opted out by default until you explicitly opt in.
Springshare Data Privacy Office & Contact for GDPR-Related Actions
We have a dedicated email inbox and dedicated staff who:
- Receive and review all requests for removing specific data from Springshare's tools.
- Upon review, act on these requests and ensure that data in question is removed in a timely manner.
Additional Steps and Actions Springshare is Undertaking
In addition to the actions described above, we have also undertaken a company-wide effort regarding Springshare's GDPR compliance. Some of our activities included:
- Educating our staff about GDPR and its requirements.
- Ensuring existing procedures cover all the rights individuals have under GDPR, including deleting personal data.
- Identifying our lawful basis for processing personal data, documenting it, and updating our privacy notice to explain it to individuals.
- Reviewing and updating contracts with third parties to ensure our privacy obligations are up-to-date.
- Ensuring the right procedures are in place to detect, report, and investigate a personal data breach.