ALA GDPR Quick Start / FAQ


Note: Although information provided here relates to European Union residents, ALA is taking a proactive stance. In order to be a good steward of our members’/customers’ private information, ALA needs to treat all members/customers as though this information applies to each one individually. 

This FAQ will be continually updated as needed.

1. Background

What is GDPR? 

The General Data Protection Regulation (GDPR) is a 2018 data protection law in the European Union (EU) that was created to protect EU residents from the privacy and data breaches that have become common in our data-driven world. GDPR will not only change the way you communicate with your clients/members, but also how you handle their data.

  • Who needs to be concerned about GDPR regulations? 
    • All of us at ALA! If your group collects contact information (registrations, mailing lists, sign up forms, surveys, etc.) or uses collected contact information (to send out mass emails, mailings, etc.) these rules apply to you. If you work with vendors who process member or prospect information, you need to understand and abide by the new guidelines. 
  • ALA isn’t in the EU and I don’t think many of our members or other customers are – do I need to follow these new rules?
    • Yes, GDPR applies to any residents of EU countries who may be doing business of any kind with ALA. 
    • Good data management principles should be applied across ALA regardless of who our members are, so everyone needs to follow the guidelines below. 
  • What do you mean by residents of EU countries? I thought GDPR just covers EU citizens? 
    • From Article 3 – Territorial Scope 

      This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

      So "in the Union" is what we have to work with. Residency is broader than citizenship and there is no specific regulation limiting the scope to EU citizens. 

      Our attorney’s recommendation is to focus on someone's "primary residence" as they designate it and go from there. If our database records show residence in an EU country or someone registers for conference and tells us that they are in an EU country, that's the test. We recommend asking someone if their primary residence is in the EU.

  • What happens if we do not comply? 
    • If ALA is found not to be in compliance, we will face legal consequences and potential fines of up to 4% of our annual revenue or 20,000,000 Euros, whichever is higher. 

2. All Units of ALA

  • What should I do right away? 

    • Designate a GDPR contact: Each unit/department must designate one employee in your department to be your point person for all things GDPR. Let other team members know who this person is. The designated person will be expected to document requests and be the unit’s contact with ALA IT. This person should contact Brian Willard at bwillard@ala.org to receive necessary news and updates from IT. 
    • Incorporate ALA policy into external communications: The updated ALA Privacy Policy (http://www.ala.org/privacypolicy) is the single policy across all units and locations. Please familiarize yourself with the policy terms and include a link to the current privacy policy in the footer of all mass emails, all web page footers, blog footers, and landing page footers, and refer to it when creating any form to collect data regardless of whether or not you are collecting personally identifiable information. 
    • Identify and document all data collection points [Coming Soon: the collection process is under development], whether they are hosted locally on ALA servers or externally through a third party such as Survey Monkey or another vendor/service. 
    • Use the Personal Data Notification when collecting contact information: Examine your data collection points and ask for necessary information only. Ensure your data collection points state how you will be using any personal data collected. Include the actual text of the Personal Data Notification (PDN) in the body of any form or other data collection point where any personally identifiable information is collected and will be used ONLY INTERNALLY for general business purposes. This includes: 
      • Name
      • Email
      • Phone
      • Address
      • Member ID
      • Social media information 
    • Require a checkbox agreeing to Personal Data Notification: A checkbox agreement requiring a respondent to AGREE to the text of the Personal Data Notification (PDN) should be used when you are collecting any or all of the above and providing them to a third party, such as an event or webinar sponsor, or offering them for sale in another manner. 
    • Require a checkbox for select data points: You must also request explicit consent by requiring checkbox agreement to the Personal Data Notification, amended to include how you will use the data. Checkbox agreement must be secured when collecting personally identifiable information for any of the following special categories: 
      • racial or ethnic origin 
      • political opinions 
      • religious or philosophical beliefs 
      • trade union membership 
      • genetic data 
      • biometric data for the purpose of uniquely identifying a person 
      • data concerning a person’s health 
      • data concerning a person’s sex life or sexual orientation 

3. Events (registration, evaluations, etc.) – See IN-PERSON EVENTS below

What do I need to do?

  • Link to privacy policy/ include PDN language (or link as last resort) on registration and evaluation forms. 
  • Ensure your forms explicitly state what you will be using the information for.
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

4. Processing applications/general forms (scholarships, grants, etc.)

What do I need to do?

  • Link to privacy policy/ include PDN language (or link as last resort) on forms.
  • Ensure your forms explicitly state what you will be using the information for. 
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

5. Email marketing

What do I need to do? 

  • Link to privacy policy from footer (see All Units of ALA above). 
  • Ensure your forms state what you will be using the information for.
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 
  • Purchased lists from outside sources should include guarantees that EU residents’ records are GDPR-compliant before being provided to ALA. 

6. Membership information, appointments database, etc.

What do I need to do? How much info can we share with chairs, others?

  • Link to privacy policy/ include PDN language (or link as last resort) on all forms.
  • Ensure your forms explicitly state what you will be using the information for.
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

7. Surveys

What do I need to do? 

  • Link to privacy policy/ include PDN language (or link as last resort) in each survey. 
  • Ensure your forms state what you will be using the information for.
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

8. Sales transaction data

What do I need to do?

  • Sales transaction data refers here to personal data collected during the purchase of a product, such as books, journal subscriptions, READ posters, etc., from the ALA Online Store or other avenues.
  • Link to privacy policy/ include PDN language (or link as last resort) at each data collection point.
  • Ensure your forms or other data collection points state what you will be using the information for. 
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company or order fulfillment center.
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

9. In-person data collection (trade shows, drawings, etc.)

What do I need to do?

  • If collecting data in person at a trade show or a meeting, specify in writing at the point of data collection how the information you collect will be used and/or disseminated. 

10. Awards

What do I need to do?

  • Link to privacy policy/ include PDN language (or link as last resort) in nomination forms. 
  • Ensure your forms explicitly state what you will be using the information for. 
  • Create a PDN agreement checkbox if collecting personally identifiable information that could or will be provided to a third party, such as an event or webinar sponsor, or offered for sale in another manner. A PDN agreement checkbox does not need to be included if collected information will only be shared with a vendor under direct contract to ALA, such as an event registration company. 
  • Create a separate PDN agreement checkbox for any contact information that is considered a special category, outlined above. 

11. Working with outside/third-party vendors

What do I need to do? 

  • Document any outside vendors that process member or contact data with your GDPR Team Lead. Your vendor will need to sign a Data Processing Agreement (DPA) form available from ALA IT. This can be part of the contract. 
  • If you are negotiating or renewing an agreement, a DPA form signed by your vendor must be provided to the appropriate GDPR contact on your team and kept on file. 
  • Enter information on all contracts with external vendors that include a data collection component in the ALA Website and Data Processing Inventory Form. 

12. Complaints and/or Requests

How do we handle removal requests (request for a contact to be “forgotten”)?

How do we handle a request for data reports from members/customers?

13. Other questions

What are examples of legitimate business interest?

  • The definition in GDPR (Article 6(1)(f)) is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

In simpler terms: ALA members and customers expect us to use their data to administer their membership or to fulfill an order, and these activities fall under the “Legitimate Business Interest” definition above. If ALA plans to sell the data, that could be viewed as outside the scope of “Legitimate Business Interest”. Likewise, selling or sharing personal data in the “special categories” listed in section 2 above is outside of legitimate business interest.

How should we document our group’s GDPR compliance?

  • The GDPR steering committee will create forms for everyone to use. 

Are there further changes coming or should we update all our forms/emails immediately?

  • As with any legislation, there can always be changes in the future. All forms/emails should be updated immediately.