One commentator recently noted that the fastest growing market at the moment is for personal information.1 Everybody wants to know everything and our reliance on being technologically connected means we are increasingly comfortable with making our private lives visible. And until now, the regulatory framework has struggled to protect the individual against a wholesale requirement of providing a discoverable trail of personal data.
Regardless of specialism, the library and information professional’s approach is consistently data-centric. Not only does this mark us out as innovators, as business models evolve,2 but it means we are the best people to be catapulted into the centre of our organisation’s GDPR preparations. We should take advantage of this opportunity to showcase our skills and raise our service’s profile.
Our competencies became more apparent as I read through the General Data Protection Regulations, EU and ICO guidelines, and aligned them with CILIP ethical principles.3 Library and information professionals have long been a conduit between users and information so we are already comfortable with the legislation’s purpose of protecting the privacy of the individual. However, we need to convince organisations that we can put those legal and ethical responsibilities into practice.
We are instrumental in disseminating information around our organisations - and beyond. This is reflected in ethical principle 3, which states our ‘commitment to the defence, and the advancement, of access to information[…]’. Decision makers and key people must be aware of all GDPR issues and data protection compliance. Offering data protection updates as training sessions or regular regulatory current awareness alerts might make all the difference.
In principle 4, we are committed to the provision of the best possible service within our available resource capabilities. We all have expertise in conducting information audits in a library capacity. Take this opportunity to repurpose your knowhow to review data flow across the organisation. Participate in documenting what personal data is held, where it came from and with whom it is shared. By streamlining internal and external communications and interaction, and pooling internal resources, it could have unexpected cost benefits to the organisation.
Although not every organisation will require it, it may be good practice to have a centralised team to take responsibility for GDPR matters. As principle 7 states, there must be ‘avoidance of inappropriate bias, in acquiring and evaluating information and in mediating it to other information users’. The legislation stresses the need for impartiality and no conflict of interest, which disqualifies those in HR, or IT functions.4 This places us neatly into the role of Data Protection officer and/or their team.
I began by saying that personal data has never been more important. In this respect the new regulations should be treated as a way of re-establishing trust between big data and small people; businesses and their customers. To this I would add information departments and their potential users. With our existing ethical principles and experience in facilitating efficient, safe, and respectful data flow, we can confidently place the library profession in the data protection centre of our organisations.
- Irene Ng, ‘Personal Data as an Asset: Design and Incentive Alignments in a Personal Data Economy’, 19 February 2018 https://ials.sas.ac.uk/digital/videos/personal-data-asset-design-and-incentive-alignments-personal-data-economy
- Anastasia Olshanskaya ‘Why the GDPR is good for business’, 15 December 2016 https://iapp.org/news/a/why-the-gdpr-is-good-for-businesses/
- CILIP’s Ethical Framework https://archive.cilip.org.uk/research/topics/ethics-review/existing-ethical-framework
- Data Protection Officer https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en