The EU General Data Protection Regulation (GDPR) takes effect on Friday, May 25. Given our core principles of individual control and transparency, we were largely in alignment with the regulation. This was reaffirmed in an expert legal review of our data privacy practices.
Most of our compliance efforts have therefore focused on fine-tuning our internal processes. We have made the following changes for users:
- GDPR-related Knowledge Base articles
  - We have created a new Knowledge Base article (ORCID, GDPR, and your rights as a user), explaining your rights under the GDPR and how you can adjust your account settings in the Registry
  - We have updated our existing documentation to reflect our security practices
- Privacy policy
  - We have updated our privacy policy to make it clearer and more concise, including links to the GDPR Knowledge Base articles
- Registry changes
  - We have added a new feature, Download all my data, to address the GDPR requirement for data portability. You can access this feature in your Account settings
In addition to this blog post, we are contacting all our users directly, through an ORCID Inbox notification and an email service announcement, to provide a brief overview of GDPR-related changes.
What’s next?
We will continue monitoring interpretations and legal cases related to the GDPR, and will adjust our processes and policies as needed to ensure we are compliant with the regulation. We will investigate additional options to demonstrate evidence of GDPR compliance, such as seals or certifications, similar to our current independent audit, which verifies our compliance under the EU-US Privacy Shield Framework.
ORCID operates on a global scale, and we will continue to investigate international privacy regulations, evaluate current regulatory and privacy needs, and assess them against our practices. We’ll report on our findings in future blog posts.
If you have any questions or concerns relating to ORCID and the GDPR, please don’t hesitate to contact us.