The EU General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, is the most important change in data privacy regulation in 20 years. GDPR will apply to all companies processing the personal data of all European Union residents, regardless of the company’s location. Researcher control and privacy are core principles for ORCID, and we have been following the evolution and implementation plan of the regulation closely.
Key changes include:
- strengthening the conditions for consent, such as requiring the use of clear and plain language and making it as easy for individuals to withdraw consent as to give it
- increased penalties for non-compliance
- expanded rights for individuals including access to data held about them and the right to be “forgotten”
- including data protection in system design, rather than as an after-thought
ORCID’s current privacy policy, which is recertified annually with an external auditor, has already been reviewed by our consortia lead organizations in several European countries. The general consensus is that there shouldn’t be any major compliance issues for ORCID, because:
- Individual users can provide institutions with authenticated permission to update their ORCID records
- Individual users have full control of all permissions granted to institutions. The permission can be revoked at any stage.
- Using the ORCID API, an institution can securely update metadata in existing ORCID records
- Individuals can delete all items an institution has updated in their ORCID record and control the visibility of these items.
- The institution does not add entire publications to an individual’s ORCID record, only metadata
- Systems can only update ORCID records if they have been granted permission to do so by the individual record-holder; the Registry cannot import metadata from other system APIs without individual consent
We are working on an official English translation of the German legal review, which we will share once available. Broadly speaking, it found no substantive data protection shortcomings. In fact, the summary notes that our privacy policy, which ensures researcher control, is a “model character” that allows users to “view and control at all times which data are processed how on the platform and who had access to the data when.”
Bolstering this positive feedback on our existing practices and policies, we have categorized the GDPR into five main areas that we will be working on:
- Data storage
- Consent
- Data subject rights processes
- Security documentation
- Legal and contractual review
We will report in more detail on our work in these areas in future blog posts. Please don’t hesitate to contact us if you have any questions in the meantime.