GDPR and Law Libraries Revisited — Naomi Korn Associates

By Susan Doe

I have a legal background and have spent the past 30 years in the field. In my career, I spent time chairing the British and Irish Association of Law Librarians. This is a group of people that I have a huge affection for and hope to continue to support through my time with Naomi Korn Associates. Data Protection is something that affects the roles of all Law Librarians and this blog is hopefully helpful to this group of professionals as well as others looking for a snapshot of ongoing data protection responsibilities. This is the first in a series of blogs from me on related topics.

Sorry to disappoint you, but GDPR isn’t done. It’s an ongoing process, and above all, good business sense.

Law libraries in any organisation are not the highest users of personal data, which is of course what the GDPR and the Data Protection Act 2018 aim to protect, but you almost certainly keep some, and it is vital that you are aware of all that you have, how it is treated, and that it is recorded. Please find below my 6 top tips for Law Librarians regarding sound management of personal data.

1. At the heart of the GDPR’s transparency and accountability principles is the Record of Processing Activity (RoPA). You need to know what you keep in your organisation, and that your processing of personal data is recorded on it. It needs to be reviewed and updated regularly. The RopA records, amongst other information such as retention, the legal basis of all processing activity that your organisation carries out. The regulatory authority (for the UK, the Information Commissioner’s Office) can demand to see this document at any time.

2. As Law Librarians, you are best placed to understand how the Library operates and are in the best position to determine which of the six types of legal basis is most suitable for the particular processing activity. Without a lawful basis, the organisation does not have the right to process personal data. You need to be comfortable that you can back up your determination of the most appropriate legal basis if required to do so. The choice of legal basis also affects the rights that the data subject has over that data. It is vitally important.

3. I would recommend an audit of your processes that involve personal data – remember that this is any data that identifies an individual. If you did an audit in preparation for the GDPR, now is the time to think about reviewing it. A two-year review cycle is appropriate. The training of your team, ideally targeted at the work they do and the personal data that they work with, should also be revisited, in order to keep their awareness high. I would certainly advise that you involve all of your team in the audit, at whatever level. You may think things are done in a certain way, but they may know otherwise, especially if they are actually directly carrying out the work. You need to be accurate in the recording of your processes on the RoPA. Assumptions can and do cause issues.

4. Did you review your contracts in advance of GDPR coming into force? Particular language needed to be inserted and whilst some leeway may have been given by the authorities in light of the sheer amount of contracts, it is a long time since May 2018 and contracts that are currently in use should have the correct GDPR compliant clauses.

5. It is important to check in with your team as to whether they would recognise a Subject Access Request if one came their way (under GDPR they can be given to anyone) and what to do with it. Equally, whether they know what to do regarding reporting a data breach.

6. Development of any systems, new or existing, should have privacy measures assessed (via a Privacy Impact Assessment) and built in from the beginning – under the principle of Privacy by Design because like all things in data protection, this all boils down to good business practice as well as meeting the requirements of the law.

Naomi Korn Associates provides data protection training and consultancy. We can provide you with a comprehensive data protection audit regarding the activities of your organisation in light of the data protection regulations. If that is of interest please contact Patrick@naomikorn.com