Innovative is dedicated to helping you deliver a library experience that builds better, smarter communities. This means that, in addition to ensuring superior client service and providing next-generation technologies, we are committed to helping protect your patrons’ data and privacy.
We invest heavily in security and compliance, partnering with library security teams to mitigate security risks. As a result of those investments, we achieved ISO 27001:2013 certification in 2016. A key tenet of ISO 27001 is continuous improvement and having a framework to proactively address new requirements. As good timing would have it, this was the same year the European Union (EU) adopted the General Data Protection Regulation (GDPR). Innovative’s Information Security Management Team has the tools, processes, and certifications to immediately begin GDPR planning to understand the impact to libraries, patrons, and our company. Here’s an update as we work towards the May 25, 2018, GDPR deadline.
Getting Ready for GDPR
Innovative engaged TrustArc, a leader in data privacy management, on a GDPR readiness assessment. In partnership with the Innovative Security team, TrustArc interviewed stakeholders across the company to assess how our practices and products adhere to GDPR requirements. The assessment focused on the following:
- Collection & Purpose Limitation
- Privacy Program Management
- Security for Privacy
- Data Breach Readiness & Response
- Individual Rights
The good news: TrustArc’s results showed that Innovative’s ongoing focus and investment in security have paid off, and Innovative is already compliant with a majority of the key GDPR requirements. The readiness assessment further identified that full GDPR compliance requires both the Library and Innovative to comply with specific aspects of GDPR. To reach full compliance, Innovative has allocated additional investment to implement the GDPR roadmap and will work with our Library partners.
Innovative GDPR Roadmap
The GDPR roadmap includes two areas that are most important to your library:
- Your requirements as a data controller. You act as a data controller – an entity which collects and determines the use of personal data. Innovative will support your GDPR compliance requirements through product updates, and your library should review its policies and practices given its own compliance obligations as a data controller. Our applications have always allowed for the prompt search, export, and purging of patron data, but your library is ultimately responsible for controlling patron data. Innovative will support you by providing solutions that enable our Library Partners to mitigate risks associated with growing global privacy laws.
- Our requirements as a data processor. We act as a data processor – an entity which processes personal data on behalf of a data controller – for our hosted clients within Innovative data centers.
Innovative has been working for months on implementing product and procedural changes to support your library’s responsibility as a data controller, and we are finalizing product roadmaps and scheduling the related development. We expect to implement enhancements to the ways our products enable you and your patrons to more easily access, store, and retrieve personal data. Some requirements may be met through procedural changes, others through development. Innovative is committed to supporting your GDPR compliance and will be prioritizing this work to mitigate any associated risks. Note that you should understand your institution’s relationship with the GDPR, as you may have additional responsibilities as a data controller and data processor that aren’t addressed through Innovative’s technology and are the sole responsibility of the library as a data controller.
Innovative will share more details regularly as they become available. Look for specifics in product release notes as well as notifications and privacy updates on our website, blog, and in the Supportal.