LIBS preparation for GDPR

The new EU General Data Protection Regulation is upon us! Technically this new regulation is already in effect, however businesses around Europe who deal with the personal data of EU citizens. It affects anyone who offers goods and services, even free ones, such as the service offered by LIBS.

Recent research has suggested that many firms are wholly unprepared for the impact of GDPR (YouGov survey) which will be enforced from the 25th of May 2018. GDPR grants people new, enhanced rights and control over their data and puts new obligations on organisations that control or process that data. In particular, firms seem to be unaware of the substantial new fines that can be levied on non-compliant businesses and the rights that GDPR grants to data subjects, and how companies must comply with those rights. As we get closer to the 25th of May deadline, keep an eye out for a major ramp-up in media coverage and other news about GDPR as organisations rush to become compliant. Watch this space!

We, at LIBS, are very aware of the impact of GDPR on our society and our members, without whom we wouldn’t exist. That is why we wanted to take a moment to outline what we are doing to a) protect your data and b) ensure continuity of service and communications.

Protecting your data:

LIBS has grown tremendously since it was formed in 2009. We now have nearly 5,000 members signed up to our mailing list as well as several thousand followers on our social media channels (Facebook, Twitter and LinkedIn).

We store data relating to members in three places. We have a signup form on our website (li-bs.co.uk) which captures data from new members, and we store this in a SQL database in Ireland provided by a company called Blacknight. Blacknight has an excellent reputation for providing hosting services, is 100% Irish owned and, critically, is ISO 27001 certified.

In order to provide better security to members during signup, LIBS will be purchasing an SSL certificate and adding this to li-bs.co.uk. Most members will not see any real difference, except that they may see a “Secure” or padlock icon in their browser and the URL will use https rather than http. Under the hood, however, the connection between their browser and our website will be encrypted using either SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Until now we haven’t implemented these technologies as we were not asking for any sensitive data such as credit card data, but we will now move forward to give members the greatest confidence that their data is secure.

We also use a service called Mailchimp to issue our email communications to members. Mailchimp offers an easy-to-use service to create bulk emails to members advising of LIBS news (the email this newsletter is issued in is an example of a Mailchimp email), upcoming events, etc. When members sign up on li-bs.co.uk we import this data into Mailchimp to process, making Mailchimp a data processor of LIBS.

The final service we use is Eventbrite, which we use for event signups. This service captures data directly on our behalf and we do not transfer the data back to li-bs.co.uk.

To ensure we are happy with the security offered by Mailchimp and Eventbrite we review their security and privacy policies annually.

Additionally, Mailchimp and Eventbrite are US-based companies, so data may be stored on servers located in the United States. This transfer of data is covered by the EU-US Privacy Shield arrangement. If there are any changes to the Privacy Shield, LIBS will, of course, review our use of these services and ensure any data sent to these companies for processing is returned to us and deleted.

We’ve recently updated our Privacy Policy and further detail can be found here. If you still wish to know more please contact data-protection@li-bs.co.uk

Ensuring continuity of service:

GDPR grants enhanced rights to data subjects, but it also enforces additional requirements and obligations for organisations. One of these requirements is ensuring that organisations have a legal basis for processing data. Many companies will have this already, e.g. your employer requires your bank account data so that they may pay you. However, as LIBS is offered as a free service to members, we require your explicit consent in order to store and process your data.

For this reason we have made changes to our signup form and now require new members to accept LIBS's updated privacy policy and what we may use the data for. This should ensure that new members have been appropriately informed of their rights and what their data is being used for, and that new member signups are compliant with GDPR.

However, many members would have signed up some years ago. This presents a major challenge to LIBS, and one which we must overcome to ensure we can continue to provide LIBS as a service to our members. This is why you may have seen messages on some of our mails this year checking if we have up-to-date and correct contact details for you and asking you to sign back up and accept the new privacy policy, etc. Over the next 6 months LIBS will be actively encouraging members to update their details. You may see multiple mails such as this appear from services you use over the next 6 months or so, and this is nothing to be alarmed about. However, in order to ensure our compliance with the GDPR, we will be deleting our old data on or before May 24th 2018. Of course, we’ll continue to issue mails and push communications via our social media channels, but it would be great to ensure we can continue to contact our members via email, especially when we are opening registration to an event.

If you want to take action now to ensure that you continue to receive emails from LIBS post May 2018, please head over to the Join LIBS page, where you can sign up and ensure we have your up-to-date details.