The EU General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, is the most important change in data privacy regulation in 20 years. GDPR will apply to all companies processing the personal data of all European Union residents, regardless of the company’s location. Researcher control and privacy are core principles for ORCID, and we have been following the evolution and implementation plan of the regulation closely.
Key changes include:
- strengthening the conditions for consent, such as requiring the use of clear and plain language and making it as easy for individuals to withdraw consent as to give it
- increased penalties for non-compliance
- expanded rights for individuals including access to data held about them and the right to be “forgotten”
- including data protection in system design, rather than as an after-thought
- Individual users can provide institutions with authenticated permission to update their ORCID records
- Individual users have full control of all permissions granted to institutions. The permission can be revoked at any stage.
- Using the ORCID API, an institution can securely update metadata in existing ORCID records
- Individuals can delete all items an institution has updated in their ORCID record and control the visibility of these items.
- The institution does not add entire publications to an individual’s ORCID record, only metadata
- Systems can only update ORCID records if they have been granted permission to do so by the individual record-holder; the Registry cannot import metadata from other system APIs without individual consent
Bolstering this positive feedback on our existing practices and policies, we have categorized the GDPR into five main areas that we will be working on:
- Data storage
- Data subject rights processes
- Security documentation
- Legal and contractual review
We will report in more detail on our work in these areas in future blog posts. Please don’t hesitate to contact us if you have any questions in the meantime.