Earlier this year, the RAC undertook a project to research the General Data Protection Regulation (GDPR), the European Commission’s data protection legislation that took effect in May 2018, and produce a report on its implications for the RAC. In general, there’s a dearth of information and lack of clear legal interpretation related to archival collections data and the GDPR, particularly for U.S. archives, so we’ve made that report available on the RAC’s Documentation Site so that it might be useful for other institutions. In this post, I’ll introduce some concepts from the GDPR and share a few key resources on the topic of how it applies to archives.
What is the GDPR?
The GDPR is currently the most comprehensive and far-reaching privacy legislation in the world. It aims to protect the personal data of people living in the EU even if that data is processed by organizations outside of the EU. Its 11 chapters articulate specific rights aimed at giving people control over their personal data, emphasizing data protection “by design and by default.” It specifies that to collect personal data, there must be a purpose and lawful basis, and that the subject must consent to the data collection. Once personal data is collected, the GDPR lays out how it should be managed: how it will be protected, how long it may be kept (no longer than is required for the specified purpose), and how breaches must be reported. The GDPR is an important articulation of privacy principles and procedures, and in our context at the RAC, it’s been an important influence in thinking through our privacy practices more widely.
The GDPR in archives
When the GDPR came into effect, there was a lot of analysis to figure out how it would affect the ways companies and institutions collect, manage, and store data. We saw those cookie policy pop-ups appear everywhere trying to get our consent. In archives, there has been uncertainty around how this legislation applies to personal data in archival collections, and concern that it could undermine the archival mission. The GDPR does include certain exemptions for managing personal data for “archiving in the public interest” and “historical research” (Article 89(1) and (2), and further clarified in Recital 158), but there are still safeguards in place for data subjects.
The Report on the General Data Protection Regulation for the Rockefeller Archive Center includes a bibliography of useful resources, but I’ll point out a few that were key in building my understanding of the GDPR in relation to archival collections:
- European Archives Group’s Guidance on Data Protection for Archive Services - a fairly comprehensive starting point.
- The UK National Archives GDPR resources.
- Isabel Taylor’s GDPR white paper - takes a deep dive into how the legislation defines (or does not define) exceptions for archives, advocating that because of the law’s vagueness, archives should take an active role in lobbying to shape how it is interpreted and applied in order to safeguard existing archival appraisal methodologies.
As the GDPR settles, new privacy legislation is introduced, and courts weigh in on how these laws are to be applied, it’s important for archivists to be informed and part of the conversation, both to protect archival collections and to protect our users’ privacy.