EU General Data Protection Regulation (GDPR)

From 25 May 2018, the new European General Data Protection Regulation (GDPR) law will apply. This law enforces that personal data of EU citizens can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law. This also applies to non-EU based organisations. An overview of this new law can be found here https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

The definition of "personal data" is very broad: name, e-mail, location, ip, tweets, pictures, identifiers…

We need to assess how this impacts DSpace and implement improvements to make DSpace compliant with the GDPR. Otherwise organisations using DSpace will risk high EU fines.

Based on my initial reading, these aspects of DSpace are impacted:

• The information we capture for usage events in the DSpace log files and SOLR statistics core (see https://piwik.pro/blog/how-will-gdpr-affect-your-web-analytics-tracking/)
• The ability to delete an eperson account even if that eperson is the submitter of certain items.
• How DSpace stores or logs identifiers (ORCIDs, email, authority control records, ip addresses... )
• How DSpace does its session management by returning a session ID cookie. In the future this can only be done on explicit consent (see Piwik blog post).
• Support the right to erase private items linked to a specific eperson (We do not need to support erasure of public items because of the exception "archiving purposes in the public interest, scientific research, historical research or statistical purposes").