GDPR Update

Byron Russell, Head of Ingenta Connect, Ingenta

We are making progress on our GDPR status. It’s a complex and time-consuming job – and of course it delays other day-to-day tasks and new development – but it needs to be done. The latest developments are as follows:

  1. We have a matrix of “Data processors” showing who, in the Ingenta Connect teams, has the right to process data, and what rights they have in each case. A flowchart covering the likely intersection of PID and regular tasks is in place. Documentation is an essential part of GDPR backend processes, and this matrix and information will feed into that documentation.
  2. Institutions (and other third parties) are responsible for their own data processing and are outside our control. As there is a crossover with subscription agents, we will need to include a tick box to allow end users to opt in to having their PID processed for personal subscription activation purposes. 
  3. We have set up an audit log on the Test site to maintain a real-time audit of every time PID is accessed. There has been no investigation of data as yet; we are still in testing mode.
  4. We STRONGLY RECOMMEND that publishers working with us set up a generic administration contact (e.g to avoid an additional exchange and update of PID.
  5. We will tag PID information as it comes in, using a unique Customer Reference Number (public key). This is a work in progress and we are refreshing all customer IDs. It will include a delete publisher function, including all PID data connected to that publisher, and a new “delete me” function so all PID connected with individuals can be deleted on request (the “right to be forgotten”).
  6. We have created new registration forms for new institutional and individual users which will be in place shortly. All new library admins and personal users will be prompted to register when attempting to log in; existing users will have the new registration forms pre-populated.
  7. We shall prompt returning users to comply with GDPR by ticking opt-in boxes and “I have read… T&Cs” before being allowed to engage with the service. T&Cs are being revised.
    We shall delete all data older than 7 years unless the client has an Alert or other automated service.
  8. We are building a data breach response plan (a) identifying if and when a breach has occurred & reactive actions to be undertaken. This will be documented, along with a Statement of Compliance (data use and purpose, data storage, data protection & security, right to be forgotten) on IC / IO T&C and library / end user registration pages.
  9. We MAY have to create a one-page addendum for publishers to confirm that, as far as possible, they are GDPR compliant in terms of all outgoing PID data.


