Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Stockholm

Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of this data must be considered personal data, because it relates to an individual person.
Implementing social business technologies in enterprises often leads to discussions with data protection supervisors about how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud”, which might be the only choice in the near future due to IBM's “Cloud First” or Microsoft's “Cloud only” delivery model.
This session will give you an overview
- of EU data protection regulations
- of its implications for using social business systems
- of special considerations for using cloud-based social business systems

Published in: Software
1. Using Social Business Software and being compliant with EU data protection law
   Olaf Boerner, BCC, 14.11.2014

2. Agenda: Using Social Business Software and being compliant with EU data protection law
   1. Short introduction to EU data protection law
   2. Implications for using social business software
   3. Data protection and cloud-based social systems

3. About me
   • Studied Business Administration and Computer Science
   • Notes Administrator / Developer since 1994
   • CEO and Founder of BCC in 1996
   • Working as project manager and senior architect with large enterprise customers
     – Securing IBM Social Business infrastructures
     – Reducing total cost of ownership of IBM Social Business infrastructures through automating administration
   • IBM Champion in 2014
   • Twitter: @OlafBoerner

4. Short Disclaimer :)
   I am not a lawyer!
   This presentation does not provide any legal advice.

5. Introduction: EU Data Protection Law
   • Data protection within the EU is not optional
     – It's not advice or best practice
     – It's not a silly German idea
     – It's the law!
     – In all EU Member States and non-EU Member States that are part of the European Economic Area

6. Consequences of privacy breaches
   • Consequences depend on the law of the member state
   • Examples
     – Germany: § 43 German Federal Data Protection Act, up to 300,000 EUR
     – UK: ICO, up to £500,000
   • Reputational damage as a result of press reports etc.
   • Many contracts allow customers and/or suppliers to quit contracts

7. Sony fined £250,000 after millions of UK gamers' personal information compromised
   • PlayStation Network platform was hacked in April 2011
   • An ICO investigation found that the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.
   http://ico.org.uk/news/latest_news/2013/ico-news-release-2013

8. ICO fines Bank of Scotland
   • “ICO fines Bank of Scotland for “unforgivable” breach of Data Protection Act in August 2013, following repeated instances of customer details being sent to the wrong recipients.”
   • http://www.computing.co.uk/ctg/news/2287087/ico-fines-bank-of-scotland-for-unforgivable-breach-of-data-protection-act

9. Reputational damage
   http://brianpennington.co.uk/2012/08/16/who-has-breached-the-data-protection-act-in-2012-find-the-complete-list-here/

10. Pharmacist who worked for West Essex Primary Care Trust

11. OK, OK – please explain the law

12. The difference between US & EU
   • Privacy
     – ACT Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of
   • Data Protection
     – Law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data.
   Source: Wikipedia

13. Directive 95/46 EC
   • Member states must transpose the directive
     – Germany: Federal Data Protection Act (Bundesdatenschutzgesetz)
     – UK: ICO, Data Protection Act and Privacy and Electronic Communications Regulations 2003
   • Implementation varies from one member state to another
   • EU plans to unify data protection with a single law – General Data Protection Regulation

14. Legal scope of Directive 95/46 EC
   • Territorial scope:
     – EU Member States and
     – Non-EU Member States that are part of the European Economic Area
       • Iceland,
       • Norway and
       • Liechtenstein
   • Material scope:
     – processing of
     – personal data

15. Processing Personal Data
   • Processing = „any operation ... which is performed on personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, ...“ (art. 2b)
   • So what is personal data?

16. Data is personal
   if it relates to an identified or at least identifiable person (data subject),
   i.e. if additional information can be obtained without unreasonable effort, allowing the identification of the data subject.

17. Examples of personal data
   • Name,
   • Email address,
   • Postal address,
   • bank statements,
   • credit card numbers …
   • Dynamic IP number?

18. Personal or not personal?
   • Data is anonymised if it no longer contains any identifiers
   • Anonymised data is not personal data
   • Therefore no data protection law is applicable
   • Anonymising data is currently the only best practice for converting personal data instead of deleting it
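Slides 17 and 18 give the test a practitioner has to apply before treating a record as non-personal: does it still carry any identifier of the kind listed (name, email, postal address, bank and card details, possibly an IP address)? The following Python is an added illustration of that check, not code from the deck or from BCC. The field-name list, the value patterns (email, IPv4, Luhn-valid card numbers) and the sample record are assumptions constructed for the example; it also treats IP addresses as identifiers, which the deck only raises as a question, erring on the cautious side.

```python
"""Check whether a record still carries direct identifiers, and strip them.

Added illustration for the deck's "personal data" / "anonymised data" slides;
the field names and detection patterns are assumptions, not the talk's own.
"""
import re

# Field names treated as direct identifiers (slide 17's list plus a few
# obvious aliases). Assumption: a real system needs its own field inventory.
IDENTIFIER_FIELDS = {
    "name", "first_name", "last_name", "email", "postal_address", "address",
    "bank_statement", "iban", "credit_card", "ip", "ip_address",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so plain numeric ids are not mistaken for card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(record: dict) -> set:
    """Return the keys of `record` whose name or value marks a direct identifier."""
    found = set()
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            found.add(key)
            continue
        text = str(value).replace(" ", "")
        if EMAIL_RE.match(str(value)) or IPV4_RE.match(text):
            found.add(key)
        elif CARD_RE.match(text) and luhn_ok(text):
            found.add(key)
    return found


def anonymise(record: dict) -> dict:
    """Return a copy of `record` with every detected identifier removed.

    Removing identifiers is what slide 18 calls anonymising; hashing or
    masking a value only pseudonymises it and the data stays personal.
    """
    drop = find_identifiers(record)
    return {k: v for k, v in record.items() if k not in drop}


def is_anonymised(record: dict) -> bool:
    """True when no direct identifier is left in the record (slide 18's test)."""
    return not find_identifiers(record)


# Constructed sample record for the example, not real data.
SAMPLE = {
    "name": "Jane Example",
    "email": "jane@example.org",
    "postal_address": "1 Example Street, 12345 Exampleton",
    "payment": "4111 1111 1111 1111",   # Luhn-valid test number
    "last_login_from": "203.0.113.7",   # documentation-range IPv4
    "job_title": "Senior Architect",
    "skills": ["IBM Connections", "Domino"],
    "employee_no": "1234567890123",     # numeric but not Luhn-valid, so kept
}

if __name__ == "__main__":
    print("identifiers:", sorted(find_identifiers(SAMPLE)))
    cleaned = anonymise(SAMPLE)
    print("anonymised:", cleaned, is_anonymised(cleaned))
```

The detector matches on both field name and value shape, because in an expert directory the identifier often hides in a free-text field (a "contact" note holding an email, a "last seen" column holding an IP). Whatever survives the strip, such as job title and skills, is what the deck's "simple directory of experts" relies on; anything richer than that, per slide 26, needs the data subject's consent rather than anonymisation.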
19. Who is responsible for data protection?
   • The responsible party is called the „Controller“
     – Natural or artificial person,
     – public authority,
     – agency ...
     – which determines the purposes and means of the processing of personal data
   • Must be related to the EU!
     – controller is established or operates within the EU
     – controller uses equipment located inside the EU to process personal data

20. Rules for processing personal data
   Personal data should not be processed except when certain conditions are met:
   • Transparency
   • Proportionality
   • Legitimate purpose

21. Legitimate purpose
   Data may be processed:
   • when the processing is necessary for the performance of or the entering into a contract
   • when the processing is necessary for compliance with a legal obligation
   • when processing is necessary to protect the vital interest of the data subject, or
   • the data subject has given his consent

22. Summary – Data Protection
   • In practice the issue of data protection applies to all businesses which electronically process data,
     – from wage accounting of their own employees,
     – collecting of customer data,
     – storing any of this data in the cloud
   • mainly legitimation based
     – on performance of a (future) contract or
     – on consent given by the data subject

23. Part II. Implications for using social business software
   • Social Business Software
     – Software systems whose primary function is to allow SOCIAL user collaboration and communication
   • Focus on people's business networks
     – Profiles: TINE's key application collecting HR data and CVs
     – Blogs
     – Activities
     – Status and open calendars

24. Social „Intelligence“

25. Social „Intelligence“

26. Best practices for social business
   • Balancing of enterprise vs personal interests is absolutely mandatory
   • Consent of employees might be required
     – German legal practice: simple directories of experts containing name, job description etc. are considered legitimate processing
     – For directories with extended functionalities the consent of each data subject is necessary
     – A consent is valid for the duration of the employment only

27. Best Practice: Recommendation
   • You need a legal permission or consent of the data subject to be on the safe side
     – Employees
     – External users
   • You need a procedure to deal with users leaving the company or the social network
     – They might leave “peacefully” BUT
     – Employee consent will end when leaving the company
     – Ex-employees can withdraw their consent and/or request data deletion

28. When do you share knowledge?
   „In a social enterprise, your value will not be what you know; it will be what you share.“ IBM CEO Ginni Rometty
   You need confidence and trust in data protection to share knowledge.

29. Part III. Social Business in the cloud
   • Social Business Systems are moving cloud first
     – IBM Connections Cloud
     – Office 365
   Microsoft declared it would stop developing on-premise collaboration products after 2015.
   IBM is still providing on-premise but would love to move YOU to the cloud.
   • 1.2 billion $ investment for cloud business

30. Responsibility for data protection in the cloud?
   Data processing in cloud services is subject to European and national data protection law.
   Responsibility for data protection lies with the customer using the cloud services.

31. What are customers' responsibilities?
   • A written contract for carrying out data processing on behalf is mandatory
   • Determination of where the data is technically processed
   • Cloud provider should be obliged to use technical infrastructure within the European Economic Area

32. Processing personal data in the cloud
   • Processing of personal data needs to be legitimated either
     – by a legal permission or
     – by consent of the data subject
   • But
     – Legal permission is limited, as we have seen already
     – Individual consent of every cloud user might be difficult to obtain
   • Solution?

33. Processing personal data on behalf
   A company may choose another organisation to process data on its behalf: the data processor.
   The company remains responsible for ensuring its processing complies with data protection law.
   Where a data processor is used, the data controller must ensure that suitable arrangements are in place in order to comply with data protection law.

34. TRANSPARENCY is the No. 1 issue in the cloud
   Personal data should not be processed except when certain conditions are met:
   • Transparency
   • Proportionality
   • Legitimate purpose

35. So how to deal with cloud providers?
   • Cloud provider must disclose where data processing takes place
   • Cloud provider must implement appropriate technical and organisational measures in order to protect personal data
   • Cloud user has to review such measures
   • Agreement on whether the cloud provider may assign subcontractors
     – Where is the subcontractor located, where is the data?

36. Any questions?
   • Olaf.Boerner@bcc.biz
   • Twitter: @OlafBoerner
   • https://www.facebook.com/oboerner

37. Excursus: Cloud and Data Transfer
   • Directive 95/46 EC prohibits transfer of personal data to non-EU countries that do not meet the EU's adequacy standard for data protection
   • Within the EU – adequate level of data protection
   • Outside of Europe it depends
     – Safe third countries:
       • Switzerland, Canada, Israel, Argentina, New Zealand, Australia, Uruguay
       • USA (Safe Harbor)
       • Andorra, Faeroe Islands, Guernsey, Isle of Man, Jersey

38. Data Transfer to the United States
   • Safe Harbor Framework
     – Recognised by the EU Commission as providing adequate protection
     – Cloud providers in the US can sign up to the Safe Harbor Scheme
     – A list of organisations that have joined Safe Harbor is available at http://www.export.gov/safeharbor/
     – It may be advisable to combine Safe Harbor and EU Standard Contractual Clauses in cases of doubt

39. Cloud and Data Transfer
   • Countries outside the EU with no adequate level of data protection:
     – use the EU Standard Contractual Clauses
       • http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm
     – Sufficient safeguards for data protection such as
       • Binding Corporate Rules (BCR)
       • EU Standard Contractual Clauses (for the transfer of personal data to processors established in third countries)

40. Any questions?
   • Olaf.Boerner@bcc.biz
   • Twitter: @OlafBoerner
   • https://www.facebook.com/oboerner
