Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of this data must be considered personal data, since it relates to an individual person.
Implementing social business technologies in enterprises often leads to discussions with data protection supervisors about how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud”, which might be the only choice in the near future due to IBM’s “Cloud First” or Microsoft’s “Cloud only” delivery model.
This session will give you an overview of
- EU data protection regulations
- their implications for using social business systems
- special considerations for using cloud-based social business systems
Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Stockholm
1. Using Social Business Software and being compliant with EU data protection law
Olaf Boerner, BCC
14.11.2014
3. Agenda: Using Social Business Software and being compliant with EU data protection law
1. Short Introduction to EU Data Protection Law
2. Implications for using social business software
3. Data protection and Cloud based social systems
4. About me
• Studied Business Administration and Computer Science
• Notes Administrator / Developer since 1994
• CEO and Founder of BCC in 1996
• Working as project manager / senior architect with large enterprise customers
– Securing IBM Social Business infrastructures
– Reducing Total Cost of Ownership of IBM Social Business Infrastructures through automating Administration
• IBM Champion in 2014
• Twitter: @OlafBoerner
5. Short Disclaimer
I am not a lawyer! This presentation does not provide any legal advice.
6. Introduction EU Data Protection Law
• Data Protection within the EU is not optional
– It’s not an advice or best practice
– It’s not a silly German idea
– It’s the law!
– In all EU Member States and Non-EU Member States that are part of the European Economic Area
7. Consequences of privacy breaches
• Consequences depend on the law of the member state
• Examples
– Germany: § 43 German Federal Protection Act, up to 300.000 EURO
– UK: ICO, up to £ 500.000
• Reputational damage as a result of press reports etc.
• Many contracts allow customers and/or suppliers to terminate contracts
8. Sony fined £250,000 after millions of UK gamers’ personal information compromised
• PlayStation Network Platform was hacked in April 2011
• An ICO investigation found that the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.
http://ico.org.uk/news/latest_news/2013/ico-news-release-2013
9. ICO fines Bank of Scotland
• “ICO fines Bank of Scotland for “unforgivable” breach of Data Protection Act in August 2013, following repeated instances of customer details being sent to the wrong recipients.”
• http://www.computing.co.uk/ctg/news/2287087/ico-fines-bank-of-scotland-for-unforgivable-breach-of-data-protection-act
13. The difference between US & EU
• Privacy
– ACT Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of
• Data Protection
– law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data
Source: Wikipedia
14. Directive 95/46 EC
• Member states must transpose the directive
– Germany: Federal Data Protection Act (Bundesdatenschutzgesetz)
– UK: ICO, Data Protection Act and Privacy and Electronic Communications Regulations 2003
• Implementation varies from one member state to another
• EU plans to unify data protection with a single law – General Data Protection Regulation
15. Legal Scope of Directive 95/46 EC
• Territorial scope:
– EU Member States and
– Non-EU Member States that are part of the European Economic Area
• Iceland,
• Norway and
• Liechtenstein
• Material scope:
– processing of
– personal data
16. Processing Personal Data
• Processing = „any operation ... which is performed on personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, ...“ (art 2b)
• So what is personal data?
17. Data are personal if they relate to an identified or at least identifiable person (the data subject); a person is identifiable if additional information allowing the identification of the data subject can be obtained without unreasonable effort
18. Examples for personal data
• Name,
• Email address,
• Postal address,
• bank statements,
• credit card numbers
…
• Dynamic IP Number?
19. Personal or not personal?
• Data are anonymised if they no longer contain any identifiers
• Anonymised data are not personal data
• Therefore no data protection law is applicable
• Anonymising data is currently the only best practice for converting personal data instead of deleting it
20. Who is responsible for Data Protection?
• Responsible party is called „Controller“
– Natural or artificial person,
– public authority,
– agency ..
– which determines the purposes and means of the processing of personal data
• Must be related to EU!
– controller is established or operates within the EU
– controller uses equipment located inside the EU to process personal data
21. Rules for processing Personal Data
Personal Data should not be processed unless certain conditions are met:
Transparency
Proportionality
Legitimate purpose
22. Legitimate purpose
Data may be processed:
• When the processing is necessary for the performance of or the entering into a contract
• When the processing is necessary for compliance with a legal obligation
• When processing is necessary to protect the vital interest of the data subject or
• The data subject has given his consent
23. Summary – Data Protection
• In practice the issue of data protection refers to all businesses which electronically process data,
– from wage accounting of their own employees,
– collecting of customer data,
– storing any of these data in the cloud
• mainly legitimation based
– on performance of a (future) contract or
– on a given consent by the data subject
24. Part II. Implications for using social business software
• Social Business Software
– Software systems that primarily function to allow SOCIAL user collaboration and communication
• Focus on people‘s business networks
– Profiles: TINE‘s key application collecting HR Data and CVs
– Blogs
– Activities
– Status and open calendars
27. Best practices for social business
• Balancing of enterprise vs personal interests is absolutely mandatory
• Consent of employees might be required
– German legal practice: simple directories of experts containing name, job description etc. are considered as legitimated processing
– For directories with extended functionalities the consent of each data subject is necessary
– a consent is valid for the duration of the employment only
28. Best Practice: Recommendation
• You need a legal permission or consent of the data subject to be on the safe side
– Employee
– External users
• You need a procedure to deal with users leaving the company or the social network
– They might leave “peacefully” BUT
– Employee consent will end when leaving the company
– Ex-employees can withdraw their consent and/or request data deletion
29. When do you share knowledge?
„In a social enterprise, your value will not be what you know; it will be what you share.“ IBM CEO Ginni Rometty
You need confidence and trust in data protection to share knowledge
30. Part III. Social Business in the cloud
• Social Business Systems are moving cloud first
– IBM Connections Cloud
– Office 365
Microsoft declared to stop developing On Premise Collaboration Products after 2015
IBM is still providing On Premise but would love to move YOU to the cloud
• 1.2 Billion $ Investment for Cloud business
31. Responsibility for data protection in the cloud?
Data processing in cloud services is subject to European and national data protection law
Responsibility for data protection lies with the customer using the cloud services
32. What are customers’ responsibilities?
Written contract for carrying out data processing on behalf is mandatory
Determination where the data is technically processed
Cloud provider should be obliged to use technical infrastructure within the European Economic Area
33. Processing personal data in the cloud
• Processing of personal data needs to be legitimated either
– by a legal permission or
– by consent of the data subject
• But
– Legal permission is limited as we have seen already
– Individual consent of every cloud user might be difficult to obtain
• Solution?
34. Processing personal data on behalf
A company may choose another organisation to process data on its behalf: data processor
Company remains responsible for ensuring its processing complies with data protection law
Where a data processor is used the data controller must ensure that suitable arrangements are in place in order to comply with data protection law
35. TRANSPARENCY is the No. 1 issue in the cloud
Personal Data should not be processed unless:
Transparency
Proportionality
Legitimate purpose
36. So how to deal with cloud providers?
• Cloud provider must disclose where data processing takes place
• Cloud provider must implement appropriate technical and organisational measures in order to protect personal data
• Cloud user has to review such measures
• Agreement whether cloud provider may assign subcontractors
– Where is the subcontractor located, where is the data?
38. Excursus: Cloud and Data Transfer
• Directive 95/46 EC prohibits transfer of personal data to Non-EU countries that do not meet the EU’s adequacy standard for data protection
• Within the EU - adequate level of data protection
• Outside of Europe it depends
– Safe third countries:
• Switzerland, Canada, Israel, Argentina, New Zealand, Australia, Uruguay
• USA (Safe Harbor)
• Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey
39. Data Transfer to the United States
• Safe Harbor Framework
– Recognised by the EU Commission as providing adequate protection
– Cloud providers in the US can sign up to the Safe Harbor Scheme
– A list of organisations that have joined Safe Harbor is available at http://www.export.gov/safeharbor/
– It may be advisable to combine Safe Harbor and EU Standard Contractual Clauses in cases of doubt
40. Cloud and Data Transfer
• Data transfers to countries outside the EU with no adequate level of data protection:
– use the EU Standard Contractual Clauses
• http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm
– Sufficient safeguards for data protection such as
• Binding Corporate Rules (BCR)
• EU Standard contractual clauses (for the transport of personal data to processors established in third countries)