Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Using  Social  Business  So/ware   and  being  compliant  with  EU   data  protec9on  law   Olaf ...
Agenda:     Using  Social  Business  So/ware  and  being   compliant  with  EU  data  protec9on ...
About me •  Studied  Business  Administra9on  and     Computer  Science   •  Notes  Administrator  /  ...
Short  Disclaimer  J     I  am  not  a  lawyer  !     This  presenta9on  does  not  provide...
Introduc9on  EU  Data  Protec9on  Law     •  Data  Protec9on  within  the  EU  is  not  op9onal ...
Consequences  of  privacy  breaches     •  Consequences  depend  on  the  law  of  the  member  ...
Sony  fined  £250,000  a/er  millions  of   UK  gamers’  personal  informa9on   compromised     • ...
ICO  fines  Bank  of  Scotland     •  “ICO  fines  Bank  of  Scotland  for  “unforgivable”   breac...
Reputa9onal  damage     hVp://brianpennington.co.uk/2012/08/16/who-­‐has-­‐breached-­‐the-­‐data-­‐protec9on-­‐act-­...
Pharmacist  who  worked  for  West   Essex  Primary  Care  Trust  
OK,  OK     please  explain  the  law          
The  difference  between  US  &  EU     •  Privacy   –  ACT  Code  of  Fair  Informa9on  Prac9ce ...
Direc9ve  95/46  EC   •  Member  states  must  transpose  direc9ve   –  Germany:  Federal  Data  Pro...
Legal  Scope  of  Direc9ve  95/46  EC     •  Territorial  scope:     –  EU  Member  States  and ...
Processing  Personal  Data     •  Processing  =  „any  opera9on  ...  which  is   performed  on ...
Data  is  personal     if  they  relate  to  an   iden9fied  or  at  least   iden9fiable  person...
Examples  for  personal  data   •  Name,       •  Email  adress,     •  Postal  address,     •  ...
Personal  or  not  personal  ?   •  Data  is  anonymised  if  they  no  longer  contain   any ...
Who  is  the  responsible  for  Data   Protec9on  ?   •  Responsible  party  is  called  „Controll...
Rules  for  processing  Personal  Data     Personal  Data   should  not  be   processed     exce...
Legi9mate  purpose   Data  may   be   processed:   When  the  processing  is  necessary  for  the ...
Summary  –  Data  Protec9on     •  In  prac9ce  the  issue  of  data  protec9on  refers   to  ...
Part  II.  Implica9ons  for  using  social   business  so/ware     •  Social  Business  So/ware   ...
Social  „Intelligence“      
Social  „Intelligence“        
Best  prac9ces  for  social  business   •  Balancing  of  enterprise  vs  personal  interests  is ...
Best  Prac9ce:  Recommenda9on     •  You  need  a  legal  permission  or  consent  of  the   dat...
When  do  you  share  knowledge  ?   „In  a  social   enterprise,  your   value  will  not  be...
Part  III.  Social  Business  in  the  cloud       •  Social  Business  Systems  are  moving  ...
Responsibility  for  data  protec9on     in  the  cloud  ?   Data  processing  in   cloud  servi...
What  are  customers  responsibili9es  ?     WriVen  contract  for   carrying  out  data   proces...
Processing  personal  data  in  the  cloud   •  Processing  of  personal  data  needs  to  be   ...
Processing  personal  data  on  behalf     A  company  may  choose  another  organisa9on  to  pr...
TRANSPARENCY  is  No1  issue  in   the  cloud         Personal  Data   should  not  be   pr...
So  how  to  deal  with  cloud  providers  ?   •  Cloud  provider  must  disclose  where  data ...
Any  ques9ons  ?   •  Olaf.Boerner@bcc.biz   •  TwiVer:  @OlafBoerner       •  hVps://www.facebook.com/ob...
Exkurs  Cloud  and  Data  Transfer     •  Direc9ve  95/46  EC  prohibits  transfer  of  personal ...
Data  Transfer  to  the  United  States     •  Safe  Harbor  Framework   – Recognised  by  the  ...
Cloud  and  Data  Transfer  data  transfers     •  Countries  outside  EU  with  no  adequate  l...
Any  ques9ons  ?   •  Olaf.Boerner@bcc.biz   •  TwiVer:  @OlafBoerner       •  hVps://www.facebook.com/ob...
Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Conne...
Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Conne...
Próxima SlideShare
Cargando en…5
×

Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm

1.101 visualizaciones

Publicado el

Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of these data must be considered as personal data which is related to an individual person.
Implementing social business technologies in enterprises often leads to discussion with data protection supervisors how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud” which might the only choice in the near future due IBMs “Cloud First” or Microsoft’s “Cloud only” delivery model.
This session will give you an overview
- about EU data protection regulations
- its implications for using social business systems
- special considerations for using cloud based social business systems

Publicado en: Software
no profile picture user

  • Inicia sesión para ver los comentarios

  • Sé el primero en recomendar esto

Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm

  1. 1. Using  Social  Business  So/ware   and  being  compliant  with  EU   data  protec9on  law   Olaf  Boerner,  BCC     14.11.2014    
  2. 2. Agenda:     Using  Social  Business  So/ware  and  being   compliant  with  EU  data  protec9on  law   1.  Short  Introduc9on  to  EU  Data  Protec9on  Law   2.  Implica9ons  for  using  social  business   so/ware   3.  Data  protec9on  and  Cloud  based  social   systems  
  3. 3. About me •  Studied  Business  Administra9on  and     Computer  Science   •  Notes  Administrator  /  Developer  since  1994   •  CEO  and  Founder  of  BCC  in  1996     •  Working  as  project  manager  senior  architect     with  large  enterprise  customers   –  Securing  IBM  Social  Business  infrastructures     –  reducing  Total  cost  of  Ownership  of  IBM  Social  Business   Infrastructures  thru  automa9ng  Administra9on     •  IBM  Champion  in  2014     •  TwiVer:  @OlafBoerner  
  4. 4. Short  Disclaimer  J     I  am  not  a  lawyer  !     This  presenta9on  does  not  provide   any  legal  advices  
  5. 5. Introduc9on  EU  Data  Protec9on  Law     •  Data  Protec9on  within  the  EU  is  not  op9onal   – It’s  not  an  advice    or  best  prac9ce     – It’s  not  a  silly  german  idea     – it´s  the  law  !   – In  all  EU  Member  States  and  Non-­‐EU  Member   States  that  are  part  of  the  European  Economic   Area    
  6. 6. Consequences  of  privacy  breaches     •  Consequences  depend  on  the  law  of  the  member   state   •  Examples   –  Germany:  §  43  German  Federal  Protec9on  Act  up  to   300.000  EURO   –  UK:  ICO  up  to  £  500.000     •  Reputa9onal  damage  as  a  result  of  press  reports   etc   •  Many  contracts  allow  customers  and/or  supplier   to  quit  contracts    
  7. 7. Sony  fined  £250,000  a/er  millions  of   UK  gamers’  personal  informa9on   compromised     •  PlaySta9on  Network  Plaeorm  was  hacked  in  April   2011     •  An  ICO  inves9ga9on  found  that  the  aVack  could   have  been  prevented  if  the  so/ware  had  been   up-­‐to-­‐date,  while  technical  developments  also   meant  passwords  were  not  secure.     hVp://ico.org.uk/news/latest_news/2013/ico-­‐ news-­‐release-­‐2013      
  8. 8. ICO  fines  Bank  of  Scotland     •  “ICO  fines  Bank  of  Scotland  for  “unforgivable”   breach  of  Data  Protec9on  Act  in  August  2013,   following  repeated  instances  of  customer   details  being  sent  to  the  wrong  recipients.”   •  h"p://www.compu,ng.co.uk/ctg/news/ 2287087/ico-­‐fines-­‐bank-­‐of-­‐scotland-­‐for-­‐ unforgivable-­‐breach-­‐of-­‐data-­‐protec,on-­‐act    
  9. 9. Reputa9onal  damage     hVp://brianpennington.co.uk/2012/08/16/who-­‐has-­‐breached-­‐the-­‐data-­‐protec9on-­‐act-­‐in-­‐2012-­‐find-­‐the-­‐ complete-­‐list-­‐here/  
  10. 10. Pharmacist  who  worked  for  West   Essex  Primary  Care  Trust  
  11. 11. OK,  OK     please  explain  the  law          
  12. 12. The  difference  between  US  &  EU     •  Privacy   –  ACT  Code  of  Fair  Informa9on  Prac9ce  that  governs   the  collec9on,  maintenance,  use,  and  dissemina9on   of  personally  iden9fiable  informa9on  about   individuals  that  is  maintained  in  systems  of     •  Data  Protec,on   –  law  on  the  processing  of  data  on  iden9fiable  living   people.  It  is  the  main  piece  of  legisla9on  that  governs   the  protec9on  of  personal  data   Source:  wikepedia    
  13. 13. Direc9ve  95/46  EC   •  Member  states  must  transpose  direc9ve   –  Germany:  Federal  Data  Protec9on  Act   (Bundesdatenschutzgesetz)   –  UK:  ICO  Data  Protec9on  Act  and  Privacy  and   Electronic  Communica9ons  Regula9ons  2003   •  Implementa9on  varies  from  member  state  to   another     •  EU  plans  to  unify  data  protec9on  with  a  single   law  –  General  Data  Protec9on  Regula9on  
  14. 14. Legal  Scope  of  Direc9ve  95/46  EC     •  Territorial  scope:     –  EU  Member  States  and     –  Non-­‐EU  Member  States  that  are  part  of  the  European   Economic  Area     •  Iceland,     •  Norway  and     •  Liechtenstein   •  Material  scope:     –  processing  of     –  personal  data  
  15. 15. Processing  Personal  Data     •  Processing  =  „any  opera9on  ...  which  is   performed  on  personal  data,  whether  or  not   by  automa9c  means,  such  as  collec9on,   recording,  organiza9on,  storage,  adap9on  or   altera9on,  retrieval,  consulta9on,  ...(art  2b)   •  So  what  is  personal  data  ?    
  16. 16. Data  is  personal     if  they  relate  to  an   iden9fied  or  at  least   iden9fiable  person,  (data   subject)   if  addi9onal  informa9on   can  be  obtained  without   unreasonable  effort,   allowing  the  iden9fica9on   of  the  data  subject  
  17. 17. Examples  for  personal  data   •  Name,       •  Email  adress,     •  Postal  address,     •  bank  statements,     •  credit  card  numbers  …   •  Dynamic  IP  Number  ?    
  18. 18. Personal  or  not  personal  ?   •  Data  is  anonymised  if  they  no  longer  contain   any  iden9fiers   •  Anonymised  data  are  not  personal  data     •  Therefore  no  data  protec9on  law  applicable   •  Anonymise  Data  is  currently  this  only  best   prac9ce  to  convert  personal  data  instead  of   dele9ng  these  data  
  19. 19. Who  is  the  responsible  for  Data   Protec9on  ?   •  Responsible  party  is  called  „Controller“     –  Natural  or  ar9ficial  person,     –  public  authority,     –  agency  ..     –  which  determines  the  purposes  and  means  of  the   processing  of  personal  data   •  Must  be  related  to  EU  !     –  controller  is  established  or  operates  within  the  EU   –  controller  uses  equipment  located  inside  the  EU  to   process  personal  data  
  20. 20. Rules  for  processing  Personal  Data     Personal  Data   should  not  be   processed     except  certain   condi9ons  are   met:   Transparency   Propor9onality   Legi9mate   purpose    
  21. 21. Legi9mate  purpose   Data  may   be   processed:   When  the  processing  is  necessary  for  the   performance  of  or  the  entering  into  a  contract   When  the  processing  is  necessary  for   compliance  with  a  legal  obliga9on   When  processing  is  necessary  to  protect  the   vital  interest  of  the  data  subject  or     The  data  subject  has  given  his  consent  
  22. 22. Summary  –  Data  Protec9on     •  In  prac9ce  the  issue  of  data  protec9on  refers   to  all  businesses  which  electronically  process   data,   – from  wage  accoun9ng  of  their  own  employees,     – collec9ng  of  customer  data,     – storing  one  of  these  data  in  the  cloud   •  mainly  legi9ma9on  based     – on  performance  of  a  (future)  contract  or     – on  a  given  consent  by  data  subject  
  23. 23. Part  II.  Implica9ons  for  using  social   business  so/ware     •  Social  Business  So/ware   – So/ware  systems  that  primarily  func9ons  to  allow   SOCIAL  user  collabora9on  and  communica9on     •  Focus  to  people‘s  business    networks   – Profiles:  TINE  ‘s  Key  applica9on  colle9ng  HR  Data   and  CVs     – Blogs     – Ac9vi9es     – Status  and  Open  Calendar’s    
  24. 24. Social  „Intelligence“      
  25. 25. Social  „Intelligence“        
  26. 26. Best  prac9ces  for  social  business   •  Balancing  of  enterprise  vs  personal  interests  is   absolutely  mandatory     •  Consent  of  employees  might  be  required     –  German  legal  prac9ce:  simple  directory  of  experts   containing  name,  job  descrip9on  etc  are  considered   as  legi9mated  processing   –  For  directories  with  extended  func9onali9es  the   consent  of  each  data  subject  is  necessary   – a  consent  is  valid  for  the  dura,on  of  the   employment  only  
  27. 27. Best  Prac9ce:  Recommenda9on     •  You  need  a  legal  permission  or  consent  of  the   data  subject  to  be  on  the  safe  side   –  Employee   –  External  users   •  You  need  a  procedure  to  deal  with  users  leaving   company  or  social  network   –  They  might  leave  “peacefully”  BUT     –  Employee  consent  will  end  when  leaving  the  company     –  Ex  Employee  can  withdraw  their  consent  and/or   request  for  data  dele9on    
  28. 28. When  do  you  share  knowledge  ?   „In  a  social   enterprise,  your   value  will  not  be   what  you  know;  it   will  be  what  you   share.“  IBM  CEO   Ginni  RomeVy   You  need   confidence  and   trust  in  data   protec9on  to  share   knowledge    
  29. 29. Part  III.  Social  Business  in  the  cloud       •  Social  Business  Systems  are  moving  cloud  first     – IBM  Connec9ons  Cloud     – Office  365     Microso/  declared  to  stop  developing  On   Premise  Collabora9on  Products  a/er  2015     IBM  is  s9ll  providing  On  Premise  but  would  love   to  move  YOU  to  the  cloud     •  1.2  Billion  $  Investment  for  Cloud  business    
  30. 30. Responsibility  for  data  protec9on     in  the  cloud  ?   Data  processing  in   cloud  services  is   subject  to  European   and  na,onal  data   protec9on  law   Responsibility  for  data   protec9on  lies  with   the  customer  using   the  cloud  services  
  31. 31. What  are  customers  responsibili9es  ?     WriVen  contract  for   carrying  out  data   processing  on  behalf  is   mandatory   Determina9on  where  the   data  is  technically   processed   Cloud  provider  should  be   obliged  to  use  technical   infrastructure  within  the   European  Economic  Area  
  32. 32. Processing  personal  data  in  the  cloud   •  Processing  of  personal  data  needs  to  be   legi9mated  either     –  by  a  legal  permission  or     –  by  consent  of  the  data  subject   •  But     –  Legal  permission  is  limited  as  we  have  seen  already       –  Individual  Consent  of  every  cloud  user  might  be   difficult  to  obtain   •  Solu9on  ?    
  33. 33. Processing  personal  data  on  behalf     A  company  may  choose  another  organisa9on  to  process   data  on  its  behalf  :    data  processor   Company  remains  responsible  for  ensuring  its  processing   complies  with  data  protec9on  law   Where  a  data  processor  is  used  the  data  controller  must   ensure  that  suitable  arrangements  are  in  place  in  order  to   comply  with  data  protec9on  law  
  34. 34. TRANSPARENCY  is  No1  issue  in   the  cloud         Personal  Data   should  not  be   processed     Transparency   Propor9onality   Legi9mate   purpose    
  35. 35. So  how  to  deal  with  cloud  providers  ?   •  Cloud  provider  must  disclose  where  data   processing  takes  place   •  Cloud  provider  must  implement  appropriate   technical  and  organisa9onal  measures  in  order  to   protect  personal  data   •  Cloud  user  has  to  review  such  measures   •  Agreement  whether  cloud  provider  may  assign   subcontractors   –  Where  is  the  subcontractor  located,  where  is  the   data  ?  
  36. 36. Any  ques9ons  ?   •  Olaf.Boerner@bcc.biz   •  TwiVer:  @OlafBoerner       •  hVps://www.facebook.com/oboerner    
  37. 37. Exkurs  Cloud  and  Data  Transfer     •  Direc9ve  95/46  EC  prohibits  transfer  of  personal   data  to  Non-­‐EU  countries  that  do  not  meet  the   EU´s  adequacy  standard  for  data  protec9on   •  Within  the  EU  -­‐  adequate  level  of  data  protec9on   •  Outside  of  Europe  it  depends   –  Safe  third  countries:   •  Switzerland,  Canada,  Israel,  Argen9na,  New  Zealand,   Australia,  Uruguay     •  USA  (Safe  Harbor)     •  Andorra,  Faeroe  Islands,  Guernsey,  Isle  of  Man,  Jersey  
  38. 38. Data  Transfer  to  the  United  States     •  Safe  Harbor  Framework   – Recognised  by  the  EU  Commission  as  providing   adequate  protec9on   – Cloud  providers  in  the  US  can  sign  up  to  the  Safe   Harbor  Scheme   – A  list  of  organisa9ons  that  have  joined  Safe   Harbor  is  available  at   hVp://www.export.gov/safeharbor/   – It  may  be  advisable  to  combine  Safe  Harbor  and   EU  Standard  Contractual  Clauses  in  cases  of  doubt  
  39. 39. Cloud  and  Data  Transfer  data  transfers     •  Countries  outside  EU  with  no  adequate  level   of  data  protec9on:     – use  the  EU  Standard  Contractual  Clauses     •  hVp://ec.europa.eu/jus9ce/data-­‐protec9on/ document/interna9onal-­‐transfers/transfer/ index_en.htm     – Sufficient  safeguards  for  data  protec9on  such  as   •  Binding  Corporate  Rules  (BCR)   •  EU  Standard  contractual  clauses  (for  the  transport  of   personal  data  to  processors  established  in  third   countries)  
  40. 40. Any  ques9ons  ?   •  Olaf.Boerner@bcc.biz   •  TwiVer:  @OlafBoerner       •  hVps://www.facebook.com/oboerner    

×