Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm
•
0 j'aime•1,269 vues
Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of these data must be considered as personal data which is related to an individual person. Implementing social business technologies in enterprises often leads to discussion with data protection supervisors how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud” which might the only choice in the near future due IBMs “Cloud First” or Microsoft’s “Cloud only” delivery model. This session will give you an overview - about EU data protection regulations - its implications for using social business systems - special considerations for using cloud based social business systems
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm
Similaire à Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm (20)
Plus de BCC - Solutions for IBM Collaboration Software
Plus de BCC - Solutions for IBM Collaboration Software (20)
Dernier
Dernier (20)
Using Social Business Software and being compliant with EU data protection law - presented by Olaf Boerner at Social Connections VII Sockholm
- 1. Using Social Business So/ware and being compliant with EU data protec9on law Olaf Boerner, BCC 14.11.2014
- 3. Agenda: Using Social Business So/ware and being compliant with EU data protec9on law 1. Short Introduc9on to EU Data Protec9on Law 2. Implica9ons for using social business so/ware 3. Data protec9on and Cloud based social systems
- 4. About me • Studied Business Administra9on and Computer Science • Notes Administrator / Developer since 1994 • CEO and Founder of BCC in 1996 • Working as project manager senior architect with large enterprise customers – Securing IBM Social Business infrastructures – reducing Total cost of Ownership of IBM Social Business Infrastructures thru automa9ng Administra9on • IBM Champion in 2014 • TwiVer: @OlafBoerner
- 5. Short Disclaimer J I am not a lawyer ! This presenta9on does not provide any legal advices
- 6. Introduc9on EU Data Protec9on Law • Data Protec9on within the EU is not op9onal – It’s not an advice or best prac9ce – It’s not a silly german idea – it´s the law ! – In all EU Member States and Non-‐EU Member States that are part of the European Economic Area
- 7. Consequences of privacy breaches • Consequences depend on the law of the member state • Examples – Germany: § 43 German Federal Protec9on Act up to 300.000 EURO – UK: ICO up to £ 500.000 • Reputa9onal damage as a result of press reports etc • Many contracts allow customers and/or supplier to quit contracts
- 8. Sony fined £250,000 a/er millions of UK gamers’ personal informa9on compromised • PlaySta9on Network Plaeorm was hacked in April 2011 • An ICO inves9ga9on found that the aVack could have been prevented if the so/ware had been up-‐to-‐date, while technical developments also meant passwords were not secure. hVp://ico.org.uk/news/latest_news/2013/ico-‐ news-‐release-‐2013
- 9. ICO fines Bank of Scotland • “ICO fines Bank of Scotland for “unforgivable” breach of Data Protec9on Act in August 2013, following repeated instances of customer details being sent to the wrong recipients.” • h"p://www.compu,ng.co.uk/ctg/news/ 2287087/ico-‐fines-‐bank-‐of-‐scotland-‐for-‐ unforgivable-‐breach-‐of-‐data-‐protec,on-‐act
- 10. Reputa9onal damage hVp://brianpennington.co.uk/2012/08/16/who-‐has-‐breached-‐the-‐data-‐protec9on-‐act-‐in-‐2012-‐find-‐the-‐ complete-‐list-‐here/
- 11. Pharmacist who worked for West Essex Primary Care Trust
- 12. OK, OK please explain the law
- 13. The difference between US & EU • Privacy – ACT Code of Fair Informa9on Prac9ce that governs the collec9on, maintenance, use, and dissemina9on of personally iden9fiable informa9on about individuals that is maintained in systems of • Data Protec,on – law on the processing of data on iden9fiable living people. It is the main piece of legisla9on that governs the protec9on of personal data Source: wikepedia
- 14. Direc9ve 95/46 EC • Member states must transpose direc9ve – Germany: Federal Data Protec9on Act (Bundesdatenschutzgesetz) – UK: ICO Data Protec9on Act and Privacy and Electronic Communica9ons Regula9ons 2003 • Implementa9on varies from member state to another • EU plans to unify data protec9on with a single law – General Data Protec9on Regula9on
- 15. Legal Scope of Direc9ve 95/46 EC • Territorial scope: – EU Member States and – Non-‐EU Member States that are part of the European Economic Area • Iceland, • Norway and • Liechtenstein • Material scope: – processing of – personal data
- 16. Processing Personal Data • Processing = „any opera9on ... which is performed on personal data, whether or not by automa9c means, such as collec9on, recording, organiza9on, storage, adap9on or altera9on, retrieval, consulta9on, ...(art 2b) • So what is personal data ?
- 17. Data is personal if they relate to an iden9fied or at least iden9fiable person, (data subject) if addi9onal informa9on can be obtained without unreasonable effort, allowing the iden9fica9on of the data subject
- 18. Examples for personal data • Name, • Email adress, • Postal address, • bank statements, • credit card numbers … • Dynamic IP Number ?
- 19. Personal or not personal ? • Data is anonymised if they no longer contain any iden9fiers • Anonymised data are not personal data • Therefore no data protec9on law applicable • Anonymise Data is currently this only best prac9ce to convert personal data instead of dele9ng these data
- 20. Who is the responsible for Data Protec9on ? • Responsible party is called „Controller“ – Natural or ar9ficial person, – public authority, – agency .. – which determines the purposes and means of the processing of personal data • Must be related to EU ! – controller is established or operates within the EU – controller uses equipment located inside the EU to process personal data
- 21. Rules for processing Personal Data Personal Data should not be processed except certain condi9ons are met: Transparency Propor9onality Legi9mate purpose
- 22. Legi9mate purpose Data may be processed: When the processing is necessary for the performance of or the entering into a contract When the processing is necessary for compliance with a legal obliga9on When processing is necessary to protect the vital interest of the data subject or The data subject has given his consent
- 23. Summary – Data Protec9on • In prac9ce the issue of data protec9on refers to all businesses which electronically process data, – from wage accoun9ng of their own employees, – collec9ng of customer data, – storing one of these data in the cloud • mainly legi9ma9on based – on performance of a (future) contract or – on a given consent by data subject
- 24. Part II. Implica9ons for using social business so/ware • Social Business So/ware – So/ware systems that primarily func9ons to allow SOCIAL user collabora9on and communica9on • Focus to people‘s business networks – Profiles: TINE ‘s Key applica9on colle9ng HR Data and CVs – Blogs – Ac9vi9es – Status and Open Calendar’s
- 27. Best prac9ces for social business • Balancing of enterprise vs personal interests is absolutely mandatory • Consent of employees might be required – German legal prac9ce: simple directory of experts containing name, job descrip9on etc are considered as legi9mated processing – For directories with extended func9onali9es the consent of each data subject is necessary – a consent is valid for the dura,on of the employment only
- 28. Best Prac9ce: Recommenda9on • You need a legal permission or consent of the data subject to be on the safe side – Employee – External users • You need a procedure to deal with users leaving company or social network – They might leave “peacefully” BUT – Employee consent will end when leaving the company – Ex Employee can withdraw their consent and/or request for data dele9on
- 29. When do you share knowledge ? „In a social enterprise, your value will not be what you know; it will be what you share.“ IBM CEO Ginni RomeVy You need confidence and trust in data protec9on to share knowledge
- 30. Part III. Social Business in the cloud • Social Business Systems are moving cloud first – IBM Connec9ons Cloud – Office 365 Microso/ declared to stop developing On Premise Collabora9on Products a/er 2015 IBM is s9ll providing On Premise but would love to move YOU to the cloud • 1.2 Billion $ Investment for Cloud business
- 31. Responsibility for data protec9on in the cloud ? Data processing in cloud services is subject to European and na,onal data protec9on law Responsibility for data protec9on lies with the customer using the cloud services
- 32. What are customers responsibili9es ? WriVen contract for carrying out data processing on behalf is mandatory Determina9on where the data is technically processed Cloud provider should be obliged to use technical infrastructure within the European Economic Area
- 33. Processing personal data in the cloud • Processing of personal data needs to be legi9mated either – by a legal permission or – by consent of the data subject • But – Legal permission is limited as we have seen already – Individual Consent of every cloud user might be difficult to obtain • Solu9on ?
- 34. Processing personal data on behalf A company may choose another organisa9on to process data on its behalf : data processor Company remains responsible for ensuring its processing complies with data protec9on law Where a data processor is used the data controller must ensure that suitable arrangements are in place in order to comply with data protec9on law
- 35. TRANSPARENCY is No1 issue in the cloud Personal Data should not be processed Transparency Propor9onality Legi9mate purpose
- 36. So how to deal with cloud providers ? • Cloud provider must disclose where data processing takes place • Cloud provider must implement appropriate technical and organisa9onal measures in order to protect personal data • Cloud user has to review such measures • Agreement whether cloud provider may assign subcontractors – Where is the subcontractor located, where is the data ?
- 37. Any ques9ons ? • Olaf.Boerner@bcc.biz • TwiVer: @OlafBoerner • hVps://www.facebook.com/oboerner
- 38. Exkurs Cloud and Data Transfer • Direc9ve 95/46 EC prohibits transfer of personal data to Non-‐EU countries that do not meet the EU´s adequacy standard for data protec9on • Within the EU -‐ adequate level of data protec9on • Outside of Europe it depends – Safe third countries: • Switzerland, Canada, Israel, Argen9na, New Zealand, Australia, Uruguay • USA (Safe Harbor) • Andorra, Faeroe Islands, Guernsey, Isle of Man, Jersey
- 39. Data Transfer to the United States • Safe Harbor Framework – Recognised by the EU Commission as providing adequate protec9on – Cloud providers in the US can sign up to the Safe Harbor Scheme – A list of organisa9ons that have joined Safe Harbor is available at hVp://www.export.gov/safeharbor/ – It may be advisable to combine Safe Harbor and EU Standard Contractual Clauses in cases of doubt
- 40. Cloud and Data Transfer data transfers • Countries outside EU with no adequate level of data protec9on: – use the EU Standard Contractual Clauses • hVp://ec.europa.eu/jus9ce/data-‐protec9on/ document/interna9onal-‐transfers/transfer/ index_en.htm – Sufficient safeguards for data protec9on such as • Binding Corporate Rules (BCR) • EU Standard contractual clauses (for the transport of personal data to processors established in third countries)
- 41. Any ques9ons ? • Olaf.Boerner@bcc.biz • TwiVer: @OlafBoerner • hVps://www.facebook.com/oboerner