implementing enterprise 2.0 within the eu

Implemen'ng Enterprise 2.0 Within the European UnionTransparency and Emergence vs. Privacy and Compliance

By Carl Frappaolo, Informa;on Architected, Inc.

and The 2.0 Adop;on Council

Sponsored by

Information Architected, Inc. Ten Post Office Square, 8th Floor Boston, MA 02109 T 617-933-9655 www.InformationArchitected.com

The 2.0 Adoption Council Austin, TX www.20AdoptionCouncil.com

Information Architected, Inc.

http://www.InformationArchitected.com

http://www.InformationArchitected.com

http://www.20AdoptionCouncil.com

http://www.20AdoptionCouncil.com

TABLE OF CONTENTS

Implementing Enterprise 2.0 Within The European Union Transparency And Emergence Vs. Privacy ..............................................................................................................................................................................And Compliance 3

......................................................................................................................................................................................Introduction 3

......................................................................................................................................................................Executive Overview 4

..................................................................................................................................................Scale And Scope Of The Issue 6

.................................................................................Focus On Policy And Do Not Let It Become A Roadblock 7

..................................................................................Not A New Issue - Leverage Approaches From The Past 7

...............................................Increased Reach And Speed Of Collaboration Increases Risk And Challenge 8

..........................Regional Culture Trumps Compliance And Corporate Culture Trumps Regional Culture 9

..........................................................................................Segmenting Advice And Practices By Corporate Culture 10

...........................................................................................................S: Strict Focus On Privacy And Security 10

............S/c: Primary Focus On Privacy And Security But A Need To Collaborate Is Almost As Important 10

.....................S/C: Primary Focus On Collaboration But Privacy And Security Are Somewhat Addressed 10

..............................................................................C: Collaboration Is Viewed As A Key Asset And Stressed 10

.........................................................................................................................................Key Challenges And Focal Points 12

........................................................................................................Competitive Pressure Mandates Adoption 12

....................................................................................................................................A Man Without A Country 13

......................................................................................Privacy - S-Type Organizations Take It Very Personal 15

........................................................................................Local Compliance Should Focus On Work Councils 15

...................................................................Germany; The Biggest Challenge And The Greatest Opportunity 16

...........................................................................................Technology Versus Policy/governance - Best Practices 18

...................................................................................................................................................Focus On Ethics 18

......................................................................................Incorporate Into The Greater Corporate Governance 18

.......................................................................................................................................................Keep It Simple 19

................................................................................................................................................Technology In Use 20

......................................................................................................................................The Irony Of Technology 21

.................................................................The Practicality And Effectiveness Of Technology Customization 22

© The 2.0 Adop;on Council

Implemen;ng Enterprise 2.0 Within the European Union; Transparency and Emergence vs. Privacy and Compliance Page 1

........................................................................................One Simple Approach To Customization - Branding 22

..............................................................................................................Opt-in - A Solution But Not A Panacea 23

................................................................................Opt-in May Not Overcome Regional Cultural Resistance 24

...........................................................................................................Sometimes Technology Is Underutilized 25

Data Privacy Requires A Cyclical Approach, Separate And Distinct From Legal Compliance And Security............................................................................................................................................................................ 26

.............................................................................................................................................And What Of Pilots? 28

.................................................................................................................Words Of Caution Concerning Pilots 29

........................................................................................................................Lessons Learned And Recommendations 31

................................................................................................................Advice From An S-Type Organization 31

................................................................................................................Advice From An S-Type Organization 31

............................................................................................................Advice From An S/C-Type Organization 31

.............................................................................................................Advice From An S/c-Type Organization 32

..................................................................................................................Advice From A C-Type Organization 32

..................................................................................................................Advice From A C-Type Organization 32

.............................................................................About The 2.0 Adoption Council And Information Architected 33

........................................................................................................................................................The 2.0 Adoption Council 33

.................................................................................................................Information Architected And Carl Frappaolo 34

......................................................................................................................................................Carl Frappaolo 34



Implementing Enterprise 2.0 Within the European UnionTransparency and Emergence vs. Privacy and Compliance

By Carl Frappaolo

INTRODUCTION

Great promises of Enterprise 2.0 are transparency and access. While this approach to openness is viewed

predominately as posi;ve and a way to promote increased collabora;on and knowledge exchange, there are

certain situa;ons in which security and privacy must be a part of an Enterprise 2.0 plaLorm. This is par;cularly the

case in the European Union (EU) where social profiles and other content are subject to privacy laws and

regula;ons.

In order to remain compe;;ve but also compliant, European organiza;ons, and global organiza;ons with offices in

Europe, need to balance knowledge access and social compu;ng with privacy. The focus of this report is this very

issue, and how organiza;ons that have been successful with Enterprise 2.0 ini;a;ves have dealt with privacy

issues, using not just a single approach but a range of approaches.

Based on discussions with members of The 2.0 Adop;on Council, this report provides a real‐word view of managing

privacy, including scoping the issue, iden;fying and quan;fying obstacles, lessons learned and best approaches,

hopefully paving the way for other organiza;ons that have been trepida;ous about embracing E2.0 because of

privacy issues.

Companies interviewed included:

CSCIntelOcéA global informa;on technology organiza;on that wishes to remain anonymousA large financial ins;tu;on based in Europe that wishes to remain anonymousA mul;na;onal oil and energy company that wishes to remain anonymous



EXECUTIVE OVERVIEW

• The degree of cri;cality associated with data privacy within the European Union is viewed differently

amongst affected organiza;ons.

• Specific locality within Europe and ver;cal industry have some effect on the perspec;ve of cri;cality, but

corporate culture exerts the greatest effect on perspec;ve.

• Organiza;ons should focus on policy over technology‐driven enforcement, but should not let data privacy

regula;ons become a roadblock to an Enterprise 2.0 ini;a;ve.

• Data privacy is an issue separate and dis;nct from security and legal compliance. It therefore should be

addressed separately and dis;nctly. But, create Enterprise 2.0 privacy policy within the context of exis;ng

privacy and security programs and doctrine.

• The heightened transparency and speed of real‐;me collabora;on offered through Enterprise 2.0, are at

the crux of why privacy needs to be specifically readdressed when introducing Enterprise 2.0..

• Policy and approaches to privacy should be developed within the context of your specific corporate

culture and business applica;ons.

• Keep policies at a high level and open to some interpreta;on, as Enterprise 2.0 itself and European privacy

laws are s;ll evolving.

• The compe;;ve pressure created by the emerging new business models enabled with Enterprise 2.0

dictates that organiza;ons adopt Enterprise 2.0, and thus confront associated privacy issues.

• For organiza;ons with a more relaxed culture concerning privacy, pilots that test Enterprise 2.0 technology

and permit rogue groundswell usage offer a simpler way to become acclimated with poten;al privacy

issues.

• Privacy laws in Europe are not universal. Privacy is regulated at a regional and local level, predominately

by Work Councils. Organiza;ons are required to support regional‐level regula;ons. But the virtual world

created through modern technology poses many vexing ques;ons, na;onal and corporate lines are

becoming blurred, making some exis;ng laws dated.

• Although several issues are connected to the issue of content privacy, the overriding issue of privacy in

Europe comes down to protec;ng the rights of the individual in order to prevent “snooping,“ i.e., prying

into the personal affairs, opinions, ac;ons and associa;ons of others. The social and personal data

associated with Enterprise 2.0 should be viewed as a personal asset and thus shared only under the strict

control of each individual.

• Bookmarking, tagging, social networking and vo;ng are among the more challenging Enterprise 2.0

ac;ons to manage from a privacy perspec;ve. Therefore, the more risk averse organiza;ons have chosen

not to u;lize them for now.



• Security‐based technology and features are far behind access and collabora;on features in Enterprise 2.0

products. This is par;ally a_ributed to two basic factors: most soaware is developed in North America

where privacy concerns are virtually non‐existent; the primary focus on social compu;ng in public (i.e.,

Web 2.0 which focuses on consumer behavior).

• To compensate for the lack of out‐of‐the‐box security tools and techniques, organiza;ons oaen need to

customize products. Customiza;on can make some projects cost‐prohibi;ve.

• Opt‐in func;onality is a popular and somewhat simple way to handle many data privacy concerns, but it is

not a panacea. Many challenges are associated with how specifically to u;lize opt‐in.

• Monitoring and tracking usage of Enterprise 2.0 environments is oaen executed manually, despite the

availability of audit reports in some products. These reports themselves some;mes pose a privacy risk.

• Data privacy within an Enterprise 2.0 ini;a;ve is best addressed in a cyclical ongoing manner. It is not a

“one and done” decision.

• Pilo;ng can be used as an effec;ve way to introduce Enterprise 2.0 into an organiza;on, but certain

caveats apply in order to best leverage them.

• Best prac;ces and lessons learned related to Enterprise 2.0 are dependent upon the corporate culture of

the organiza;on, especially its overall approach to and tolerance of risk.



SCALE AND SCOPE OF THE ISSUE

The issue of balancing transparency and open collabora;on within an Enterprise 2.0 implementa;on, with the data

privacy laws and regula;ons with the European Union (EU), is obviously an issue that is relevant only to those

organiza;ons that are bound by EU jurisdic;on. As one interviewee stated:

“There is an implicit assump1on being made here [the focus of this research]. EU privacy issues are only relevant for either a European company or a global company, a mul1‐na1onal company with a presence in Europe.”

But interviewees were quick to point out that the the degree of cri;cality among “affected” organiza;ons varies

widely. Aftudes ranged from privacy being a concern but not cri;cal, to privacy being extremely cri;cal to the

strategy and deployment of Enterprise 2.0 within the organiza;on. The scale of the issue is not as clear cut. This is

further reflected by comments made by interviewees concerning the scope of the issue:

“I cannot imagine a global company thinking that this isn’t cri1cal. Did it stop us? No. But we did have to consider this group [European privacy] as important as our security and legal stakeholders.”

“You have to deal with this [privacy versus openness]. Times have changed.”

“I work in Europe but this has not been a big deal for us. In some other countries I hear it has been, but not in my country.”

“This is the biggest unspoken hurdle companies will face in this area.”

“The issue of privacy [in the context of Enterprise 2.0] arose immediately. The value of collabora1on was appreciated, but first and foremost was the issue of exposure.”

“We had to embrace this [data privacy], but it was not cri1cal.”

Immediately the range of foci on this issue arises. There is no single “truth” or approach to the cri;cality of privacy

as part of an Enterprise 2.0 ini;a;ve across Europe. We found that this is the case for many reasons, based on

issues such as regionality (specific loca;on within Europe) and industry, but most importantly, corporate culture. It

is interes;ng to note that no correla;on was found based on whether or not the organiza;on is headquartered in

Europe, or a mul;‐na;onal organiza;on with employees in Europe, but headquartered elsewhere (e.g., the United

States).

As stated, and discussed in more detail later in this report,the degree to which an organiza;on sees privacy as a cri;cal issue affec;ng success with Enterprise 2.0 is first and foremost a func;on of that organiza;on’s respec;ve

culture, which is interes;ngly enough not in any way related to na;onal affilia;on of the corporate headquarters.



Focus on Policy and Do Not Let It Become a Roadblock

As a result, the complexity of approaches to manage privacy differs from organiza;on to organiza;on. One

commonality among all interviewees was agreement that no ma_er the approach taken, it needs to be

documented official policy. (More detail regarding approaches to governance policy crea;on is discussed later in

this report.)

But no ma_er the degree of cri;cality these organiza;ons placed on privacy, they all succeeded in managing it. All

agreed that privacy issues were not even remotely close to a show‐stopper for their Enterprise 2.0 ini;a;ve. By the

;me an organiza;on has decided to embrace Enterprise 2.0, issues such as security and privacy, even within the EU

where privacy is closely governed, there is a willingness and inclina;on to make the effort to manage the issue.

Not a New Issue - Leverage Approaches From the Past

One of the reasons cited for the fact that managing privacy is not a show‐stopper is the fact that security and

privacy are not new issues for these organiza;ons.

“This issue [data privacy] in Europe is older than the advent of Enterprise 2.0. If we are tracking informa1on about individuals then we know we have to no1fy them about it.”

Personal data privacy dates back to the 1950s with the European Conven;on on Human Rights and Fundamental

Freedoms. In the early 1970s, resolu;ons were passed in Europe which established principles for the protec;on of

personal data in automated data banks in the private sector and the public sector. More recently, in 1981, the

Council of Europe for the Protec;on of Individuals with regard to Automa;c Processing of Personal Data

established a legally binding instrument concerning data protec;on. Thus European and mul;na;onal

organiza;ons have been dealing with privacy issues and online content for years, and this experience is easily

leveraged within the context of an Enterprise 2.0 ini;a;ve. As one interviewee stated:

“We certainly benefiOed from our experience in the past. One of the things we talk about is that we've gone around the block a couple of 1mes on this,. We've been working on a global portal strategy for over a decade, trying to find the best way to solve all these [privacy] problems. So all of that stuff was there, all of that history was there.”

Similar experience with pre‐Enterprise 2.0 ini;a;ves such as knowledge management have also been leveraged to

facilitate and expedite approaches to managing privacy within Enterprise 2.0 ini;a;ves.

“We have had a knowledge management ini1a1ve for 10+ years. It has certainly paved the way for the Enterprise 2.0 project. We did not have to start from scratch [concerning security and collabora1on]. It is not necessary to have this background, but it helps.”

For these reasons, interviewees agreed that governance concerning Enterprise 2.0 should not be developed anew,

nor as a silo. One common prac;ce that council members shared was addressing Enterprise 2.0‐specific privacy

concerns within the context of exis;ng corporate governance policy and documents.



http://en.wikipedia.org/wiki/European_Convention_on_Human_Rights




http://epic.org/privacy/intl/coeconvention/




“One of the ques1ons we asked ourselves was ‘should we use the same policies that we have for our exis1ng intranets and internets?,’ and we came back saying,‘Yes.’ Actually we had all the policies already in place that should govern this, our code of conduct and our computer and internet use guidelines. This is yet one more tool and there are no differences in expressed behavior between this and talking to a fellow employee on the phone. We didn't have to re‐invent the wheel.”

This is not to say that prior experiences make privacy in Enterprise 2.0 a non‐issue. While not “re‐inven;ng the

wheel,” interviewees spoke of the need for tweaking and modifying exis;ng prac;ces and policies. While privacy

and compliance issues do not fundamentally change with Enterprise 2.0, certain characteris;cs unique to

Enterprise 2.0 do warrant a re‐focus on these issues.

Increased Reach and Speed of Collaboration Increases Risk and Challenge

Interviewees agreed that it is the heightened transparency associated with web‐based access and speed of real‐

;me collabora;on offered,that necessitate specifically re‐addressing privacy and security.

“Technology and business prac1ces are graying na1onal, regional and corporate boundaries.”

“I think the issue is really changing. We need to protect our intellectual property, but on the other hand, we see all around us that the business model is changing and there is value in Web 2.0‐like func1onality.”

“ … we found out that actually there are no new risks that get introduced with social media or Enterprise 2.0. What does get introduced is more opportunity for risks that we already are familiar with to occur. So it's good news / bad news. The good news is that we know how to handle these things, that these are not strangers in the darkness. We've handled them before. The bad news is we now have some of them poten1ally popping up more frequently.“

The fact that Enterprise 2.0 makes it “easy” to blur lines between na;ons further complicates the issue of privacy

within the EU, because as all those interviewed spoke of, there is no single set of rules for the EU, but many. EU‐

wide rules and policies are high‐level and generalized. Mul;‐na;onal and European organiza;ons must also comply

with na;onal/regional regula;ons. Privacy controls and regula;ons are different from country to country, and as

such must be managed at a local level. (See best prac;ces and primary concerns sec;ons.) It was also agreed that

Germany and Austria represent the greatest or most stringent challenges.

“This is what makes it so complex. There is not one set of regula1ons; the issue grows complex very quickly.”

The Data Protec;on Direc;ve implemented in 1995 by the European Commission provides general guidelines and

con;nues to give great autonomy to local authori;es. Moreover the guidelines provided are greatly subject to

interpreta;on. In fact, the Organisa;on for Economic Co‐opera;on and Development (OECD) in addressing the

direc;ve stated, “These guidelines should be regarded as minimum standards which are capable of being

supplemented by addi;onal measures for the protec;on of privacy and individual liber;es.”



http://en.wikipedia.org/wiki/Data_Protection_Directive

http://en.wikipedia.org/wiki/Data_Protection_Directive

http://en.wikipedia.org/wiki/Organisation_for_Economic_Co-operation_and_Development

http://en.wikipedia.org/wiki/Organisation_for_Economic_Co-operation_and_Development

http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html)




Regional Culture Trumps Compliance and Corporate Culture Trumps Regional Culture

Execu;on of an Enterprise 2.0 ini;a;ve in a corpora;on that spans mul;ple countries inevitably has to confront the

larger looming issue of a world society built in the virtual world of the Internet. Are individual ci;zens of the

country in which they physically reside, or of the global organiza;on in which they work?

Each organiza;on has a dis;nct, different culture, and that culture spans mul;ple countries. The complexity of

governing privacy and security within an Enterprise 2.0 ini;a;ve that involves European individuals is thus not

grounded in just the ability of technology to blur clear lines of demarca;on, nor the existence of EU direc;ves, but

the poten;al dichotomy of regional aftudes and prac;ces. And while these exist between fellow EU na;ons, the

situa;on is further exasperated by mul;‐na;onals that include na;ons such as the United States.

“EU law is tricky, even amongst Europeans there is no consensus concerning privacy, but the situa1on is even worse with American teams. The issue of privacy has no meaning to them. They do not get it and cannot see why all this maOers.”

But while EU‐wide and regional laws ma_er, and regional aftudes and culture ma_er, all interviewees agreed, either explicitly or implicitly, that their respec;ve corporate culture was the most dominate influence on how they

address the issue of data privacy. One interviewee put it most succinctly:

“I think the answer to your ques1on is very context‐dependent because it [ways to manage privacy] depends almost en1rely on the culture of the organiza1on that you're talking about.”



SEGMENTING ADVICE AND PRACTICES BY CORPORATE CULTURE

Based on these observa;ons, it became clear that any advice, opinions or prac;ces concerning management of

privacy within an Enterprise 2.0 ini;a;ve have to be couched within the corporate culture from which they

emanate. For this reason, based on observa;ons made during the interview session, we created a taxonomy for the

organiza;ons interviewed. Each respec;ve organiza;ons was iden;fied as exhibi;ng one of four corporate cultures

listed below. Going further in this report, all quoted observa'ons and opinions are preceded with these labels so

that the reader can appreciate the culture associated with these aTtudes and prac'ces. The taxonomy tags

used are:

S: Strict Focus on Privacy and Security

These organiza;ons put heavy emphasis on privacy and security., Privacy and security are fundamental and integral

components of virtually all corporate projects, and the corporate lexicon. Legal counsel is a key component of the

project team. Security and privacy are managed ;ghtly via policy and technology. Security concerns and policy

trump ease of use, emergence and transparency.

S/c: Primary Focus on Privacy and Security but a Need to Collaborate is Almost as Important

These organiza;ons are constantly and consistently aware of both requirements ‐ to maintain security and privacy,

as well as to foster open collabora;on, but with a primary or stronger inclina;on towards security. “Official”

policies mandate adherence to privacy‐oriented prac;ces, but there is high tolerance for “unofficial” skunk works

and experimenta;on with technology programs with li_le concern for privacy compliance.

s/C: Primary focus on Collaboration but Privacy and Security are Somewhat Addressed

These organiza;ons are very similar to S/c‐type organiza;ons, but where within an S/c‐type organiza;on skunkworks and experimenta;on are unofficially sanc;oned, in a s/C organiza;on they are officially sanc;oned.

Corporate policies concerning privacy and security are purposely lea at a high level, providing much individual

autonomy and self‐governance to “do the right thing.”

C: Collaboration is Viewed as a Key Asset and Stressed

Employees are not only given autonomy, but are encouraged to experiment. New technologies and prac;ces are

almost always introduced by small teams whose work is then spread through a groundswell. The focus of such

organiza;ons is on knowledge exchange. There is a high degree of reliance of individual ethics to monitor and

control privacy. These organiza;ons have legal departments and governance policies, but they look to legal as a last

step. Li_le focus is placed on the physical loca;on of employees and content. In most cases, the value added

through open collabora;on has veto power over privacy and IT security issues, unless deemed absolutely

necessary.



It should be stressed that despite the cultural differences, each and every organiza;on interviewed has succeeded

in delivering and maintaining a strong and successful Enterprise‐2.0 ini;a;ve.

In addi;on to this commonality, interviewees also shared a “must do” aftude. Despite where corporate culture

posi;oned these organiza;ons at the start of the Enterprise 2.0 project, for each, security and privacy was a real

issue. It is the aggressiveness with which management of privacy was addressed that differs. The level to which and

aggressiveness with which they address privacy concerns differs, but they all managed to move beyond it in a

manner that allowed them to proceed with delivering and leveraging the benefits of Enterprise 2.0. From this

perspec;ve, they speak from a posi;on of authority, having lived the experience.



KEY CHALLENGES AND FOCAL POINTS

As introduced in the previous sec;on of this report, striking a balance between emerging business models that are

predicated upon open collabora;on and emergence, and privacy/security regula;ons and laws designed to protect

individuals and corpora;ons, is the fulcrum of virtually every Enterprise 2.0 ini;a;ve.

Global real‐;me collabora;on, social and emergent compu;ng are quickly becoming mandates for compe;;ve

parity. On the other hand, especially in Europe, there is The Council of Europe that has stated, “Since the

conclusion of the Conven;on in 1981, the society has been completely transformed, in par;cular due to personal

computers and the Internet which permit any individual or organiza;on to carry out ‘automa;c processing of data’.

In the mean;me, social and economic development has led to even more complex forms of organiza;on,

management and produc;on, based on powerful processing systems. In this context, the individual becomes an

ac;ve agent of the ‘informa;on society’ ‐ while, at the same ;me, his privacy is subjected to even greater

interference by the informa;on systems of numerous public and private services ‐ banks, credit services, social

security, social assistance, insurance, police, medical care.” One interviewee indicated the magnitude of this issue:

s/C ‐ “Both [security/privacy and collabora1on] occur at either a superficial or formal level. You cannot escape it.. How we balance the legi1mate demand for appropriate privacy and corporate security against the need for knowledge exchange to support an effec1ve and efficient community is the defining issue of the 21st century.’ [emphasis added}

As was also introduced in the previous sec;on of this report, this high‐level issue is not new to mul;‐na;onal and

European organiza;ons. As stated, the advent of Enterprise 2.0 has not changed risk per se, but increased its

poten;al breadth and rate of occurrence.

Going deeper into this basic challenge, organiza;ons focus predominately on two sub‐issues: compe;;ve pressure,

and a need to address local authori;es. The la_er is further complicated by the blurring of na;onal and boundaries, described above, and referenced by The Council of Europe as individuals become agents of the

informa;on society.

Competitive Pressure Mandates Adoption

The advent of Enterprise 2.0 is not just the introduc;on of new technology and capabili;es into the organiza;on,

but the introduc;on of new business models. Organiza;ons cannot really afford to ignore the issue. To do so is

likely a prescrip;on for losing significant market share and possible elimina;on from the market.

s/C ‐ “We feel that there are more risks in inac6on [emphasis added], than there are risks in actual ac1on of driving Enterprise 2.0.”

Apprecia;ng that the interviewees are all successful Enterprise 2.0 prac;;oners, it is nonetheless important to

point out that the “must‐do” aftude referenced in the previous sec;on stems from this belief that from a



http://www.coe.int

http://www.coe.int

compe;;ve business perspec;ve, Enterprise 2.0 cannot be ignored. The scales are ;pping in favor of collabora;on

versus privacy.

C ‐ “The interpreta1on of what can be done with personal informa1on is certainly open for interpreta1on. We treat all countries ethically and equally. For us the local laws have been trumped by the greater good of the business.”

s/C ‐ “What I see happening at the superficial, ‘official’ level is much more the former [collabora1on and openness]. Where there are formal, official conversa1ons happening on a country by country basis [note the focus on regionalism] within a company like mine that are essen1ally nego1a1ons around ‘how can we use this?’ or, ‘how can we do this?’, or ‘do we even want to do this in the context of exis1ng laws and regula1ons and what not?’ that each region may have.”

For this reason, all interviewees spoke of addressing the privacy issue virtually exclusively from a risk mi;ga;on

perspec;ve. Compliance is typically couched in terms of the things that could go wrong and what is the lost

poten;al value if compliance is strictly enforced. This is how it is viewed in nearly every case (except for C‐type

organiza;ons). You weigh risk against value via a “what if?” test.

S/c ‐ “The first thing that was done is, myself and the Chief Informa1on Security Officer conducted a security risk. We have a formalized process that's very robust. At the same 1me, we did it for our external online social media efforts from marke1ng. So in one fell swoop, for several days, a bunch of us sat down and did "what if" scenarios and determined what kind of a risk from a legal, financial, security, compliance, exist all across the board and we scored them. Our goal was to enable usage of technology to the highest degree prac1cal.”

s/C ‐ “Regula1ons are couched in terms of ‘If we do this then what can go wrong? What is the poten1al damage if that happens?’.”

A Man Without a Country

As discussed above, the advent of Enterprise 2.0 technologies, coupled with a universal plaLorm (i.e., the Internet)

and 24x7 access (i.e., wireless and mobile devices), has created an unprecedented work environment. The lines

between country, corpora;on, personal and corporate life have been blurred. Yet regula;ons are very much

associated at regional levels. A single official protocol for Europe does not exist. Regionalism is a very large and real

issue that organiza;ons embracing Enterprise 2.0 have to contend with on many levels. Enterprise 2.0 prac;;oners

need to balance not only local regula;ons, but local demand, habits and inclina;ons. Regionalism is a double‐

edged sword.

s/C ‐ “The adop1on rate in Germany is lower than it is elsewhere because of greater vigilance on privacy and a regional propensity to take privacy seriously, but that's offset by the fact that the early adopters in Germany are so ac1ve that they actually over‐compensate in a sense ... I think that the head‐count in Germany makes up maybe 3% of the total head‐count, but in terms of ac1vity they're something like 5%. Despite the fact that, less than 20% of Germans are using the system, those Germans who are using the plaiorm [use it] 2% more...”



The opinions and experiences of this individual from a s/C‐type organiza;on was echoed by most other

interviewees. Even in cases where phased rollouts are used, the tempta;on might be to avoid those countries that

apply the strictest privacy laws. But in many cases, this is not advised or prac;cal, because the demand for or

inclina;on to use Enterprise 2.0 tools is so great in these geographies.

Among the S and S/c organiza;ons interviewed (e.g. those that place emphasis on security and therefore evaluate

it carefully and at a very low level of granularity), all spoke for the myriad issues they need to look out for. Privacy

laws in Europe are not universal. Organiza;ons are required to support regional‐level regula;ons. The virtual world

created through modern technology poses many vexing ques;ons. For example:

• If a German na;onal employee of a mul;‐na;onal organiza;on goes to the USA to work on a project, but con;nues to receive salary and benefits from the German office, which regula;ons are the organiza;on and the employee bound by?

• If a German na;onal employee of a mul;‐na;onal organiza;on goes to work for a branch office in the USA, and receives salary and benefits from the USA office, are they under USA regula;ons?

• If a German na;onal employee of a mul;‐na;onal organiza;on working (physically) in the German office is assigned to a project that is officially based in the USA, is the employee’s input to the project (captured online) subject to USA or German regula;ons?

• Informa;on about certain na;onals must physically be stored within their respec;ve country. But how do we prevent downloading their informa;on or including it in reports that are poten;ally stored in other loca;ons?

• If USA‐based employees are granted real‐;me access to European‐based data – is that any different than the data being stored in the USA? Does real‐;me access make physical storage moot?

Among the S‐type organiza;ons that have explored this most aggressively, they concluded that there is no

agreement on how to handle such situa;ons yet. For this reason, such privacy issues are oaen handled on a case‐

by‐case basis. (See the following sec;on on cyclical review for more detail.)

S‐type organiza;ons expose the complexity of the issue, deal with it head on, and as a result some;mes hold back

on full‐scale rollout un;l such complex issues can be resolved. S/c and s/C‐type organiza;ons typically handle the

complex issues under “non‐official” projects and let experience be the teacher. The C‐types just use the technology

and wait for laws to catch up.

In every case, however, interviewees agreed that technology has far outpaced laws. Laws and regula;ons change

slowly. To wait for explicit changes to direct the reach and rules of Enterprise 2.0 content is not always prac;cal and that is why all but the S‐type organiza;ons take some type of approach to leverage the technology before the law

specifically addresses how it can be used.

The good news is legisla;ve language is oaen cleverly vague enough to allow for interpreta;on. It is geared

towards principles and adequate tes;ng as safeguards. So the key is to put in place tests and audits as safeguards

and stop gaps. Interpreta;on of laws changes much more quickly than the wri_en law itself to adjust for changes

in technology. Harkening back to the compe;;ve pressure being felt, one interviewee, who interes;ngly enough

works within a S‐type organiza;on, put it this way:



S‐ “The pressure is on. You have to push the law and risks in spite of being risk averse because we cannot inhibit economic growth. The business model and advantages offered by E2.0 are compelling and so you have to work through the risk issues.

Again, C‐type organiza;ons on the other hand, take a very different approach. They do not a_empt to work

through the risk issues, or make a_empts to reinterpret the law. They simply see the laws as an;quated and

therefore choose to ignore them under the premise that they would not be held up because technology has

rendered them irrelevant.

C ‐ “With several of the experiments and implementa1ons that we did, that was definitely the case [the law was considered irrelevant and an1quated] and legal was not in at all. We acknowledge the fact that our security policy, our informa1on security policy is basically out‐dated. It's based on old informa1on principles not knowledge management principles and so we who use Enterprise 2.0 are saying, ‘Well, we have to speed up and devise a new informa1on security policy.’"

Privacy - S-Type Organizations Take it Very Personal

It is again stressed that while privacy of content in Europe is not a new issue, the issue has become more complex

because Enterprise 2.0 heightens the level of and speed with which personal data is accumulated. Privacy issues as

they relate to Enterprise 2.0 become far more complex because of the focus on personal data. In the S‐type organiza;ons, for example, exis;ng processes and rules were re‐examined. Exis;ng processes and privacy policies

were reexamined to determine if they were s;ll adequate, given the heightened availability of personal data.

Content was examined as to where it comes from, where it is stored, who has access to it, where it can be used,

where it can be sent and from where it could be accessed. Such examina;ons included cases in which personal

data could be “inferred” (e.g., using social profiling to track usage of content by date or loca;on.) The situa;on

became very complex, very quickly.

Local Compliance Should Focus on Work Councils

In mee;ng the criteria at the local level, it is European Work Councils that must be specifically addressed. All

interviewees referred to the Work Councils ;me‐and‐again as the focal point for compliance and alignment. They

are the en;;es that must be sa;sfied that local regula;ons are not being violated.

To appreciate the rela;onship between Enterprise 2.0 prac;;oners and their respec;ve organiza;onal

management, it is important to understand why the European Work Councils were established. According to

Wikipedia, “European Works Councils were created partly as a response to increased transna;onal restructuring

brought about by the Single Europe Act. They give representa;ves of workers from all European countries in big

mul;‐na;onal companies a direct line of communica;on to top management. They also make sure that workers in

different countries are all told the same thing at the same ;me about transna;onal policies and plans. Lastly, they give workers’ representa;ves in unions and na;onal works councils the opportunity to consult with each other and

to develop a common European response to employers’ transna;onal plans, which management must then



http://en.wikipedia.org/wiki/Works_council

http://en.wikipedia.org/wiki/Works_council

consider before those plans are implemented. The EWC Direc;ve is currently being revised by the European

Commission.”

(It is interes;ng to note that the Wikipedia ar;cle ended with the phrase, “revised.” One might conjecture that the

pressures brought on by Enterprise 2.0 technology and the emerging business models this has created are at least

par;ally behind the perceived need to revise Work Councils.)

One interviewee characterized the rela;onship between organiza;ons and the Work Councils a bit bluntly:

S/c ‐ “The Work Councils see themselves as the representa1ve of the employees, the enemy of management. “

Work Councils not only represent a force to be reckoned with, but in some cases, can become a hurdle directly in

opposi;on to local corporate culture. One interviewee suggested that dealing with work councils locally is difficult

because they see privacy one way – but corporate culture – even locally see it another way.

s/C ‐ “ The conversa1on will become a different one [dis1nct from talking with local employees directly] when talking with Work Councils. It’s a very difficult dance back and forth between these sorts of things. This [security and compliance versus a want to know] has to be balanced.”

Thus it is important to recognize that while security that takes the form of intellectual property protec;on, for

example, is separate and dis;nct from privacy regula;ons. In some cases, this means a specific focus on privacy

separate and dis;nct from system security.

s/C ‐ “ For us, data privacy stakeholders are separate cons;tuents from legal and from security. There are

strong work councils ... and these groups don’t report into legal, although they do have legal counsel as their

data privacy czar for representa;on.”

Germany; the Biggest Challenge and the Greatest Opportunity

As stated several ;mes in this report, despite EU‐wide regula;ons and direc;ves, privacy issues in Europe manifest

at a very local level. Local regula;ons, enforced by local Work Councils are the real focus of managing privacy

within an Enterprise 2.0 ini;a;ve. All those interviewed agreed that in dealing with localized compliance, Germany

and Austria pose the toughest privacy regula;ons.

s/C ‐ “Under German law, each physical work site is en1tled to its own, independent work council, that can mean that in a company like ours, the rules are some1mes different between the office in Hamburg and the office in Munich.”

C ‐ “We do not worry about it too much in may countries, except Austria and Germany. The rules are much more strict there.”



As men;oned above, however, regionalism is a double‐edged sword. At ;mes, locali;es with strict privacy

regula;ons are also home to employees that are among the most aggressive early adopters of Enterprise 2.0. More

than once, Germany was iden;fied as the epitome of this conundrum.

s/C ‐ “This is such a complicated issue ... this has to be balanced with an awareness of things like each of the regions, [within] Germany, Spain, Italy, the Middle East, there is a common refrain and has been for years that they feel isolated, cut‐off, under‐informed and under‐connected and not given enough opportuni1es to par1cipate in the global corporate culture which is oken perceived as being dominated by the US and to a lesser extent the United Kingdom. Germans, the French and the Italians want to use this thing [e20 plaiorm] because all of a sudden they feel that they are connected, they are empowered, they are able to take part in the conversa1on in a new way; they're very excited about that. It's not that they don't want to use it. To the contrary. But we cannot ignore things like the local laws on the books.”

Pent‐up demand as a mo;vator is an interes;ng observa;on. Some interviewees shared that despite early

involvement, North American users become fairly docile. Although none of them had done a formal study to

determine why, it was commonly believed that the greater ongoing par;cipa;on among non‐North Americans was

rooted in this pent‐up need. Ironically, the enforcement of local regula;ons to control privacy creates a greater

need for collabora;on. So despite the need for greater control, the payback is poten;ally greater.



TECHNOLOGY VERSUS POLICY/GOVERNANCE ‐ BEST PRACTICES

Based fundamentally on different corporate cultures, organiza;ons take many different approaches to specifically

dealing with European privacy concerns in an Enterprise 2.0 ini;a;ve. That said, in interviewing these companies,

two “standard prac;ces” emerged:

1. Do not rely on technology as a way to manage and enforce privacy. The level of technology required is not

there yet.

2. Every approach to managing privacy needs to start with a well ar;culated policy and governance plan.

Even in cases where technology will be used to some extent to manage or enforce privacy regula;ons, the

corporate policy must be official and obvious.

Focus on Ethics

Much advice was provided concerning the crea;on of policies and governance documents. Although several issues

are connected to the issue of content privacy, the overriding issue of privacy in Europe (regional as it is) comes

down to protec;ng the rights of the individual in order to prevent, what one interviewee labeled “snooping.“

Again, this represents a conundrum, in that profiling techniques used in many Enterprise 2.0 technologies (e.g., social profiling and social network analysis) derive their value from “snooping” or monitoring the ac;vi;es and

connec;ons of individuals. Interviewees recognized that such a level of detail about an individual could be used

for malicious intent. It is keeping this from happening that is oaen a cri;cal decision point and is oaen the focus of

many policy documents. In cases of extreme concern, typically associated with S‐type organiza;ons, provisions are

made to inhibit any such data from being captured. The price of course, is drama;cally lessened emergence, no

proac;ve approaches to social networking, and lowered transparency of communi;es and collabora;on.

The bo_om line expressed by interviewees is that this is much rooted in corporate culture. Is the organiza;on likely

to use such personal data for malicious intent? A basic rule of thumb on how to look at such data is to recognize

that the data belongs to the user, not the organiza;on. Unlike Web 2.0 where “personal data” is marketed as a

product or service of the “owning” underlying plaLorm, Enterprise 2.0 personal data can (and some argue should)

be viewed as a personal asset and thus shared only under the strict control of each individual. (See the discussion

on “opt‐in” for more detail on this issue.)

Incorporate into the Greater Corporate Governance

Trea;ng Enterprise 2.0 personal data as a personal asset is again an extension of the “right” corporate culture.

Interviewees again stressed that Enterprise 2.0 governance should be seen as an extension of the organiza;on’s

exis;ng content management policy. E2.0 governance was either added to, absorbed by inclusion or adapted easily

from content management policy.



s/C ‐ “This new technology does not add any new ways to get yourself into trouble. If that's what you want to do, you will be able to do that with Enterprise 2.0. We won’t stop you or try to prevent you from doing that. But if you're going to behave like a professional, if you're going to behave like you want to keep your job and get promoted, be a good corporate ci1zen and what not, then this is also a good place to do that. So we posted blatant pointers to blog posts on the home page in the early days, pointed people at them and they read, ‘Look, you need to understand. misbehave here, and like misbehaving anywhere else, there will be consequences.’ And we just let it go. And it's been a resounding success.”

Keep it Simple

If the approach presented in the preceding quote appears overly simple, that is not coincidence. Although the level

of control eventually exercised by each organiza;on was very much related to their culture (i.e., S‐types ins;tuted

;ght formal controls; C‐types provided only suggested work habits), each and every interviewee stressed that

governance documents and policies should be kept as simple and straighLorward as possible.

Because Enterprise 2.0 is viewed as an emerging technology, it is considered a best prac;ce to keep governance

and policy language to the highest level and as open to interpreta;on as possible and prac;cal. (Note: this

approach is very similar to the way current EU regula;ons regarding privacy are wri_en, as introduced in the Key

Challenge and Focal Points sec;on of this report.) For example, look at the approaches taken by some of the

interviewees’ organiza;ons:

s/C ‐ “We very consciously decided to adopt a ‘formal’ policy framework that's very informal... There are only 3 rules: 1) be nice, be respeciul, be a good corporate ci1zen; 2) if you break rule #1 expect to get guidance on how not to do so in the future; 3) pro‐ac1vely help other people not to break rule #1. That's it! That's all there is. There are no rules, for example, about what content is allowed or not allowed. There are no rules on when you're supposed to use it, what you're supposed to use it for, none of that. We were very, very conscious and explicit about leaving that completely wide open. We did do, however, a number of things to try and shape the way things would develop.”

C ‐ “What we devised was social compu1ng guidelines. We said to employees, ‘It's okay to use this kind of tool,’ and gave them some guidelines, not too many, on how to use them within the organiza1on and outside the organiza1on. We went through legal. The employees who were reluctant responded really well to this. They said, ‘Okay, now we have some kind of framework, some kind of guideline to be able to ac1vely par1cipate in these more open, transparent tools, social tools.’ One of the interes1ng things we encountered was that legal, basically a group of people who just say no to everything that's new, in this case just didn't understand. They didn't say yes or no.”

C ‐ “We just told our employees to be ethical and let users police it. “

In keeping with the idea to keep Enterprise 2.0 corporate governance as simple as possible, and echoing earlier

sen;ment, that Enterprise 2.0 does not introduce new risk to the organiza;on (just more of it), all those



interviewed stressed that Enterprise 2.0 governance most definitely be incorporated into exis;ng governance

models and documents. Pre‐exis;ng policies developed for intranet use, COPs and knowledge management

ini;a;ves were clearly leveraged. So while the Enterprise 2.0 technologies may be widening the reach and issues,

there was certainly precedent to rely on and build from.

s/C ‐ “E2.0 may be a new thing but we need to incorporate it into and add it to our exis1ng policy framework of which there is already a very large, robust and boring one.”

Organiza;ons that are tradi;onally security/privacy focused (S‐types) indeed saw that experience paved the way,

but also indicated that it is not always a perfect fit, and although they started with exis;ng policy language, they

had to make significant amendments in order to adapt the policy to the demands of Enterprise 2.0.

S ‐ “This was not new for us. So, we had a process in place for introducing systems and ensuring they obeyed laws and regula1ons. So we applied it to the E2.0 ini1a1ve. But we found that tradi1onally business applica1ons had liOle use of ‘personal’ informa1on. The issue of personal content and privacy was at the heart of this [E2.0] project so it raised the bar on what we had to look at. The privacy policy that we had in the ‘60s, and those from the 1995 European Privacy law had to be reexamined. Here we used our Chief Privacy Officer, in conjunc1on with 6 regional managers and a pan‐European process manager. There is constant communica1on between local managers and the project team.”

It is worth men;oning that despite this heightened and more complex approach to privacy this organiza;on is at a

level of Enterprise 2.0 deployment comparable to the others interviewed.

Technology in Use

It should not be misinterpreted that the lack of focus on technology itself in the governance document is an

indica;on of a trepida;ous usage of technology. In each case, the interviewed organiza;ons have adopted a menu

of Enterprise 2.0 technologies including wikis, blogs, microblogs and video libraries (e.g., YouTube for the enterprise).

However, among the more risk averse organiza;ons, tagging, social networking and vo;ng are typically avoided.

Some will not permit bookmarking as well. These technologies are considered the more difficult to deploy from a

privacy perspec;ve, because of the level of personal informa;on they collect.

S ‐ “There's no bookmarking. We do not have content vo1ng or ra1ng, track the most viewed, most commented on content. Our Human Resources department actually nixed that. Not only did we think this was too much personal data, but even viewed in aggregate it could create ill feelings in the organiza1on. We could not publicly claim that certain content is more popular than others. It's challenging because it's a key piece of meta‐data for content relevancy.”

S/c ‐ “We very diligently manage what we can and cannot show about employees. We're running up a concept right now around organiza1onal network analysis and what it would mean to put



that into play. This is some very powerful technology. If anything is going to generate interes6ng robust discussion around issues par6cular to the European Union, it's going to be this. [emphasis added.] Literally you're going in and you're capturing insight into what people are doing, their connec1ons, the things they're talking about. You are able to show it in a mappable network, show weak connec1ons, strong 1es, where an organiza1on's parts should be 1ed together and where they aren't. There are things in there that we already know there's no way we'll be able to show. So that's one extreme aspect of what we're working on.”

The Irony of Technology

While Enterprise 2.0 technology pushes the envelop concerning collabora;on, it is viewed as lagging concerning

dynamic approaches to privacy and security. The focus of most Enterprise 2.0 products is exclusively on bridging

;me and distance to create open, virtual collabora;on. This is the technology that is blurring na;onal boundaries,

as introduced earlier in this report. But where are the state‐of‐the‐art security and control mechanisms? For the

most part, interviewees felt that they are simply not there.

Some interviewees felt that technology vendors are too heavily focused on open access and do not adequately

address privacy and security.

S ‐“Technology is way behind, it is in catch‐up mode [concerning security needs]. We work very closely with the sokware vendors on deployment. When security requirements come up they are not ready.”

C ‐ “Nonetheless, we take security seriously. For example, we do no hosted applica1ons. Technology has a long way to go before it can adequately handle access rights.”

It is worth no;ng that the last quote was from a C‐type organiza;on. Even in corporate cultures that do not stress

privacy over collabora;on, the lack of commercially available “standard” technology approaches to manage privacy

is s;ll obvious.

Nearly all of the interviewees agreed that one reason for this is the fact that most Enterprise 2.0 technology is

developed in North America where privacy constraints are not a primary concern. Recall how this ria also occurs on

project teams that involve North Americans and Europeans. This is a strong regional cultural ria at the vendor and user level. The soaware developers do not appreciate the level of func;onality required to adequately manage

privacy on a global level. One interviewee provided a simple example:

S/c ‐ “On one hand, they [sokware provider] give us the ability to let users opt‐in. But this [tracking opt‐in responses by loca1on] is a shoriall in analy1cs that we have from our vendors. These products do a really bad job of showcasing where, geographically, folks are op1ng into the system.“

Another reason for the lack of technology keeping up with privacy demands is believed to be the primary focus on

social compu;ng at the public level (i.e., Web 2.0). One interviewee put it best:



S/c ‐ “Using technology to control access and privacy is something that we beat up vendors on all the 1me. Right now there is actually a task force to address the ques1on of monitoring tools not just for social compu1ng but for any collabora1ve tool that there's a risk associated with. We have not yet found the right solu1on. We con1nue to be concerned with the lack of security focus from the vendors. We see some improvement there, but definitely for the last couple of years, it's been a very consummerised mind‐set, that what's good for external consumer space, why shouldn't it be good, the same for the enterprise? I think a lot of the vendors have not come from the enterprise. They do not understand the complexi1es, the regula1ons, the policies, all these things that don't come into play when you're doing external marke1ng efforts. Subsequently, they haven't gathered any of those requirements, don't understand it and then don't bake it into their products. Now we're star1ng to see some early adopters that have shown us roadmap commitments to address it more. But it's not where it needs to be in any way, shape or form.”

The Practicality and Effectiveness of Technology Customization

No ma_er the reason behind the gap between privacy requirements and technology, oaen deployments will take a

customized approach to managing privacy. Examples of customiza;on used were provided by interviewees. At

;mes, the level of customiza;on necessary can make an Enterprise 2.0 project cost prohibi;ve, delay

implementa;on and nearly always involve a fair amount of work. Mee;ng European privacy demands is more oaen

not a ma_er of a simple tweak.

s/C ‐ “We have always found that we need to customize any solu1on in order to meet security requirements. The level of control required is not obtained just from out of the box technology. The cost involved in doing so varies, but can become most substan1al.”

C ‐ “In order to adequately protect real‐1me audio and video it was going to cost us approximately $60 million Euros. The cost of security just for a pilot of 2,000 across Europe killed the project.”

S/c ‐ “When this occurs [a gap between privacy requirements and technology offerings] we either have to wait for the vendor to catch‐up or invest in customiza1ons.”

S/c ‐ “We had to do a lot of work modifying the user profile templates in our plaiorm product in order to reach a version of the user profile template that achieved a consensus with the global stakeholders. There was concern from Europe, primarily, about the fields in the profile, which things people were being asked to provide informa1on about and whether or not that was compliant with certain local regula1ons and laws.“

One Simple Approach to Customization - Branding

Another hurdle to overcome rooted in European privacy concerns is an awareness of content’s physical loca;on.

As introduced earlier in this report, some countries within the EU (e.g., France), require that personal data be

physically stored locally. As was discussed earlier, some organiza;ons have chosen to ignore ac;vely aggressive

compliance with this criteria as they believe wireless, the Internet and Enterprise 2.0 technology have rendered this issue moot. But in cases where local storage is addressed, some organiza;ons have found that rela;vely simple

customiza;on via the branding of par;cular websites and pages through the interface can be used as a stop gap

solu;on.



S/c ‐ “We also did some things with branding to start showing visual clues as to where the applica1on and data was hosted. This has been somewhat effec1ve. Users are made aware of where the site is taking them.”

Opt-in - A Solution but not a Panacea

One rela;vely simple way to customize implementa;ons, in order to manage privacy concerns, is to allow users to

opt‐in to systems, and in some cases par;cular features or meta data (i.e., personal profile fields].

s/C ‐ “Use of our social networking plaiorm is not mandatory for anyone and, if you choose to use it, then you are op1ng in and thereby you are agreeing to this.”

s/C ‐ “They [co‐workers] must opt‐in to a defined list of how they can par1cipate, and significantly how their informa1on can be used by themselves, the organiza1on and other members. This is par1cularly true of metrics reports.”

But opt‐in is not a panacea. All interviewees men;oned one or more reasons why opt‐in cannot always be used,

and iden;fied shortcomings in the current technology approaches to opt‐in.

For example, opt‐in was permi_ed in one organiza;on only because the underlying plaLorm (i.e., the Enterprise

2.0 collabora;on plaLorm) was not considered a “business cri;cal” applica;on. If it had been, then opt‐in would

not have been allowed. Employees are not allowed to not par;cipate in cri;cal business func;ons. Thus the more

Enterprise 2.0 is integrated into and/or evolves into business cri;cal applica;ons, the less opt‐in is viewed as a

viable way to handle privacy.

S ‐ “... a more informal approach to opt‐in was used. The approved [Enterprise 2.0] tools were made available on the internal site. Use of these tools is strictly voluntary. This approach was acceptable only because, unlike HR applica1ons and business process applica1ons, E2.0 technology is not seen as mandatory. You do not have to do it to perform your job.”

While perhaps Enterprise 2.0 applica;ons are not viewed as business cri;cal, in some situa;ons they are

considered “important enough” to not allow employees to opt‐out. The issue of Enterprise 2.0 losing some or

much of its value if par;cipa;on is op;onal oaen came up in the interviews. Some spoke of opt‐in poten;ally

pufng employees under too great a pressure. They may have the right not to par;cipate, but non‐par;cipa;on could put employees at a serious disadvantage ‐ make them internally less compe;;ve, and thus op;ng‐out is not

really an alterna;ve. More user‐sensi;ve organiza;ons therefore tend to shy away from opt‐in as an immediate fix

to privacy, or use opt‐in only at group levels to circumvent individual aliena;on and exclusion.

C ‐ “We considered limi1ng profiles, or making them subject to security, although this is not good because this would mean that the plaiorm to share knowledge would be virtually useless. We need those profiles to be as extensive and as open as possible, so that our community members can find one another. If people don't share their profile, then this pilot would just basically fail. We were preOy sure of that. So we had to go in there and, it was basically solved preOy easily. Basically we asked the whole group if they would allow us to show those profiles and their pictures, at once. [Op1ng in was done at a group level – no individual permission was sought]. ... and that solved our problem at that point in 1me.”



S/c ‐ “We have a unified privacy policy for the en1re organiza1on that gets applied everywhere that we do business. We're very conserva1ve. We usually go for the extreme case and apply it universally. I think that's one of the reasons that you see us struggling on opt‐in. We took that into account in order to play in Europe. But people in North America are frustrated with the policy. [Again, note the cultural rik between Europe and North America.] Some people just expect that by agreeing to be a member of a community your profile will automa1cally be maintained, and that they will automa1cally receive alerts on any ac1vity that goes on. But that is not the case. Our approach was all opt‐in and therefore the profiles were somewhat manual. That's frustra1ng when somebody's trying to build a community, that you have to wrangle folks to get them to where you need them to be in order to really have a robust community experience.”

The more security risk averse organiza;ons also iden;fied legal issues that can prohibit use of opt‐in or seriously

impact how it can be used.

s/C ‐ “You can't simply give up a right, of course, so there are certain limita1ons to what this [opt‐in] can affect, but it does manage to dodge a whole host of bullets. The Works Councils are fine with that [opt‐in] and they're happy because their cons1tuencies get to do the things that they want to do and if they don't want to then they don't have to. But they make sure that basic rights are not waived. So we cannot use it for everything.“

s/C ‐ “Just because individuals opt‐in to a social network does not mean that resharing a list of connec1ons without prior consent from each of the connec1ons is allowed. It must state in the terms and condi1ons of the system that as a par1cipant you will allow others to reshare connec1ons unless the par1cipant disallows this through the sokware.”

S/c ‐ “It does not maOer if an individual opts‐in. The organiza1ons must s1ll be vigilant to the fact that certain basic rights cannot be foregone in this way.”

S ‐ “Opt‐in didn’t work. It is okay in the US, Ireland and even the UK. But they [Work Councils] wanted a universal equal playing field. And in other countries, even op1ng in or out could be telling the employer too much, so it was not considered a legi1mate ques1on to ask.”

Opt-in May Not Overcome Regional Cultural Resistance

Virtually all of those interviewed also men;oned cultural differences to collabora;ng “in public,” not only in

Europe, but across Asia and the Middle East as well. Although opt‐in can be used to provide voluntary par;cipa;on,

they found that is not always enough to effec;vely establish ac;ve online communi;es. In order to get the level of

par;cipa;on desired, Enterprise 2.0 teams may have to communicate directly with and manage individuals

specifically at a local level in order to provide a local apprecia;on for why par;cipa;on should not be avoided.

S/c ‐ “Opt‐in has worked for us. Although I do not have hard numbers to share, [recall in the preceding discussion on the shortcoming of technology, it was observed that Enterprise 2.0 systems typically do not provide tracking of opt‐in via standard reports] the sense that I get is that folks in the European Union are par1cipa1ng. I am not hearing from anyone in Europe that there is a resistance to par1cipa1ng, based upon any privacy concerns. What we're seeing across the globe are more cultural challenges rather than privacy concerns. Some regional cultures are resistant to leveraging the 2.0 technologies. It's almost they feel it's too out there, too open. Some cultures are



very vocal. They don't mind construc1ve confronta1on in any way, shape or form in person. It's a very different story when they have to put it into an online community. It's kind of fascina1ng. We find we have more change management issues than we originally believed.”

Sometimes Technology is Underutilized

While overall the feeling amongst the Enterprise 2.0 prac;;oners is that technical approaches to managing access

and privacy are not keeping pace with collabora;on func;onality, it was interes;ng to learn that where technology

is available to assist in control, it is not used at ;mes. Although, as previously indicated, automated repor;ng is not

always available (e.g., in the cited cases of opt‐in not tracking by region), monitoring in a manual way seems to be

the approach preferred for the ;me being, despite the availability of some automated audi;ng and tracking

reports.

s/C ‐ “We are monitoring usage, doing a liOle bit of manual work, hopefully trying to automate it. We're relying upon some of the analy1cs tools that come with the applica1ons to do key‐word searches and trying to flag some of those things that you're typically looking for that usually spell problems. It's not to the automated point that we want it to be so it's kind of a Band‐Aid approach.”

S/c ‐ “Technology in the form of repor1ng has not yet been used as a way to work with the Work Councils. To the extent that there's somebody ac1vely pulling data from some database somewhere and providing them [the Work Councils] with those reports, no. That may s1ll happen, however. I believe that one of the complaints currently grinding its way through the system has some aspect of doubt in these reports. So that may s1ll emerge as being a requirement, but it hasn't happened yet. It wouldn't surprised me if it did though.”

S/c ‐ “We are not using technology to monitor behavior from a control and filter standpoint. But nevertheless it's not being lek just to corporate good behavior. The answer is nuanced by this regional sort of issue, set of issues. In the US that data is being extracted and examined. I don't think it's being done yet off of our Enterprise 2.0 plaiorm in any comprehensive or consistent or repe11ve way just because I don't think anybody has bothered to pay much aOen1on to it yet. The email are rou1nely run through those kind of sokware products in the US, but not in most other regions because the laws in most other regions prohibit the use of that kind of sokware. So, again, that depends on what region you happen to be in.

S/c ‐ “We're going to train administrators in the Enterprise 2.0 framework so that they understand their responsibili1es in making sure that they keep their spaces compliant. We're incorpora1ng some of this into our mandatory training for all employees, for our Code of Conduct. And we also have a group of ambassadors for the internal community that they're there to really provide stewardship, but they're also there to watch the system and if they see something, they can report it. They can kind of ‘watch‐dog’ it. They're going to be doing a lot of training and then, of course, we're con1nually seeing folk who are using the community to reinforce the behaviors. So if someone starts geyng out of line, the community helps to right it and if it's really out of line and against our policies then HR can come in and deal with it on a performance management basis. It comes into an employee's performance and their conduct. And then you sit down and say that



these are things that we expect of you. Let's put a plan together to do some improvement in these areas.”

C ‐ “I know that people can have a hard 1me with these security issues. One of the things that I'm doing is that I'm ac1vely monitoring what's happening. I know that they're using it in the right way. I'll kindly warn them if they're geyng into too much detail, just for now, because we don't have all the security features that the IT department basically requires.”

In some cases, automated approaches to privacy management and security are avoided because they, themselves,

present poten;al privacy risks, and/or for internal poli;cal reasons.

s/C ‐“If you intend to create a specific type of report, for example tracking the number of par1cipants per country, it must be stated and anyone affected must give permission for this. If you change the report, every par1cipant, not just Europeans, must opt‐in again, each 1me a change is made.”

S ‐ “Any metrics cannot have results that can be used to iden1fy and target specific individuals, without their explicit permission to do so.”

C ‐ “I have chosen not to use the technology‐based security, including repor1ng. The reason I do that is just because if, for instance, if IT security comes to me and says, ‘What you're doing is wrong. It is way too open and you have to kill it.’ Then I want to be able to say to them, ‘I'm monitoring it and up un1l now everything is going fine. If you can find something that is wrong please go ahead and tell me and we can work it out.’ I want to be able to say to them, ‘This is an experiment and I'm checking that this experiment is not going against our policies or whatever. And I'm responsible for it.’ Up un1l now people are happy and not complaining.

While not all organiza;ons are using the automated audi;ng reports, to the degree they are provided in the

Enterprise 2.0 products, in cases where they have been used, the experience has been posi;ve. Nowhere are

reports used to the exclusion of human vigilance, but they have been used as a powerful adjunct and complement

to human vigilance.

s/C ‐ “Having our solu1on provide abuse reports was a huge win. These tools make it easier for employees to create anything. We can see if an employee posts something inappropriate.”

Data Privacy Requires a Cyclical Approach, Separate and Distinct From Legal Compliance and Security

As discussed earlier in this report, data privacy is an issue that is separate and dis;nct from system security,

firewall‐based security and legal compliance. Several interviewees stressed that it is therefore very important to address it separately and dis;nctly. They felt that it is oaen easy to fall into the trap of thinking that security, legal

compliance and privacy can all be handled in the same way, with the same team, and that is not the case.



Interviewees stressed that unlike legal issues and security issues that can be handled with a “make a decision and

move forward approach,” privacy issues, especially as they relate to the evolving business models created by

Enterprise 2.0, need to be handled individually and in a cyclical manner.

Among those organiza;ons that address privacy issues with a moderate to high degree of zeal, authori;es such as

the Na;onal Data Protec;on Commissioner and the regional Work Councils, are a frequent focal point. As has

been highlighted throughout this report there are many gray areas within the realm of data privacy. Even when so‐

called authori;es, such as the Work Councils are involved, experience has shown that neither the principles of the

conven;on, nor na;onal regula;ons on data protec;on can regulate every situa;on in which personal data are

collected. Differences will emerge for many reasons including regionality, interpreta;on, and simultaneously

evolving trends in ver;cal industries. The degree of scru;ny and risk associated with medical, social security,

financial and ma_ers of police can be poten;ally different than those associated with telecommunica;ons and

direct marke;ng for example. Personal data associated with each ver;cal sector and applica;on must be collected

and processed according to the basic principles of the EU Conven;on, but the ways and means used can be

different. Certain industries and loca;ons may be more flexible than others.

Interviewees, across all corporate cultures, spoke of privacy being handled, to the degree it is, by a team of

individuals in a cyclical manner. Though most concurred that privacy should be handled early on if not immediately

in a Enterprise 2.0 project, they all agreed that it must be revisited and reviewed, based on evolving trends globally and within the organiza;on.

S/c “… unlike legal where you get the contract signed and done, or security where you permit access or not, data privacy and data protec1on is an ongoing process. We did have several folks on different occasions look at this, on several projects.”

s/C ‐ “There is a small team. It's about three people I believe, who are responsible for the management of the Enterprise 2.0 ini1a1ve, who are responsible for that stuff [data privacy] at the corporate level. They are the subject maOer experts for this sort of thing. They repeatedly get involved in kind of an emergent, ad‐hoc fashion, along with other members from other special1es like the legal department, like the corporate data protec1on group, and so forth and so on. To answer specific ques1ons, they form together in a small team for a short period of 1me, answer a specific thing, produce a specific thing, whatever, then go their separate ways, and that just happens in an itera1ve fashion over and over and over again.”

s/C ‐ “For one thing, the person who manages this [the Enterprise 2.0 ini1a1ve], was very clever about including in that early team people from legal, people from corporate and people from human resources. So those folk were on board from the very beginning. Throughout the process, we made them stakeholders so they had some skin in the game and wanted it to succeed for their own reasons. That made them eager to find ways to help us solve problems.”

S/c ‐ “We actually have formed a management review commiOee that's a governance management review commiOee, and so everything that I do with Enterprise 2.0 comes before this commiOee for review from a legal, security risk and privacy standpoint. So that is it, it's a 1me consuming process but I think it is necessary, absolutely necessary in order to make sure that we don't introduce any new risks into the environment, that we mi1gate the risks that are known and that we also provide a comfort level for senior levels that we can drive business values with these



tools and have the risk well managed. Because the security risks are always one of the first things that they come back with, par1cularly with exposure of intellectual property.”

And What of Pilots?

A popular approach to rolling out any technology is the use of pilots. Many interviewees spoke of pilo;ng as a way

to not only experiment and/or introduce Enterprise 2.0 capabili;es into the organiza;on, but also as a way to

become be_er acclimated to poten;al data privacy risk. Indeed, as discussed earlier in this report, among some

organiza;ons so‐called “unofficial” Enterprise 2.0 projects are undertaken for this very reason.

Whether such efforts take the form of a rogue groundswell use that blossoms into an enterprise plaLorm, or an

official top‐down sanc;oned test – all agreed that “pilo;ng” is a viable and valuable approach to gefng started

with Enterprise 2.0. All agreed that the experience provided through a pilot will teach much not only about, but

certainly including privacy risks. Pilots are a good way to see where issues may arise, if risk exists and how to deal

with it at a smaller scale. They can also be a good way to handle security, especially if local users are involved in the

effort and can push for compliance as part of the pilo;ng effort.

s/C ‐ “An ini1a1ve like this [a pilot] is happening and you have some sub‐set of each of the regional popula1ons on board. These are people who want to collaborate so they jump on the project and start using it. The project team must follow along behind them and mop up the messy details like, ‘Are we even allowed to do this in this par1cular culture?,’ and that's the point at which people like the German Works Councils get involved. … So the Works Councils immediately find themselves in a somewhat contradictory kind of role where, on the one hand, they're trying to figure out whether or not this is okay, whether management is going to use this in some new totalitarian fashion to abuse their workers or not. And at the same 1me they're being pressured by their cons1tuencies already using it and saying, ’Hey, This is great! Find a way to allow me to con1nue to use this.’ The Works Councils get involved in these early conversa1ons driven by these two different impera1ves and inevitably some compromise emerges out of that where exis1ng regula1ons about things like data protec1on and whatever gets acknowledged in some way, and you find some way to work around them. So, for example, in our company a lot of the issues that you would otherwise have with German data protec1on laws, have been mi1gated by our pilo1ng procedures. But what does happen, then, is that periodically Works Councils members will kind of s1ck their hands up when they see something happening somewhere that they think is not in accordance with their par1cular regional laws or regula1ons and they complain and there's a formal process that they can use to do that.”

s/C ‐ “[In discussing the use of a pilot and why the project owner needs to be ac1vely involved as well] ...but also look to where you see things, things that just come up in the course of the usage on an ongoing basis. For example, I found out that it is possible on our plaiorm product, when you go into the screen that shows you the lists of users, you get a list of profiles of people who are registered in the system, apparently... and I didn't even know this was possible.”

S/c ‐ “So we were able to proceed with the pilot and start experimen1ng with things in a prototyping kind of a manner before we had sorted out all of the policy ques1ons. In other words



we were able to experiment with alterna1ves to various answers to specific policy ques1ons and that proved to be a very efficient and produc1ve, fruiiul way to go about the problem.”

It must be appreciated that the type of pilot described in the preceding quote is par;cularly useful if the

organiza;on can get away with unofficial technology use such as this. These are the unofficial projects and

skunkworks typically associated with and condoned by C, s/C and to a lesser degree S/c organiza;ons. This

approach to pilots would not be condoned in a S‐type organiza;on.

Words of Caution Concerning Pilots

While interviewees concurred that pilots are a valuable way to begin an Enterprise 2.0 ini;a;ve, some had

reserva;ons about them. Many stressed that if pilots are used, it is very important to give users an easy and

obvious feedback loop. Others offered other caveats on using a pilot. For example some felt that Enterprise 2.0

had to be deployed on a wide‐scale from the outset, otherwise its value would not be understood.

s/C ‐ "No, we don't necessarily think that pilots are a good idea if they are done in a typical pilot fashion, namely, you pick a small department or a small team and you try this stuff out. We think that the benefit from Enterprise 2.0 comes from the economies of scale, the large scale network. You need to get it to as many people as you want. So our pilot approach…was peculiar in some people's eyes … It was a pilot that went to everyone. A consequence of that was because it was a pilot we were also able to get started before we had sorted out all of the formal problems. And we got official, formal allowance to do that.”

But even in cases where pilo;ng takes the form of wide‐scale experimenta;on in an unofficial capacity,

interviewees warned that privacy cannot be ignored. Eventually it will have to be dealt with, and the project

manager needs to be ready for that.

s/C – “For us, Enterprise 2.0 was a grassroots effort. We allowed these [unofficial wide‐scale pilots] so that innova1on could occur and it went on for almost three years. At that point I came in with a strategy to globalize this and standardize it. Suddenly all the privacy, security, and legal pundits were coming out of the woodwork wan1ng to have a look and have some input.”

C ‐ “Because our company values boOom‐up ini1a1ves it [compliance and legal] is not that big of a problem. What is a problem, of course, then, is that the adop1on slows up significantly if and when these boOom‐up ini1a1ves are picked up so that it would grow. Usage would grow much more quickly than it does now. I'm sa1sfied with the growth, for instance, of our micro‐blogging plaiorm but it could go much, much more quickly if the steering commiOee would say, ‘Hey this is interes1ng. This is innova1on. Let's cul1vate this and give some money or some resources to really work on what's happening there.’ But then legal will say ‘No’, and then the organiza1on will say, ‘Well we want it anyway,’ and then they'll say, ‘Well make sure you do this and this and this.’ And then ... yeah, you find yourself back to business.”



Interes;ngly enough, the S and S/c‐type organiza;ons interviewed warned against this outcome of pilots as well,

and perhaps because of their culture, argued that privacy needs to be addressed right up front as part of the pilot,

whereas the C and s/C types encourage rogue unofficial use and deal with the compliance issues later. This appears

to be a basic philosophical difference.



LESSONS LEARNED AND RECOMMENDATIONS

This report concludes with targeted advice from these pioneers of successful Enterprise 2.0 ini;a;ves across

Europe. Each interviewee was asked “What advice would you give to an organiza;on that was embarking on an

Enterprise 2.0 project now that involved par;cipants in the EU?” Their answers follow.

It is interes;ng to note that some began their response with a “this is what worked for us” comment/approach,

while others began from a “if we had to do it over” perspec;ve. No;ce they all men;on governance, but not

always as the first step. No;ce the similari;es amongst shared corporate cultures (e.g. both S‐type organiza;ons

stress gefng the soaware vendors involved early.) No;ce the difference in the level of detail, a symptom also

apparently associated with corporate culture.

Advice From an S-Type Organization

1. “When buying sokware be sure to know the terms of use and where the sokware collects personal data.”2. “Make par1cipa1on op1onal.”3. “Track where and why users are choosing not to par1cipate and react by trying to accommodate their needs and concerns.”4. ”Do not own the content. Look at it as a holding place for personal data. You are a trustee and therefore morally should only use it for limited reasons and let the individual owners get value out of it.”5. “Be sure to provide documented social compu1ng guidelines – a policy that is official, that sets a good moral compass, and be sure to have all par1cipants sign it yearly.”

Advice From an S-Type Organization

1. “Be proac1ve. Bring all par1es to the table from the outset. This includes not only the E2.0 team, but also HR, security/risk personnel and the vendors of sokware.”

2. Deal with issues of security and privacy early on and deal with them directly. Use a pilot to iden1fy them and push 1ll you get through it.

3. Begin in areas where confiden1al data is not a major issue to being with. Stay within the firewall and applica1ons where the associated content – if it was leaked – would not be damaging. This gives you ability to learn.”

Advice From an s/C-Type Organization

1. “Consciously reach out to and involve key stakeholders from every major region and/or country from the get go.”2. “Address privacy issues in a pro‐ac1ve way from the beginning.”3. “Realize it's [strategy and specifically dealing with the balance between access and compliance] an on‐going process; it never stops. It's not a one‐1me thing.”



Advice From an S/c-Type Organization

1. “Before all else, put governance ahead of everything. It is a key part of your effort. Make sure that you do a risk assessment right away. If your business resides in Europe make sure that you've got legal consulta1on on any privacy concerns that would affect Europe. Shape your solu1on via the governance you have in place otherwise you put your efforts more at risk. Be sure to have policies on how you're going to handle situa1ons in place first. It's almost like an insurance policy, don't wait un1l you get into a car accident to get insurance, Buy the insurance policy up front, before you start driving your car.”

Advice From a C-Type Organization

1. “Begin by selling the value of the project. Demonstrate how the knowledge management exchange is happening to get people on board.”2. “Don’t let security stand in your way. Remember security concerns are solvable.”

Advice From a C-Type Organization

1. “Go for it. There is too much to lose by not doing it. Don’t analyze the situa1on too much. Show how that E2.0 can work and demonstrate the value to the organiza1on. Do not over strategize.”



About The 2.0 Adop6on Council and Informa6on

Architected

THE 2.0 ADOPTION COUNCIL

The 2.0 Adop;on Council is a peer‐based, informa;on‐sharing group focused on the latest thinking, best prac;ces,

case studies, and helpful ;ps associated with execu;ng socio‐collabora;ve strategies and projects in the large

enterprise.

The Council offers members a unique advantage: direct access to a network of peers where learning can occur

directly in real‐;me. It is the first organiza;on of its kind‐‐ built from the ground up leveraging the flexibility and

universal access offered by the new genera;on of Web 2.0 plaLorms. The members of the Council are themselves

leading‐edge users and evangelists of Enterprise 2.0 technology within their organiza;ons.

The 2.0 Adop'on Council publishes reports for three intended audiences:

1. Corporate Prac''oners. These are individuals and teams whose organiza;onal role and responsibility is

to execute an Enterprise 2.0 vision. This oaen;mes involves planning, tool and plaLorm selec;on,

training, and a comprehensive roll‐out that will impact the work and behaviors for thousands of

employees. These prac;;oners may emanate from different lines of business within an organiza;on, but

they typically have a leadership role. The 2.0 Adop;on Council is composed solely of corporate

prac;;oners. Effec;vely, we are primarily addressing our peers with this report and seek to help them

by sharing the prac;ces that have helped us succeed.

2. Strategic Consultants. There is a growing ecosystem of advisors, analysts, consultants, system

integrators, and other such intermediaries who help organiza;ons. These third‐party individuals and

groups offer services to help select technologies and iden;fy process changes. We address these

marketplace players and seek to share with them some of the ways we have dealt with specific issues

we’ve iden;fied from the inside.

3. Product Vendors. There is a large collec;on of vendors who offer Enterprise 2.0 products and solu;ons.

Some also offer strategic consul;ng and implementa;on services. We seek to share with them our

journey. We believe this report will help them refine their products and approach to take into account

some of the challenges we have highlighted and addressed in our framework.



We are open to comments on this report and welcome your feedback. To share your thoughts privately, please

email ReportFeedback@20Adop;onCouncil.com.

Susan Scrupski, Founder

The 2.0 Adop;on CouncilVisit us at: www.20adop;oncouncil.com and www.20adop;oncommunity.com

INFORMATION ARCHITECTED AND CARL FRAPPAOLO

Informa;on Architected (IAI) is a consultancy, based in Boston, MA, focused on the intelligent use of content,

knowledge and processes to drive innova;on and thrive in a digital world. Its founders, Carl Frappaolo and Dan

Keldsen together have over 45 years of experience in informa;on and knowledge management. They offer three

basic lines of service: consul;ng, training workshops and market research.

IAI is the market research partner for The 2.0 Adop;on Council.

h_p://www.informa;onarchitected.com

Carl Frappaolo

Carl Frappaolo is globally recognized as a thought leader, entrepreneur, keynote speaker, strategy advisor, and

prolific author. He has founded 3 companies, had four books published and and has consulted with the who’s who

of the corporate and public sector on innova;on, informa;on, process and knowledge management. He is

currently co‐founder of Informa;on Architected.

His professional blog can be found at TakingAIIM.com and you can join his networks at LinkedIn and Facebook, or

follow him on Twi_er @carlfrappaolo.



mailto:[email protected]

mailto:[email protected]

http://www.20adoptioncouncil.com

http://www.20adoptioncouncil.com

http://www.20adoptioncommunity.com

http://www.20adoptioncommunity.com

http://www.informationarchitected.com

http://www.informationarchitected.com

http://www.takingaiim.com/

http://www.takingaiim.com/

http://www.linkedin.com/in/CarlFrappaolo

http://www.linkedin.com/in/CarlFrappaolo

http://www.facebook.com/people/Carl-Frappaolo/624241196

http://www.facebook.com/people/Carl-Frappaolo/624241196

http://twitter.com/carlfrappaolo

http://twitter.com/carlfrappaolo

implementing enterprise 2.0 within the eu

Documents

primary focus

strict focus

adoption council austin

pressure mandates adoption

floor boston

european union transparency

post office square

increased reach