using social business software and being compliant with eu data protection law - presented by olaf...
TRANSCRIPT
Using Social Business So/ware and being compliant with EU
data protec9on law
Olaf Boerner, BCC 14.11.2014
Agenda: Using Social Business So/ware and being compliant with EU data protec9on law
1. Short Introduc9on to EU Data Protec9on Law 2. Implica9ons for using social business
so/ware 3. Data protec9on and Cloud based social
systems
About me • Studied Business Administra9on and Computer Science
• Notes Administrator / Developer since 1994 • CEO and Founder of BCC in 1996 • Working as project manager senior architect with large enterprise customers – Securing IBM Social Business infrastructures – reducing Total cost of Ownership of IBM Social Business Infrastructures thru automa9ng Administra9on
• IBM Champion in 2014 • TwiVer: @OlafBoerner
Short Disclaimer J
I am not a lawyer ! This presenta9on does not provide
any legal advices
Introduc9on EU Data Protec9on Law
• Data Protec9on within the EU is not op9onal – It’s not an advice or best prac9ce – It’s not a silly german idea – it´s the law ! – In all EU Member States and Non-‐EU Member States that are part of the European Economic Area
Consequences of privacy breaches
• Consequences depend on the law of the member state
• Examples – Germany: § 43 German Federal Protec9on Act up to 300.000 EURO
– UK: ICO up to £ 500.000 • Reputa9onal damage as a result of press reports etc
• Many contracts allow customers and/or supplier to quit contracts
Sony fined £250,000 a/er millions of UK gamers’ personal informa9on
compromised • PlaySta9on Network Plaeorm was hacked in April 2011
• An ICO inves9ga9on found that the aVack could have been prevented if the so/ware had been up-‐to-‐date, while technical developments also meant passwords were not secure.
hVp://ico.org.uk/news/latest_news/2013/ico-‐news-‐release-‐2013
ICO fines Bank of Scotland
• “ICO fines Bank of Scotland for “unforgivable” breach of Data Protec9on Act in August 2013, following repeated instances of customer details being sent to the wrong recipients.”
• h"p://www.compu,ng.co.uk/ctg/news/2287087/ico-‐fines-‐bank-‐of-‐scotland-‐for-‐unforgivable-‐breach-‐of-‐data-‐protec,on-‐act
Reputa9onal damage
hVp://brianpennington.co.uk/2012/08/16/who-‐has-‐breached-‐the-‐data-‐protec9on-‐act-‐in-‐2012-‐find-‐the-‐complete-‐list-‐here/
Pharmacist who worked for West Essex Primary Care Trust
OK, OK please explain the law
The difference between US & EU
• Privacy – ACT Code of Fair Informa9on Prac9ce that governs the collec9on, maintenance, use, and dissemina9on of personally iden9fiable informa9on about individuals that is maintained in systems of
• Data Protec,on – law on the processing of data on iden9fiable living people. It is the main piece of legisla9on that governs the protec9on of personal data
Source: wikepedia
Direc9ve 95/46 EC • Member states must transpose direc9ve
– Germany: Federal Data Protec9on Act (Bundesdatenschutzgesetz)
– UK: ICO Data Protec9on Act and Privacy and Electronic Communica9ons Regula9ons 2003
• Implementa9on varies from member state to another
• EU plans to unify data protec9on with a single law – General Data Protec9on Regula9on
Legal Scope of Direc9ve 95/46 EC
• Territorial scope: – EU Member States and – Non-‐EU Member States that are part of the European Economic Area
• Iceland, • Norway and • Liechtenstein
• Material scope: – processing of – personal data
Processing Personal Data
• Processing = „any opera9on ... which is performed on personal data, whether or not by automa9c means, such as collec9on, recording, organiza9on, storage, adap9on or altera9on, retrieval, consulta9on, ...(art 2b)
• So what is personal data ?
Data is personal
if they relate to an iden9fied or at least
iden9fiable person, (data subject)
if addi9onal informa9on can be obtained without unreasonable effort,
allowing the iden9fica9on of the data subject
Examples for personal data
• Name, • Email adress, • Postal address, • bank statements, • credit card numbers … • Dynamic IP Number ?
Personal or not personal ?
• Data is anonymised if they no longer contain any iden9fiers
• Anonymised data are not personal data • Therefore no data protec9on law applicable • Anonymise Data is currently this only best prac9ce to convert personal data instead of dele9ng these data
Who is the responsible for Data Protec9on ?
• Responsible party is called „Controller“ – Natural or ar9ficial person, – public authority, – agency .. – which determines the purposes and means of the processing of personal data
• Must be related to EU ! – controller is established or operates within the EU – controller uses equipment located inside the EU to process personal data
Rules for processing Personal Data Personal Data should not be processed
except certain condi9ons are
met:
Transparency Propor9onality Legi9mate purpose
Legi9mate purpose Data may be processed:
When the processing is necessary for the performance of or the entering into a contract
When the processing is necessary for compliance with a legal obliga9on
When processing is necessary to protect the vital interest of the data subject or
The data subject has given his consent
Summary – Data Protec9on
• In prac9ce the issue of data protec9on refers to all businesses which electronically process data, – from wage accoun9ng of their own employees, – collec9ng of customer data, – storing one of these data in the cloud
• mainly legi9ma9on based – on performance of a (future) contract or – on a given consent by data subject
Part II. Implica9ons for using social business so/ware
• Social Business So/ware – So/ware systems that primarily func9ons to allow SOCIAL user collabora9on and communica9on
• Focus to people‘s business networks – Profiles: TINE ‘s Key applica9on colle9ng HR Data and CVs
– Blogs – Ac9vi9es – Status and Open Calendar’s
Social „Intelligence“
�
Social „Intelligence“
Best prac9ces for social business
• Balancing of enterprise vs personal interests is absolutely mandatory
• Consent of employees might be required – German legal prac9ce: simple directory of experts containing name, job descrip9on etc are considered as legi9mated processing
– For directories with extended func9onali9es the consent of each data subject is necessary
– a consent is valid for the dura,on of the employment only
Best Prac9ce: Recommenda9on
• You need a legal permission or consent of the data subject to be on the safe side – Employee – External users
• You need a procedure to deal with users leaving company or social network – They might leave “peacefully” BUT – Employee consent will end when leaving the company – Ex Employee can withdraw their consent and/or request for data dele9on
When do you share knowledge ?
„In a social enterprise, your value will not be what you know; it will be what you share.“ IBM CEO Ginni RomeVy
You need confidence and trust in data protec9on to share knowledge
Part III. Social Business in the cloud
• Social Business Systems are moving cloud first – IBM Connec9ons Cloud – Office 365
Microso/ declared to stop developing On Premise Collabora9on Products a/er 2015 IBM is s9ll providing On Premise but would love to move YOU to the cloud • 1.2 Billion $ Investment for Cloud business
Responsibility for data protec9on in the cloud ?
Data processing in cloud services is
subject to European and na,onal data protec9on law
Responsibility for data protec9on lies with the customer using the cloud services
What are customers responsibili9es ?
WriVen contract for carrying out data
processing on behalf is mandatory
Determina9on where the data is technically
processed
Cloud provider should be obliged to use technical infrastructure within the European Economic Area
Processing personal data in the cloud
• Processing of personal data needs to be legi9mated either – by a legal permission or – by consent of the data subject
• But – Legal permission is limited as we have seen already – Individual Consent of every cloud user might be difficult to obtain
• Solu9on ?
Processing personal data on behalf
A company may choose another organisa9on to process data on its behalf : data processor
Company remains responsible for ensuring its processing complies with data protec9on law
Where a data processor is used the data controller must ensure that suitable arrangements are in place in order to comply with data protec9on law
TRANSPARENCY is No1 issue in the cloud
Personal Data should not be processed
Transparency Propor9onality Legi9mate purpose
So how to deal with cloud providers ?
• Cloud provider must disclose where data processing takes place
• Cloud provider must implement appropriate technical and organisa9onal measures in order to protect personal data
• Cloud user has to review such measures • Agreement whether cloud provider may assign subcontractors – Where is the subcontractor located, where is the data ?
Exkurs Cloud and Data Transfer
• Direc9ve 95/46 EC prohibits transfer of personal data to Non-‐EU countries that do not meet the EU´s adequacy standard for data protec9on
• Within the EU -‐ adequate level of data protec9on • Outside of Europe it depends
– Safe third countries: • Switzerland, Canada, Israel, Argen9na, New Zealand, Australia, Uruguay
• USA (Safe Harbor) • Andorra, Faeroe Islands, Guernsey, Isle of Man, Jersey
Data Transfer to the United States
• Safe Harbor Framework – Recognised by the EU Commission as providing adequate protec9on
– Cloud providers in the US can sign up to the Safe Harbor Scheme
– A list of organisa9ons that have joined Safe Harbor is available at hVp://www.export.gov/safeharbor/
– It may be advisable to combine Safe Harbor and EU Standard Contractual Clauses in cases of doubt
Cloud and Data Transfer data transfers
• Countries outside EU with no adequate level of data protec9on: – use the EU Standard Contractual Clauses
• hVp://ec.europa.eu/jus9ce/data-‐protec9on/document/interna9onal-‐transfers/transfer/index_en.htm
– Sufficient safeguards for data protec9on such as • Binding Corporate Rules (BCR) • EU Standard contractual clauses (for the transport of personal data to processors established in third countries)
