Digital Workplace, Collaboration & GDPR

Digital Workplace and Collaboration

Employees expect organizational collaboration, communication and connectivity to meet or exceed the technologies currently available on the consumer market. In other words, people working in companies expect to collaborate at work in the same ways they can at home.

The gig economy is here, and it is supported by collaboration and social technologies. The digital workplace is the unbinding and liberating movement from being stuck in a cube to being able to operate from anywhere at any time. This global movement and practice lets us execute in new and exciting ways. Doctors can examine patients in far-away places, you can hold a meeting from anywhere, and you can close physical offices and have teams work virtually. These new ways of collaborating and working can break down language barriers and create new ways to educate people in remote settings. These technologies are truly changing everything.

The challenge that comes along with this new technology is control over data and knowledge about individuals. Data theft and identity theft have increased at exponential rates. Companies are using data they gained legally in new ways that border on a breach of ethics. US law and regulation haven't kept up with the changes in technology. Our digital footprint is more like a digital archive: we leave traces and data about ourselves wherever we go, and there is an expectation today that, as individuals, we can be found on the internet. In the US there is no specific right to privacy and control of our data. This basically means that if we put something out on the network, there is an expectation that our data can be found and used.

This is true of the use of data inside companies as well. If we collaborate or leave data in an organization we work in, that data can persist indefinitely. While there may be no reason to fear, many companies don't need this data and shouldn't keep it. Retaining it may create additional risk for individuals or for the company itself.

The EU as a body addresses some of these concerns in the form of basic rights for EU citizens, and it extends the same protection to EU residents.

The Basics

GDPR was created to protect EU citizens and residents in accordance with the EU Charter of Fundamental Rights. This charter covers many areas of basic rights for EU citizens. (Full charter)

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION

The peoples of Europe, in creating an ever closer union among them, are resolved to share a peaceful future based on common values.

Conscious of its spiritual and moral heritage, the Union is founded on the indivisible, universal values of human dignity, freedom, equality and solidarity; it is based on the principles of democracy and the rule of law. It places the individual at the heart of its activities, by establishing the citizenship of the Union and by creating an area of freedom, security and justice.

The Union contributes to the preservation and to the development of these common values while respecting the diversity of the cultures and traditions of the peoples of Europe as well as the national identities of the Member States and the organisation of their public authorities at national, regional and local levels; it seeks to promote balanced and sustainable development and ensures free movement of persons, services, goods and capital, and the freedom of establishment.

To this end, it is necessary to strengthen the protection of fundamental rights in the light of changes in society, social progress and scientific and technological developments by making those rights more visible in a Charter.

This Charter reaffirms, with due regard for the powers and tasks of the Union and for the principle of subsidiarity, the rights as they result, in particular, from the constitutional traditions and international obligations common to the Member States, the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Social Charters adopted by the Union and by the Council of Europe and the case-law of the Court of Justice of the European Union and of the European Court of Human Rights. In this context the Charter will be interpreted by the courts of the Union and the Member States with due regard to the explanations prepared under the authority of the Praesidium of the Convention which drafted the Charter and updated under the responsibility of the Praesidium of the European Convention.

Enjoyment of these rights entails responsibilities and duties with regard to other persons, to the human community and to future generations.  (Article 8 for data)

Article 8

Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

GDPR Definition – the authoritative documentation. Reading the authoritative text is a bit exhausting, but it is important to understand the law and its intent to protect EU citizens.

Data Protection

A major concern for US and global companies is the regulation's territorial reach. One summary of the change (see the links below) puts it this way:

Territorial Reach

“The “extra territorial” reach of the GDPR is a key change that all non-EU entities will need to be aware of. Previously, EU law in this area applied only to those entities that control the use of the data and have some sort of establishment or equipment in the EU. However, the GDPR applies directly to any entity that processes personal data about EU residents in connection with (i) the offer of goods or services in the EU; or (ii) the monitoring of behavior in the EU. Jurisdiction will therefore be measured digitally rather than physically, paying less attention to the physical location of the entity undertaking the processing. When assessing this reach, regulators will look to a variety of factors, including how a website references EU individuals, the currencies accepted and languages used. In addition, any profiling of EU individuals will fall squarely within these criteria. This is a huge shift and something that entities that were previously outside the scope of the current law but are now likely subject to the GDPR will need to absorb over the coming months.”

Read on at https://apps.americanbar.org/litigation/committees/technology/articles/spring2016-0516-eu-general-data-protection-regulation.html and https://www.compliancejunction.com/gdpr-for-us-companies/

Awareness

Last month, I sat down with a large group of CIOs and raised GDPR as a question. Most of them were unaware of GDPR and hadn't taken any action. On May 25th, 2018, GDPR becomes enforceable. If you haven't heard, the fines are designed to encourage companies to follow the regulation. I am willing to bet that a few US companies, along with global companies, will be first on the list.

Forbes thoughts on GDPR

There is also a “privacy shield” framework between the US and the EU: the US-EU Privacy Shield.

Things to Do

The clock is ticking, and while most companies are focused on data coming from external consumers or customers, many are not concerned with the EU citizens inside their own organization.

The first thing to do is audit organizational risk around internal systems and employees. Going beyond this initial audit, companies should be looking at technologies that allow for the discovery, tagging and masking of high-risk data.

Working with a trusted partner or third-party service, with the appropriate budget, should be on the table. If we consider the fine of 4% of revenue or 20m Euro, the investment will be well worth it. I believe the companies fined first will be more of a show to the world that the EU means business. It will be both a financial hit and a public show of the seriousness of the EU's intent to protect her citizens.