Data privacy law compliance ‘not an obstacle’: NetApp lawyer

Ensuring compliance with data privacy laws is not an obstacle for enterprises, it’s a competitive advantage, claims NetApp’s chief privacy officer Sheila FitzPatrick.

A major “selling factor” is an organisation’s respect for an individual’s privacy; its transparency around what customer data is being used for; and ensuring its third-party providers are also complying with privacy legislation, FitzPatrick told CIO Australia.

“I want to do business with a company that I know for a fact takes privacy seriously rather than a company that sits there talking to me about encryption,” she said.

FitzPatrick – who advocates state privacy laws, working with the United States government, Council of the European Union, and data protection agencies worldwide – was in Australia to discuss the impact of our forthcoming data breach notification laws.

“To me, security is granted. I am never going to do business with a company that doesn’t care about security. But fundamentally if you don’t care about privacy, it’s not really going to matter,” she said.

Australia’s data breach notification laws – which will come in effect by 22 February 2018 – impose mandatory investigation and notification requirements on most businesses with an annual turnover greater than $3 million.

Fitzpatrick said she had met with people from hundreds of companies during her Australian tour and feels that only 40 per cent are aware of how the forthcoming legislation will impact their industries.

“Out of that 40 per cent, probably 95 per cent are thinking about GDPRs [the new European general data protection regulations], maybe five to 10 per cent might have heard about China’s new cyber security law and the data privacy components within that. Maybe less than one per cent have heard about Japan’s Protection of Personal Information Act, which came into effect on May 31 of this year.”

FitzPatrick said Australian organisations tend to view data privacy compliance regulations as “noise in the background” and aren’t necessarily paying too much attention to how the new laws will affect their operations.

“I know a lot of organisations are aware of the laws [Australian Privacy Principles] in Australia but I think a lot of organisations give lip service to it; there’s not a lot of enforcement,” FitzPatrick said.

But that’s going to change due to the new laws and Australia’s push to entice overseas businesses to invest here, she said.

"It’s a great country to invest in and a great place to live but that privacy laws are going to have to be in place and enforced to entice some of those businesses.”

In comparison, US-based Fitzpatrick said America has some of the least restrictive data privacy laws compared to the rest of the world. Data privacy is not normally at the forefront of what many US-based multinational companies “are looking at,” she said.

“Although the US government does talk about it, there are no laws mandating the protection of personal data to the extent that you see outside of the US.

“We certainly have in the US confidential obligations – protection around regulated industries, healthcare, government and financial information – but it’s a self-regulated regime as opposed to a legal regulatory framework that we have to comply with,” she said.

Follow CIO Australia on Twitter and Like us on Facebook… Twitter: @CIO_Australia, Facebook: CIO Australia, or take part in the CIO conversation on LinkedIn: CIO Australia

Follow Byron Connolly on Twitter: @ByronConnolly