Under privacy laws, organisations should only collect the minimum amount of data needed to manage the relationship with a customer, NetApp chief privacy officer Sheila Fitzpatrick has said, noting that if an organisation suffers a breach, holding minimal information lessens the overall risk.
"If you have a cyber attack, you're going to have to justify why you were collecting certain data," Fitzpatrick said.
She said questions are bound to arise as to why an organisation even held data that it didn't explicitly tell customers it was collecting.
Of concern to Fitzpatrick is that a lot of organisations seem to think privacy is synonymous with security, and that having a security solution in place solves the privacy aspect.
"If you're encrypting data you're not legally allowed to have, security's not going to help you," she said.
"If you don't have your privacy compliance program in place, and you're not obtaining the consent, and you're not handling that data in the way that you're allowed to handle it, but you say, 'oh, we encrypted it' -- what good does that do you from a privacy perspective if you're not legally allowed to have that data?"
Speaking with ZDNet while in Sydney for the Data + Privacy Asia Pacific conference last week, California-based Fitzpatrick said that gone are the days when data collection consent is obtained via a terms and conditions (T&Cs) form comprising buzzwords and legal jargon that only someone with a law degree can dissect.
"The problem became, the T&Cs were so complicated and ambiguous that you really weren't consenting to what those organisations were doing with your data; you were consenting to use their service and you were consenting to provide certain information that they needed, but you never really consented to having that data sold to a third-party, to be shared on the internet, to have organisations trawl through your social media to find information for you to be marketed to -- there's no way that you consented to that," she said.
"That's when privacy laws started to step up and say, 'The individual holds his or her data, not the organisation collecting it.'"
Moving forward, Fitzpatrick said those very ambiguous and cumbersome T&Cs will no longer be valid; rather they have to be clear, explicit, unambiguous, and easily understood.
Fitzpatrick said that although Europe has traditionally had the most restrictive laws, Asia Pacific is somewhat surpassing it. However, organisations in Europe have always had to obtain the explicit consent of the individual to store data in order to provide goods and services -- unless there was no way to provide services without having that data.
With Europe's General Data Protection Regulation (GDPR) coming into play next May, organisations need to have the explicit consent of an individual to store information on them.
"Outside of Europe, particularly in the US, Canada, and APAC, there was never a distinction between implied and forced consent or explicit consent," she said. "The laws were never really clear about what type of consent, whether it had to be explicit, whether implied consent was okay."
Although the GDPR only applies to organisations that have an establishment in the EU, that offer goods and services in the EU, or that monitor the behaviour of individuals in the EU, Fitzpatrick believes it is organisational best practice to look to the most restrictive laws in any jurisdiction where the organisation has a presence and to map its privacy strategy to those. In theory, that will cover every less restrictive regime below it.
With 35 years' experience in the industry, the international privacy attorney explained that as the GDPR is more restrictive than the current Australian Privacy Act 1988, it is going to take precedence when it comes to investigating and prosecuting Australian-based organisations that offend under the GDPR.
"My message is always around: Your greatest asset is data and it also can be your greatest detriment," Fitzpatrick added.