January 2021
At NetApp, privacy is more than a list of do’s and don’ts, or policies and processes. It’s integral to our culture. But culture varies significantly around the world—how do you know what NetApp’s corporate culture is really like? Our culture is best described in our underlying values of trust and integrity, as well as the principles on which we’ve built this culture, including NetApp’s privacy principles.
A principle is defined as “a comprehensive and fundamental law, doctrine, or assumption.” Privacy principles are therefore the underlying doctrine and rules that we follow in handling personal information.
The concept of privacy principles is not unique to NetApp. In fact, the Organization for Economic Co-operation and Development (OECD) has been setting principle-based guidelines for the protection of privacy since the 1980s. Privacy principles are also the baseline of the European Union’s General Data Protection Regulation (GDPR), and other governmental and nongovernmental organizations have agreed on their own generally accepted privacy principles.
NetApp’s eight privacy principles are based on our core values, set out in our Code of Conduct. For years, they’ve been stated in our internal documentation and training. NetApp has also aligned them with principles set forth by the OECD and the GDPR, and we commit to these privacy principles in our Binding Corporate Rules.
NetApp is committed to processing personal information fairly and lawfully. NetApp collects and uses personal information only for legitimate business needs, as outlined in the NetApp Privacy Policy and our products and services contracts. Our Privacy Policy has been revamped to more clearly and openly define these business needs, as well as delineate how the various contexts of our business influence our practices for data collection, use, processing, storage, sharing, and transfer. It is supported by internal policies, processes, and playbooks that are designed to ensure ongoing compliance with our commitments and our obligations under applicable laws.
NetApp specifies the purpose of the collection and use of personal information in our contracts. Primarily, this information is used in the process of doing business with our customers and running our own operations. Because the purpose for which we collect and use data varies by context, we’ve updated the NetApp Privacy Policy to reflect the various contexts under which we collect and use data, and to specify the related purposes for collection and use.
NetApp implements policies, processes, and playbooks to ensure that the personal information collected is limited to that which is necessary to meet the specified purposes. This includes privacy-by-design reviews of data collection and use practices, records-retention and handling policies, global corporate training on the protection of personal information, and technical and organizational processes designed to restrict unauthorized processing of personal information.
NetApp maintains policies and systems designed to ensure that reasonable steps are taken to help maintain the accuracy and completeness of all personal information. We offer self-service tools that our employees, customers, stakeholders, and partners can use to correct data about themselves, as well as email and telephone support (1-877-263-8277) where self-service is not available.
NetApp maintains technical, administrative, and organizational measures designed to prevent accidental destruction, loss, alteration, and protect against unlawful processing of and unauthorized access to personal information. These include designing and implementing security safeguards that are appropriate for the nature of the personal information in a system and the harm that could occur if the system were breached. These measures include a detailed incident response policy and procedure designed to promptly respond to and notify individuals of breaches of personal data. These processes may be included and documented in our third-party compliance certifications.
The principle of openness is built on the need to ensure that companies make information about their privacy policies and practices readily available. NetApp does this through our Privacy Policy and continuous research for ways to improve our communications and engagement, including building out additional resources such as the NetApp Trust Center and the information it contains.
Our commitment to openness goes beyond transparent publication of our business practices. It is also rooted in our corporate values of trust and integrity. Candor, honesty, and respect for the individual are core to our values, as expressed in the NetApp Code of Conduct. Openness in our treatment of personal information is one of the many ways in which we embody these values.
NetApp recognizes and respects individuals’ rights to participate in decisions about how their data is used and processed. Our commitment to individual participation is demonstrated in our self-service centers so that individuals can correct their data, and through multiple means of contact so that individuals can exercise their rights. It is also demonstrated in our privacy-by-design principles to help ensure that individual requests can be responded to appropriately and in a timely manner. The value we place on adaptability—our ability to evolve as global laws develop on the subject of individual participation rights—further testifies to this commitment.
All these principles would collapse without accountability for compliance. NetApp demonstrates our commitment to be accountable for protecting personal information through our Code of Conduct and global team of privacy specialists. Every employee at NetApp—all the way up to the CEO and the board of directors—is trained and held accountable for their role in protecting the personal information we control or process. We provide training and resources for our employees through our network of specialists, including our data protection officer in Europe and our chief privacy officer, who is responsible to our general counsel and board of directors.
Global data privacy laws are in a constant state of flux. Every few months, another state or country introduces new legislation or amends legislation designed to protect the personal information of its citizens or residents. Treating these as individual checkboxes for legal compliance could become an infinite list of tasks, paralyzing teams trying to innovate privacy solutions at scale. Fortunately, the vast majority of these laws to date share a foundation of common principles. By focusing first on principles, NetApp has designed a privacy program that scales to meet the evolving global legal environment.