Earning trust through principled privacy operations and transparency.
At NetApp, privacy is more than a list of do’s and don’ts, or policies and processes. It’s integral to our culture. But culture varies significantly around the world—how do you know what NetApp’s corporate culture is really like? Our culture is best described in our underlying values of trust and integrity, as well as the principles on which we’ve built this culture. This includes NetApp’s Privacy Principles.
A principle is defined as “a comprehensive and fundamental law, doctrine, or assumption.” Privacy principles are therefore the underlying doctrine and rules that we follow in treating personal information. Privacy principles are not a concept unique to NetApp. In fact, the Organization for Economic Co-operation and Development (OECD) has been setting principle-based guidelines for the protection of privacy since the 1980s.
Privacy principles are also the baseline of the EU General Data Protection Regulation (GDPR). Other governmental and nongovernmental organizations have agreed on their own generally accepted privacy principles. Across member countries of the OECD, these principles are aligned to address the following areas:
NetApp’s Privacy Principles are not new. These principles are based on our core values, set out in our Code of Conduct. For years, they’ve been stated in our internal documentation and training. NetApp has built these privacy principles on our core values and aligned them with principles set forth by the OECD and the GDPR. We also commit to these privacy principles in our Binding Corporate Rules.
Purpose specification and use limitation
Collection limitation and data minimization
NetApp implements policies, processes, and playbooks designed to ensure that the personal information collected is limited to that which is necessary to meet the specified purposes. This includes privacy-by-design reviews of data collection and use practices, records-retention and handling policies, global corporate training on the protection of personal information, and technical and organizational processes designed to restrict unauthorized processing of personal information.
Personal information is kept accurate and up to date. NetApp maintains policies and systems designed to ensure that reasonable steps are taken to help ensure the accuracy and completeness of such personal information. We maintain self-service tools that our employees, customers, stakeholders and partners can use to correct data about themselves, as well as email and telephone support where self-service is not available.
NetApp maintains technical, administrative, and organizational measures designed to prevent accidental destruction, loss, alteration, and unlawful processing of and unauthorized access to personal information. These include designing security measures that are appropriate for the nature of the personal information present in a system and the harm that could occur if the system were breached. These measures include a detailed incident response policy and procedure designed to promptly respond to and notify individuals of personal information data breaches. These processes may be included in our third-party compliance certifications.
Openness and transparency
Our commitment to openness goes beyond transparent publication of our business practices. It’s also rooted in our corporate values of trust and integrity. Candor, honesty, and respect for the individual are core to our values, as expressed in Our Code of Conduct. Openness in our treatment of personal information is one of the many ways in which we embody this value.
NetApp recognizes and respects individuals’ rights to participate in the decisions regarding how their data is used and processed. Our commitment to individual participation is demonstrated in our self-service centers where individuals can correct their data, and through our multiple means of contact where individuals can exercise their rights. It is also demonstrated in our privacy-by-design principles to help ensure that individual requests can be appropriately responded to in a timely manner and in the value we place on adaptability—our ability to evolve as global laws develop on the subject of individual participation rights.
All these principles will collapse without accountability for compliance. NetApp demonstrates our commitment to be accountable for our protection of personal information through Our Code of Conduct and global team of privacy specialists. Every employee at NetApp is trained and held accountable to their management—all the way up to the CEO and Board of Directors—for their role in protecting the personal information we control or process. We provide training and resources for our employees through our network of specialists, including our Data Protection Officer in Europe and our Chief Privacy Officer, who is responsible to our General Counsel and Board of Directors.
Global data privacy laws are in a constant state of flux. Every few months, another state or country introduces new legislation or amends legislation designed to protect the personal information of its citizens or residents. Treating these as individual checkboxes for legal compliance could become an infinite list of tasks paralyzing teams trying to innovate privacy solutions at scale. Fortunately, the vast majority (to date) of these laws have shared a foundation of common principles. By focusing first on principles, NetApp has built a privacy program that is designed to scale to meet the evolving global legal environment.
NetApp’s approach to global data privacy laws and the movement of data across national borders
How we collect, use, process, store, transfer, and disclose personal information
The OECD plays a key role in promoting respect for privacy as a fundamental value, especially as it relates to the free flow of personal data across borders.