Author: Asha McLean / Source: ZDNet
Under privacy laws, organisations should only be collecting the minimal amount of data needed to manage the relationship with a customer, NetApp chief privacy officer Sheila Fitzpatrick has said, noting that if an organisation suffers a breach, holding minimal information can lessen the overall risk.
“If you have a cyber attack, you’re going to have to justify why you were collecting certain data,” Fitzpatrick said.
She said questions are bound to arise as to why an organisation even held data that it didn’t explicitly tell customers it was collecting.
Of concern to Fitzpatrick is that a lot of organisations seem to think privacy is synonymous with security, and that having a security solution in place solves the privacy aspect.
“If you’re encrypting data you’re not legally allowed to have, security’s not going to help you,” she said.
“If you don’t have your privacy compliance program in place, and you’re not obtaining the consent, and you’re not handling that data in the way that you’re allowed to handle it, but you say, ‘oh, we encrypted it’ — what good does that do you from a privacy perspective if you’re not legally allowed to have that data?”
Speaking with ZDNet while in Sydney for the Data + Privacy Asia Pacific conference last week, California-based Fitzpatrick said that gone are the days when data collection consent is obtained via a terms and conditions (T&Cs) form comprising buzzwords and legal jargon that only someone with a law degree can dissect.
“The problem became, the T&Cs were so complicated and ambiguous that you really weren’t…