wp-oracle-ns-data-privacy

The document outlines Oracle NetSuite's comprehensive approach to data privacy, emphasizing the importance of compliance with global regulations such as GDPR and CCPA. It details the development and operationalization of a privacy program that integrates governance, oversight, and continuous improvement to protect personal information. The program is structured around key pillars and disciplines, ensuring effective data governance and alignment with industry standards.

Uploaded by

rohit.gomes

BUSINESS GUIDE

Oracle NetSuite Data Privacy

Making the privacy program operational

Learn more at NetSuite.com


Grab a seat and enjoy.
Read Time: 7 minutes

Introduction
Worldwide, data privacy—the appropriate collection, securing and use of personal information—is rapidly evolving. Once largely the concern of compliance and legal professionals, privacy now plays a pivotal role in business success and delivering competitive advantage. The business of trust is big business.

Recent changes in privacy law such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have imposed new and additional obligations for businesses to consider. The extraterritorial reach of these requirements may force companies to comply even if the country of incorporation is outside the geographical boundaries where these regulations originated.

Furthermore, the growing number of privacy regulations have high fines for infringement, accompanied by increased oversight. Regulatory bodies around the globe have pushed for more accountability—it is not sufficient to claim compliance without being able to demonstrate it. These changes in privacy regulations require businesses to implement appropriate structure, processes, and documentation to show that they have implemented the requirements for compliance.

The complex requirements from the various privacy regulations are mainly a challenge for multinational businesses that have global or regional operations. Contradicting laws, industry and country-specific regulations and guidelines, combined with the need to comply with internal business policies, require privacy programs that can address all these concerns comprehensively. As a result, Oracle NetSuite has developed a global privacy program capable of meeting these compliance requirements.

The purpose of this business guide is to provide an overview of Oracle NetSuite’s:

• Progress on the implementation of its Global Privacy Program, which addresses obligations arising from all applicable regulations.
• Continuous monitoring and oversight activities to support its commitment to protecting the personal information of individuals and customers.

© Oracle | Terms of Use and Privacy Page 2


Table of Contents

Introduction
1 Developing the Privacy Program
2 Governance and Oversight: The Compliance Department
3 Operationalizing the Privacy Program
4 Demonstrating Compliance and Continuous Improvement

CHAPTER 1

Developing the Privacy Program

Oracle NetSuite’s approach towards regulatory privacy compliance is driven by its goal to be the trusted place for personal information, and that data privacy happens by default through the technology, processes and people involved in the delivery of SaaS offerings. This approach includes promoting a privacy-aware culture across the organization.

The company’s overall privacy strategy takes into consideration the data life cycle, processing activities and regions where Oracle NetSuite operates.

The program was built to address the most restrictive regulations and is supplemented by establishing regional or country-specific requirements. The program also aligns with industry standards and frameworks such as ISO 27701, 27018, the NIST Privacy Framework, and the EU General Data Protection Regulation—Code of Conduct that allows integration with information security, risk management, and governance. The privacy requirements, through the privacy program, are incorporated in relevant areas of compliance and management programs.

Relationship of the Privacy Program to other Management Programs

CHAPTER 2

Governance and Oversight: The Compliance Department

Oracle NetSuite has adopted a hybrid governance model to manage privacy compliance. The model is composed of a central oversight body providing guidance and direction. Respective lines of businesses are responsible for operationalizing the privacy requirements in partnership with the oversight body.

As part of this approach, Oracle NetSuite has a Compliance Department that manages security and privacy compliance programs that implement and manage the organization-wide privacy program covering all Oracle NetSuite business locations globally. The Oracle NetSuite Compliance Department is under the Trust Services organization which is composed of Security, Vulnerability Management and Compliance teams that are responsible for ensuring the security, privacy and compliance of Oracle NetSuite SaaS offerings.

The Oracle NetSuite Compliance Department implements policies, defines privacy standards, and enforces security standards and other safeguards in accordance with applicable data privacy laws and regulations. Lines of businesses are involved to ensure the confidentiality, integrity, availability, and privacy of personal information across the data lifecycle.

The Oracle NetSuite Compliance Department is staffed by qualified privacy professionals with backgrounds in governance, risk management, audit, systems engineering, consulting and privacy law. These professionals undergo continuous professional development to build and enhance their skills to support and sustain the Global Privacy Program.

CHAPTER 3

Operationalizing the Privacy Program

The Privacy Program covers five major function areas called “pillars,” which are underpinned by seven privacy disciplines. The disciplines are the foundation upon which the program was built and applied across the data lifecycle. The pillars represent the collective business processes and risk areas covered by the privacy program.

Oracle NetSuite Privacy Program Pillars

The Seven Privacy Disciplines

The privacy program operates using a cross-functional method wherein each program pillar supports the organizational privacy initiatives. The privacy initiatives are determined by looking at relevant data protection laws, regulations and any other compliance requirements stemming from contractual obligations and organizational policies in consideration of the business process or services in scope. The program directs its efforts based on perceived privacy risks, including implementing appropriate privacy by design and default solutions.

Areas of concern that might be implicated, such as the supply chain and employee awareness, are also considered.

The goal is to consistently implement effective data governance across business functions to minimize risk and exposure for unauthorized disclosure, deletion, sharing and misuse of personal information.

CHAPTER 4

Demonstrating Compliance and Continuous Improvement

Oracle NetSuite continues to measure the privacy program’s performance based on the pillars. Improvements in the strategy and program methodology are applied as necessary to adjust to the evolving privacy landscape and to sustain a privacy and data protection aware culture.

Oracle NetSuite has various security and privacy certifications and continuously explores other industry certifications and attestation reports that can further assert Oracle NetSuite’s security and privacy posture. Oracle NetSuite has two current privacy certifications:

1. ISO 27018:2019. Oracle NetSuite has extended the ISO 27001 Information Security Management System to include the ISO 27018 control set, demonstrating protection and adequacy for processing Personal Information as a Public Cloud Hosting Provider.

2. EU Cloud Code of Conduct. Oracle NetSuite’s adherence to the EU Cloud Code of Conduct (CoC) has been verified and published on the monitoring body’s public registry. The CoC has been designed to define general requirements for cloud service providers as processor, demonstrating sufficient guarantees under Art. 28.1-4 of EU GDPR.

Oracle NetSuite also aligns with the ISO 27701 Privacy Information Management System standard which serves as a baseline for managing privacy in a global enterprise. This Privacy Information Management System overlays on to the Information Management System and it evolves as the business matures.

Ensuring your business has the right controls in place to meet risk objectives can seem like a daunting task but following simple steps can set you on the right path. For more information on Oracle NetSuite’s Governance, Risk and Compliance capabilities, visit NetSuite GRC.

www.netsuite.com
Copyright © 2023, Oracle and/or its affiliates. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject
to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and
conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to
this document, and no contractual obligations are formed either directly or indirectly by this document. This
document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission. Oracle, Java, and MySQL are registered trademarks of Oracle and/
or its affiliates. Other names may be trademarks of their respective owners.
