Companies interested in doing business globally must take data privacy issues very seriously because even one slip-up could be devastating to their corporate images, according to a panel of IT executives and other experts who discussed globalization issues at Computerworld's Premier 100 IT Leaders Conference here today.

Data privacy was just one of several topics covered by the panel, but it commanded the most attention from the speakers as well as from members of the audience during a question-and-answer session. Panelist David Aaron, a former undersecretary for international trade at the U.S. Department of Commerce, set the tone by warning that European officials could start bringing some high-visibility privacy cases against companies this fall.

Avoiding privacy problems is important because personal data "is the fuel for a lot of e-business," said Aaron, who is now senior international adviser at the Washington law firm of Dorsey & Whitney LLP. More than 40 countries already have privacy laws in place, with Europe having set the pace, he added. But even there, Aaron said, each country has its own privacy czar and much of the region's privacy directive "is maddeningly vague and inflexible."

The situation elsewhere can be even more uncertain. For example, Barbra Cooper, chief information officer (CIO) at Toyota Motor Sales USA Inc. in Torrance, California, said Japanese officials are becoming more aware of privacy concerns but haven't reached the level of the European Union in addressing the issue. Within Toyota itself, she noted, the Japan-based company's U.S. and European business units are taking the lead role in driving consideration of data privacy issues.

Aaron, who helped negotiate the safe harbor privacy agreement that was approved last year to give U.S. companies self-regulatory protection from Europe's stringent privacy laws, also warned that it typically "will be your competition that will turn you in" for alleged privacy violations. Companies could be potential targets "if you have anything stored on a server in Europe, or if you have a fulfillment operation [there]," he said.

In an electronic poll of the approximately 300 IT managers and other attendees in the audience, 69 percent of the respondents said their companies do business outside the U.S. now. But 48 percent indicated that they hadn't dealt with international privacy regulations yet. A further poll revealed that 26 percent of the attendees said their companies had simply copied data privacy policies from another business.

That approach "is dangerous," Aaron cautioned. The U.S. Federal Trade Commission will force companies to live up to their stated privacy policies, he said, "and if [your policy] doesn't reflect how information is really handled in your company, you can find yourself in real difficulty." Involving managers and other employees from a broad range of corporate functions will ensure that privacy policies reflect business and data-handling realities, Aaron suggested.

Bruce McConnell, president of Washington-based consulting firm McConnell International LLC, said developing countries such as India, China, South Korea, Brazil and Mexico provide "great opportunities" for companies looking to expand internationally. "But it's not for the fainthearted," he said. "You have to take your time and have a longer view than the next quarter."

When weighing business options in such countries, McConnell added, companies should look at the IT infrastructure and information security capabilities that are available there, as well as issues such as political leadership, workforce skills and the general business climate. They also should enlist help from local business partners and even government officials, especially since regulations that do exist may be vague or unenforced, he said.

Jim McLaughlin, vice president for international investments at Prudential Financial in Newark, New Jersey, said that approach is key virtually anywhere a company expands -- even in economically advanced countries such as Japan. "In a new country, you can spend months just learning regulatory issues," he said. "If you don't partner with local people who understand [them], you can get yourself in a bind."

Prudential's global Internet strategy includes common product branding and a similar look-and-feel to its various Web sites but with a degree of flexibility to allow sites in different countries to reflect their individual cultures, McLaughlin said. He also suggested that companies listen to local concerns and hire employees who live in the various countries where they're starting to do business. "Get people in-country who know what they're talking about," he said.