The Indian government has finally taken a step toward creating a comprehensive set of data protection rules to safeguard privacy, but the proposed regulations released this spring are likely to have a major impact on the global enterprises doing business with Indian outsourcers.
The draft regulations, which deal with the protection of personal information, are more stringent than either the Gramm-Leach-Bliley Act in the U.S. or the EU Directive in Europe and would create new requirements for companies that outsource to service providers in India or maintain their own operations there, say Miriam H. Wugmeister, partner in the law firm Morrison Foerster and Cynthia J. Rich, senior international policy analyst with the firm.
"Given all the personally identifying information, confidential information, and sensitive data collected by organizations, both purely online and in the course of doing business, it was about time that the Indian government took action to update its policy," says Tony Filippone, research vice president with outsourcing analyst firm HfS Research. He notes that India's privacy legislation has remained largely unchanged for more than 100 years.
The entire offshore outsourcing industry has been slow to protect personal data, says David Rutchik, partner in outsourcing consultancy Pace Harmon. Offshore outsourcing companies' lack of urgency around data protection has created a lot of uncertainty for outsourcing customers. (For more on China's draft data privacy regulations, read IT Outsourcing in China: What CIOs Need to Know About New Data Privacy Guidelines.)
The new rules are intended to showcase a new commitment by India to rigorously protect data, but they could dampen offshore outsourcing business. Most notably, prior written consent will be required—without exception—to collect and use sensitive data about Indian citizens and about any person who's personal information is collected within the country.
The specifics and timing of implementation and enforcement have not been clarified—and may not be for some time, "which puts every outsourcing client in limbo in the interim period," Filippone says. Companies with operations or data in India should take the following seven steps to prepare for possible implications.
1. Review current data protection policies and procedures. What data is being captured and stored in India? What opt-in or opt-out policies are in place? Document all existing internal rules.
2. Create a response team. Identify who would be involved with defining and implementing a response to India's privacy act once the details are clarified, says Stan Lepeak, director of research in KPMG's shared services and outsourcing advisory group. Team members might include CIO, legal counsel, outsourcing governance teams, and external consultants.
3. Take a closer look at customer-facing activities in India. Processes like order entry, customer service, collections, and outbound sales will be hardest hit if the new privacy law is enacted. "[Companies] will need to secure prior written consent from customers prior to collecting personal data over the phone, and even then, sensitive personal data won't be permitted to be shared unless it is deemed necessary," says Rutchik. "These types of issues may significantly impede an enterprise's ability to properly and efficiently interact with its customer base."
4. Consider the impact on IT's internal customers. Little notification is given to employees regarding collection and use of their personal data, even though systems supporting human resources, payroll, and help desk operations all contain sensitive personal data that could fall under the new privacy regulations. "I doubt every organization makes notifications to employees or writes privacy policies to include employee data so some back office operations are likely exposed to risk under this law," says Filippone.
5. Get on the same page with providers. Review all data protection policies and procedures in your offshore outsourcing contracts. "Obtain the service provider's interpretation of the act and have the providers explain how they plan to respond to the act's requirements," says Lepeak.
6. Prepare for increased standardization. "With these new regulations in place, offshore providers will likely become more rigid in how they operate and more reluctant to tailor their processes to meet customer needs," says Rutchik. "These restrictions could, in fact, make offshore providers less attractive as a result."
7. Protect yourself. IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law, say Wugmeister and Rich. "The new regulations may begin showing up in offshore outsourcing contracts as enterprises will want to be indemnified from specific actions by offshore providers," Rutchik says.