Outsourcing deals could fall foul of EU data privacy directive.
Increasing numbers of companies are moving their IT systems
offshore to low-cost countries such as India. However, in the rush
to cut costs, companies risk falling foul of privacy rules that
affect personal data held by companies.
The EU Privacy Directive 1998 aims to protect the privacy of
citizens when their personal data is being processed. The data
covered by the directive may include sensitive employee or
customer-related data.
One of the provisions of this directive, article 25, addresses the
transfer of personal data to any country outside of the EU. This
part of the directive is of most concern to UK businesses that
outsource their IT or business operations to overseas
organisations.
The article states that EU members can transfer personal data to
such a country for processing if that country ensures an adequate
level of data protection.
Article 25 also outlines the principles of adequate data
protection, such as how the data is transferred to the non-EU
country and the duration and purpose of this transfer. It also
stipulates the rules that remain in force in the third
country.
The European Commission has not approved common offshore
destinations such as India as complying with the EU privacy rules.
Until it does, UK companies are heavily restricted as to the types
of activities that can be performed offshore. A company exporting
data overseas has to show that the outsourcer meets data protection
guidelines.
Companies are also likely to face challenges from unions over
processing data offshore. In August, for instance, a trade union at
Lloyds TSB bank challenged the right of the bank to send sensitive
personal information about its customers offshore to India for
processing.
Privacy enforcement in India is weak, but the law makers in India
and Nasscom (the Indian trade organisation) have been working to
get a privacy law passed.
UK companies that outsource to a non-EU country should follow a
data privacy policy that covers technology, people and business
processes and legal issues to mitigate the risks.
Sridhar Balaji is president and chief executive of outsourcing
adviser SourceSentry
Points to watch
- Ensure that the contractual arrangement covers security and
privacy obligations. Include language in the contract to articulate
your expectations and stringent penalties for violations.
- Review your provider's organisational policies and the awareness
training it gives its employees. Work with your provider to identify
and classify the data, so that a privacy framework can be built on
that classification, and ensure that the provider can implement it.
Review your provider's employee screening.
- Encrypt data that does not need to be seen by service
providers. Ensure the provider has adequate security technology -
not just firewalls and virus scanners - on the infrastructure that
runs your IT.