Indian BPO units address security concerns

Employees are frisked before entering the facilities of Wipro Spectramind, the business process outsourcing (BPO) unit of Wipro...

Employees are frisked before entering the facilities of Wipro Spectramind, the business process outsourcing (BPO) unit of Wipro in Bangalore.

Mobile phone use is prohibited and technology is used to monitor and record data records accessed through employee computers.

"All our facilities are also fully monitored by electronic surveillance, and we have access controls as well," said Raman Roy, chairman and managing director of Wipro Spectramind in Delhi.

In an effort to increase information security, Indian BPO companies now conduct thorough background employee checks, often even looking at school and college records.

"We also do a lot of our hiring through referrals by our current employees, which helps us in getting people whose credentials are easily verified," said Shanmugan Nagarajan, founder and chief operating officer of 24/7 Customer, a Bangalore-based BPO company.

The BPO industry also circulates a list of employees who were fired on disciplinary grounds, Nagarajan added.

Intrusive and Draconian as these measures may appear, they reflect the determination of Indian BPO companies to prevent data security and privacy breaches.

"If one instance of a data security breach should happen, then it will impact the entire Indian BPO industry," said Ashish Gupta, country head and chief operating officer of

US and UK unions opposed to outsourcing have questioned the prudence of having personal data processed in India. Amicus warned earlier this year that offshore outsourcing is "an accident waiting to happen".

To allay such concerns Indian BPO companies have stepped up security measures. "We have been very pleased with Wipro's performance and attention to security and privacy," said Chris Larsen, chief executive of E-Loan, a US loan company which outsources back-office underwriting functions for its home equity applications to Wipro Spectramind.

Companies outsourcing to India, however, also have to put in work at their end to ensure data security and privacy, Larsen noted. "In making the decision to outsource some of our back-office home equity processing to India, we vetted potential partners very carefully," said Larsen.

"We chose Wipro, based on their strong reputation and experience in the industry and, perhaps most importantly, on the fact that they have their own employees working directly on behalf of E-Loan. Some offshore outsourcers subcontract other outsourcers to do the work on their behalf, which makes it difficult to know and control who has access to customer information." 

Both to meet regulations in their own countries and to protect data, companies outsourcing to India keep their data on servers outside of India.

"For example, all customer data resides and is stored in E-Loan's domestic databases," Larsen said. "Our partner only has the ability to view that data, and they do not have the ability to store, share, print or retain data in their computers or systems in India." 

Norwich Union, which outsources call centre and back-office  processes to about five companies in India, also does not transfer data to its Indian contractors.

"We have a 'no data in India' rule, and the information is only available in India while the transaction is being processed," said John Hodgson, offshore program director at Norwich Union which incorporated provisions of the Data Protection Act and the EU Data Protection Directive into contracts with its Indian suppliers.

Although the data may reside on the client's servers rather than in India, staff in Indian BPO companies have access to that data. To that extent it is important that the data is protected at the India end as well, said Vikram Talwar, chief executive of Exlservice, a BPO company with its front-end marketing in New York and operations in Noida, near Delhi.

"There are technologies that protect the flow of data, and it is no less secure to send data electronically to India than, say, within the UK or the US," he said. "The bigger focus has to be on the physical security and people-related security issues."

India's BPO industry posted revenues of $3.6bn (£1.99bn) in the year to 31 March. It employs about 245,500 staff. Because of increased competition for employees attrition rates are high, with turnover at call centres the highest.

"As the industry scales in size and staff attrition goes up the issues of management of data and protecting privacy become all the tougher," said Muralidharan Ramachandran, chief security officer of TransWorks Information Services, a Mumbai-based BPO company.

Compliance with information security standards such as the ISO17799 and the BS7799 standard for information security management are now essential for BPO companies, said Talwar. But even as Indian BPO companies boost facility security the absence of stringent federal data protection laws is a major drawback.

"As India becomes a bigger base for BPO, especially for financial transactions like credit card and insurance transactions, it becomes important for us to have a law that fully protects the privacy of  individuals and the data about them," said Nandan Nilekani, chief executive of Infosys Technologies, a software services and BPO company in Bangalore.

The Indian government is expected to introduce amendments to its Information Technology Act 2000 this year that will fill these gaps and strengthen data protection and privacy rules, according to Mehta. It will then approach the EU and seek to negotiate an agreement similar to the Safe Harbor accord between the US and the EU, which allows data transfers from the EU to the US Mehta said.

To further reassure customers, Indian BPO companies are implementing disaster recovery and business continuity management plans. In most cases, these include setting up facilities outside India, besides having facilities at multiple locations within the country.

While some customers rely on their supplier others have their own disaster recovery and business continuity plans, said Roy. Norwich Union, for example, outsources to various companies in multiple locations within India.

"In the event of a failure, companies we outsource to in the UK will only get busier," said Hodgson, who added that the work done at the Indian operation is mainly an extension of work already being done in the UK.
Despite the security measures adopted by Indian outsourcers many foreign multinational companies have opted to establish their own BPO subsidiaries in India.

Norwich Union has a Build, Operate and Transfer model with its suppliers. "We decided on this model because we did not think any of the companies in India were at the level of maturity that we could simply outsource the work, with no ability to control any subsequent events," said Hodgson.

The idea is that in one to three years Norwich Union will have its own managers on the ground in India, he added.

John Ribeiro writes for IDG

Read more on IT outsourcing