Plan for data protection rules when moving IT work offshore

Outsourcing deals could fall foul of EU data privacy directive.

Outsourcing deals could fall foul of EU data privacy directive.

Increasing numbers of companies are moving their IT systems offshore to low-cost countries such as India. However, in the rush to cut costs, companies risk falling foul of privacy rules that affect personal data held by companies.

The EU Privacy Directive 1998 aims to protect the privacy of citizens when their personal data is being processed. The data covered by the directive may include sensitive employee or customer-related data.

One of the provisions of this directive, article 25, addresses the transfer of personal data to any country outside of the EU. This part of the directive is of most concern to UK businesses that outsource their IT or business operations to overseas organisations.

The article states that EU members can transfer personal data to such a country for processing if that country ensures an adequate level of protection for data protection.

Article 25 also outlines the principles of adequate data protection, such as how the data is transferred to the non-EU country and the duration and purpose of this transfer. It also stipulates the rules that remain in force in the third country.

The European Commission has not approved common offshore destinations such as India as complying with the EU privacy rules. Until it does, UK companies are heavily restricted as to the types of activities that can be performed offshore. A company exporting data overseas has to show that the outsourcer meets data protection guidelines.

Companies are also likely to face challenges from unions over processing data offshore. In August, for instance, a trade union at Lloyds TSB bank challenged the right of the bank to send sensitive personal information about its customers offshore to India for processing.

Privacy enforcement in India is weak, but the law makers in India and Nasscom (the Indian trade organisation) have been working to get a privacy law passed.

UK companies that outsource to a non-EU country should follow a data privacy policy that covers technology, people and business processes and legal issues to mitigate the risks.

Sridhar Balaji is president and chief executive of outsourcing adviser SourceSentry

Points to watch

  • Ensure that the contractual arrangement covers security and privacy obligations. Include language in the contract to articulate your expectations and stringent penalties for violations.
  • Review your provider's organisational policies and awareness training for its employees. Work with your provider to identify and classify the data that leads to a privacy framework and ensure that the provider can implement it. Review your provider's employee screening.
  • Encrypt data that does not need to be seen by service providers. Ensure the provider has adequate security technology - not just firewalls and virus scanners - on the infrastructure that runs your IT.

Read more on Privacy and data protection