Part 2 of this Q & A ran in the March 2007 issue of the Advisor.

Sagi Leizerov, Ph.D., CIPP, is a Senior Manager with Ernst & Young LLP. He helps lead the firm's Privacy Assurance and Advisory Services Practice. Leizerov interviews Mark Kobayashi-Hillary, a London-based advisor, writer and researcher who wrote Outsourcing to India: The Offshore Advantage, which was first published by Springer in 2004 and then updated to a new edition in 2005. Kobayashi-Hillary is a board member of the UK National Outsourcing Association with special responsibility for offshoring. He is a founding member of the British Computer Society working party on offshoring. He also is a visiting lecturer at London South Bank University where he is focused on contributing outsourcing knowledge to the MBA program.

You mentioned that security took your USB flash drives and other devices when you did a site visit in India. The controls that companies in India implement seem to be a little bit more rigorous than what we have seen in the U.S. or in Europe. Can you list some of those differences?

Mark: The kinds of things that are different are very easily demonstrated. The big difference that you will notice in India is that they don't allow any communication devices. Even desk telephones are banned in many of the facilities where there is quite strict data protection. A good example is a company called NIIT Smartserve. The desks have computer monitors, so the people can perform the work, but they do not have access to the physical PC unit itself - so there is no way they can plug in an iPod or a USB key to access data. There is no way to print from the facilities. As people are going in and out of the office they are checked, so you can't carry things like USB keys or phones or iPods. Anything that could record data or information, or transmit it to the outside, is essentially banned. In most cases this is quite rigorously enforced.

What kind of information should a company ask for when considering multiple vendors, especially with privacy and data protection in mind?

Certainly, ask what kind of international frameworks, such as BS 7799, or policies they follow. But then in addition, what is standard policy on top of that? That could be both hiring policy as well as practical operational policy. You can certainly compare this among different companies, but you also want references and personal experience. If they are not willing to give you references, that should set off some alarms. Clearly, any of the reputable companies would be able to say to you, talk to this client, we have done a lot of work for them that has involved personal data and they are very happy with us. That should give you the feeling that the international standards are a hygiene factor.

Are there differences among Indian companies and Western companies when it comes to the initial credentialing of a potential employee in terms of criminal background checks and things of that nature?

It is certainly harder to get information or to do a criminal background check than in the U.S. and Western Europe. I think the National Association of Software and Service Companies (NASSCOM) has taken on that role because it is hard to rely on the police force alone. Before NASSCOM, you might have seen things like companies insisting employees have a passport. It is still not that common to have a passport - and to get a passport, you have to go through various checks. Having a passport almost became a kind of de facto background check. But clearly, it is not satisfactory. And clearly if the NASSCOM registry can be promoted and integrated into the majority of hiring policies for all of the reputable vendors, then I think that you will see a lot more confidence in the kind of background checks that are being performed.

So I have gone through meetings and site visits with several vendors and I have picked one, and I am going through a contracting process with that outsourcing vendor in India. The question that an IAPP audience would be interested in is, where do we start injecting specific language and requirements that have to do with privacy and data protection? Where does it fit within the contract and where does it fit within the service level agreement (SLA)? Can you distinguish between the two first?

Really, the contract is just the legal agreement stating that one will provide a service to the other, how long the agreement will last and basic terms. I don't generally see the contract as much of a live document. The service level agreement, which you would generally have as an appendix to the contract, is more of a live document that can be reviewed, used and updated as needed. Regarding data privacy, I think that because the contract is much more fixed, you would just put in some standard terminology regarding the kind of international standards that you expect the company to adhere to, but it would be within the service level agreement that you would put information about processes or operational delivery. And of course, regarding the contract itself, it depends on which legislation you use as well. To be honest, most times when people are contracting with a reputable Indian company, they will contract within the United States anyway. All of those companies will have a U.S. subsidiary company - and you can write a U.S.-to-U.S. company contract that is subject to U.S. law - so you don't generally have to get too involved in the specifics of Indian law.

I found an interesting comment in your book about Indian culture and the fact that Indians sometimes have a problem saying no, and they tend to over-commit. When I am considering requirements and negotiating a contract or the details of the service level agreement with the vendor, how should I take that into consideration?

Mark: It would certainly be good to have someone with experience working with India or an Indian company negotiate the contract, either someone within your company or your third party advisor. Most of the reputable Indian companies now have experience negotiating SLAs and contracts with companies in the U.S. and Europe. They know what they can deliver and what they can't. But it is true that there are different cultural differences, and definitely one of the differences you can highlight in many anecdotes is this Indian desire to please, so you need to double-check.

Sagi: And then regarding the process by which companies would manage that relationship, what should they consider as they manage the relationship with their vendors? How do they monitor compliance?

What I have seen in quite a few companies where it involves personal customer data is expatriation into the vendor. An example is a company that I worked with in Delhi: They worked with a network of UK independent financial advisors and they sent details of the advice they gave to clients in the UK. These clients are individuals applying for mortgages or arranging pensions - all very personal financial information - and this is all being sent to India to be double-checked. This organization sent one person over to India; he works for the company in the UK, but he now sits in the vendor office in India. You could say that is extreme and maybe it shows less trust within the partnership, but I think over time you can develop a sense of trust, and most times when you are talking about business process outsourcing, you don't want to make even one mistake, because one mistake hits the newspapers and you lose business.

From your perspective, what would be the kind of steps that BPOs and outsourcing companies, in general, can do to further enhance the level of comfort Western companies have in their services in India?

To be honest, India feels a bit beaten up. If you look at the statistics, the places that are criticizing India actually have worse statistics on data protection. But clearly we are the ones who are buying the services from the companies in India, and it is in our best interest to try to improve the situation, so a lot of the criticism is well-founded. I think generally what they can do to make themselves more attractive is make sure that they've got some sort of verifiable hiring process so they can prove they've done good background checks on the people they hire. And secondly, demonstrate an unfailing attitude toward security. When I visit BPO companies in the UK, nobody takes my mobile phone away. At a practical level they are already trying to go a step further than what we require of ourselves, and that is really because of the fear people have when information goes thousands of miles away.

The complete audio conference is available for sale on the IAPP's Web site, iapp.org.

