A Self-Regulatory Initiative in Data Security and Privacy Protection

Nandkumar Saravade and Ponnurangam Kumaraguru (PK)

India currently occupies the leading position in the IT outsourcing and Business Process Outsourcing (BPO) industry. India's total revenue due to IT and BPO outsourcing was US$33 billion, which is estimated to grow to US$60 billion by the year 2010. Increasing amounts of personal information are thus flowing to India from many countries.

The Indian ITeS (Information Technology Enabled Services) and BPO industry, which started with the advantage of low-cost human resources, has now moved on to add quality, reliability and diversity as its differentiators. Companies that are maturing and successfully coping with the issue of scaling up and expanding will now need to tackle the problem of offering consistent data security to their customers at an affordable cost. The security landscape is constantly evolving, as the threats, consumer perceptions and legislative and regulatory strategies keep changing. These are the challenges that demand effective responses.

The Indian ITES/BPO companies are striving hard to ensure the security of data and privacy protection. They are following the stringent security controls specified by their customers through contracts. However, many times the problem cannot be contained by an individual company, irrespective of the cost incurred, and requires industry-level solutions. Successful security solutions require a convergence of three components: technology, people and processes. Furthermore, a single security breach can tarnish the entire industry's image and the country's reputation as a safe destination for data. Smaller companies lack dedicated resources for handling security and need cost-effective approaches for achieving demonstrable security levels.

India's National Association of Software and Service Companies (NASSCOM), the premier trade body and the chamber of commerce of the IT software and services industry in India, is dedicated to acting as a catalyst for the growth of the software-driven IT industry in India. Other goals include facilitation of trade and business in software and services; encouragement and advancement of research; propagation of education and employment; enabling the growth of the Indian economy; and providing compelling business benefits to global economies by global sourcing.

NASSCOM has been proactive in pushing these causes to ensure that the Indian information security environment benchmarks with the best across the globe. As a part of its Trusted Sourcing initiative, NASSCOM is in the process of setting up the Data Security Council of India (DSCI) as a Self Regulatory Organization (SRO) to establish, popularize, monitor and enforce privacy and data protection standards for India's IT & ITeS industry.

Self-Regulatory Organizations

The self-regulatory approach has been applied in different sectors around the globe, including the:

   1. National Advertising Review Council (NARC). The NARC was formed in 1971 to guide and set standards of truth and accuracy in U.S. national advertising;
   2. Financial Industry Regulatory Authority (FINRA). FINRA was formed in the U.S. in 2007 to protect investors and market integrity. FINRA educates securities firms and the investing public; enforces federal securities laws; and administers dispute resolution among investors and registered organizations;
   3. Banking Codes and Standards Board of India (BCSBI). The BCSBI was formed in 2005 as a banking industry watchdog to ensure banks deliver what they promise to customers.

In addition, there are other SROs in sectors such as accountancy, medical, telecom, and law around the world. As of the writing of this article, there are no SROs elsewhere created for the IT and BPO industry.

As a part of its Trusted Sourcing initiative, NASSCOM has engaged with the various stakeholders to understand the landscape and to create an organization that helps the Indian IT industry achieve better security and data protection practices. The research concluded that self-regulation might be the best way for the Indian IT industry to address the security and data protection concerns of customers from the U.S. and other countries. A few of the advantages of self-regulatory organizations are:

  • An industry body is best positioned to develop appropriate data privacy and security standards based on its greater knowledge and sophistication;
  • Prompt, efficient responses to industry requirements and market developments;
  • Higher compliance as the result of volunteer participation in the SRO; and
  • The cost of the regulation is borne by the industry rather than customers.

However, there are also limitations for SROs:

  • As self-regulation is typically on a voluntary basis, its success depends on the number of members. The greater the number of participants, the more effective it will be;
  • It is difficult for SROs to raise the revenue needed to sustain themselves and remain operational; and
  • Since the membership is voluntary, organizations can refrain from becoming a member.

Looking at the advantages that an SRO can bring to the Indian IT and BPO industry, NASSCOM is currently in the process of establishing the DSCI. There is no other organization similar to DSCI around the world.

Mission for DSCI

The following objectives have been developed for DSCI based on NASSCOM's research, interactions with the experts, and the advice received from the Center for Information Policy Leadership (CIPL):

  • To create awareness among industry professionals and other stakeholders about security and privacy issues;
  • To build capacity and provide training among members to develop, and continually improve appropriate data protection and security programs;
  • To adopt, monitor and enforce an appropriate security and data protection standard for the Indian IT/ITES industry that would be adequate, cost effective, adaptable and comparable with the global standards;
  • To create a common platform for promoting sharing of knowledge about information security and to foster a community of security professionals and firms; and
  • To provide appropriate oversight and certification services for member organizations.

Current Status

As of October 2007, DSCI is in Phase I of its planned activities. DSCI has formed a board of directors comprising a mix of industry CEOs, NASSCOM officials, a former senior civil servant and an academician. DSCI also has formed a steering committee comprising security experts, academicians, industry members and government officials. DSCI held the inaugural meeting of the steering committee members in mid-September 2007 in Bangalore, India. Many interesting discussions and debates took place during this meeting.

The members agreed on forming three different working groups to address specific issues:

   1. Research: This group will focus on understanding the current status and interest of Indian organizations in the context of security, privacy and data protection. The group will conduct a survey to collect this data and write a report on the results;
   2. Model contracts: This group's aim is to collect different types of contractual agreements from larger organizations or consultancy companies and disseminate them to smaller organizations. This will help the smaller organizations develop their processes according to their clients' expectations;
   3. Business model: This group's main focus will be on devising methods for DSCI to generate revenue.

The DSCI has embarked on a novel and ambitious plan and will chart its path with the help of all stakeholders.

Nandkumar Saravade is the Director of Cyber Security and Compliance at NASSCOM. Nandkumar is an Indian Police Service (IPS) officer. He specializes in cybercrime issues. He is handling NASSCOM's outreach program on cyber security, focusing on law enforcement capacity building on cybercrime response and enhancing. He can be reached at saravade@nasscom.org.

Ponnurangam Kumaraguru (PK) is a Ph.D. candidate in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests include building systems to educate users to make better trust decisions, trust modeling and international cyber security and privacy issues (specifically in India). PK is currently helping NASSCOM in planning and executing DSCI. He can be reached at ponguru@cs.cmu.edu.



  • To analyze the existing security and data protection practices among the organizations in India and to identify areas of improvement.
  • To create a repository of model contracts which organizations can re-use.
  • To create awareness among the industry for the importance of the security and data protection practices and raise the bar.
  • To create security forums throughout the country to generate awareness among the involved entities and individuals about the importance of, and measures for, data protection.
  • To establish a credible governance structure for the DSCI.


  • To create various programs through which organizations in India will be trained on different security and data protection aspects.
  • To encourage and facilitate conferences, workshops, symposiums, and discussions on data security and data protection among client organizations and outsourcing service providers.
  • To consolidate, devise and enforce ethical standards and best practices in line with international standards for creating a secure environment for data in India that would be cost effective and easily adoptable.
  • To certify companies that adopt the DSCI standard.


  • To establish targets and propose timetables for achievement of the DSCI's goals.
  • To communicate industry initiatives and successes.
