A Self-Regulatory Initiative in Data Security and Privacy Protection

Nandkumar Saravade and Ponnurangam Kumaraguru (PK)

India currently occupies the leading position in the IT outsourcing and Business Process Outsourcing (BPO) industry. India's total revenue due to IT and BPO outsourcing was US$33 billion, which is estimated to grow to US$60 billion by the year 2010. Increasing amounts of personal information are thus flowing to India from many countries.

The Indian ITeS (Information Technology Enabled Services) and BPO industry, which started with the advantage of low-cost human resources, has now moved on to add quality, reliability and diversity as its differentiators. Companies that are maturing and successfully coping with the issue of scaling up and expanding will now need to tackle the problem of offering consistent data security to their customers at an affordable cost. The security landscape is constantly evolving, as the threats, consumer perceptions and legislative and regulatory strategies keep changing. These are the challenges that demand effective responses.

The Indian ITES/BPO companies are striving hard to ensure the security of data and privacy protection. They are following the stringent security controls specified by their customers through contracts. However, many times the problem cannot be contained by an individual company, irrespective of the cost incurred, and requires industry-level solutions. Successful security solutions require a convergence of three components: technology, people and processes. Furthermore, a single security breach can tarnish the entire industry's image and the country's reputation as a safe destination for data. Smaller companies lack dedicated resources for handling security and need cost-effective approaches for demonstrable security levels.

India's National Association of Software and Service Companies (NASSCOM), the premier trade body and the chamber of commerce of the IT software and services industry in India, is dedicated to acting as a catalyst for the growth of the software-driven IT industry in India. Other goals include facilitation of trade and business in software and services; encouragement and advancement of research; propagation of education and employment; enabling the growth of the Indian economy; and providing compelling business benefits to global economies by global sourcing.

NASSCOM has been proactive in pushing these causes to ensure that the Indian information security environment benchmarks against the best across the globe. As a part of its Trusted Sourcing initiative, NASSCOM is in the process of setting up the Data Security Council of India (DSCI) as a Self Regulatory Organization (SRO) to establish, popularize, monitor and enforce privacy and data protection standards for India's IT & ITeS industry.

Self-Regulatory Organizations

The self-regulatory approach has been applied in different sectors around the globe including the:

   1. National Advertising Review Council (NARC). The NARC was formed in 1971 to guide and set standards of truth and accuracy in U.S. national advertising;
   2. Financial Industry Regulatory Authority (FINRA). FINRA was formed in the U.S. in 2007 to protect investors and market integrity. FINRA educates securities firms and the investing public; enforces federal securities laws; and administers dispute resolution among investors and registered organizations;
   3. The Banking Codes and Standards Board of India (BCSBI). The BCSBI was formed in 2005 as a banking industry watchdog to ensure banks deliver what they promise to customers.

In addition, there are other SROs in sectors such as accountancy, medicine, telecom, and law around the world. As of the writing of this article, no SRO has been created elsewhere for the IT and BPO industry.

As a part of its Trusted Sourcing initiative, NASSCOM has engaged with the various stakeholders to understand the landscape and to create an organization that helps the Indian IT industry achieve better security and data protection practices. The research concluded that self-regulation might be the best way for the Indian IT industry to address the security and data protection concerns of customers from the U.S. and other countries. A few of the advantages of self-regulatory organizations are:

  • An industry body is best positioned to develop appropriate data privacy and security standards based on its greater knowledge and sophistication;
  • Prompt, efficient responses to industry requirements and market developments;
  • Higher compliance as the result of volunteer participation in the SRO; and
  • The cost of the regulation is borne by the industry rather than customers.

However, there are also limitations for SROs:

  • As self-regulation is typically on a voluntary basis, its success depends on the number of members. The greater the number of participants, the more effective it will be;
  • It is difficult for SROs to raise revenue to sustain and be operational; and
  • Since the membership is voluntary, organizations can refrain from becoming a member.

Looking at the advantages that an SRO can bring to the Indian IT and BPO industry, NASSCOM is currently in the process of establishing the DSCI. There is no other organization similar to DSCI around the world.

Mission for DSCI

The following objectives have been developed for DSCI based on NASSCOM's research, interactions with the experts, and the advice received from the Center for Information Policy Leadership (CIPL):

  • To create awareness among industry professionals and other stakeholders about security and privacy issues;
  • To build capacity and provide training among members to develop, and continually improve appropriate data protection and security programs;
  • To adopt, monitor and enforce an appropriate security and data protection standard for the Indian IT/ITES industry that would be adequate, cost effective, adaptable and comparable with the global standards;
  • To create a common platform for promoting sharing of knowledge about information security and to foster a community of security professionals and firms; and
  • To provide appropriate oversight and certification services for member organizations.

Current Status

As of October 2007, DSCI is in Phase I of its planned activities. DSCI has formed a board of directors comprising a mix of industry CEOs, NASSCOM officials, a former senior civil servant and an academician. DSCI also has formed a steering committee comprised of security experts, academicians, industry members and government officials. DSCI had the inaugural meeting of the steering committee members during mid-September 2007 in Bangalore, India. There were many interesting discussions and debates that took place during this meeting.

The members agreed on forming three different working groups to address specific issues:

   1. Research: This group will focus on understanding the current status and interest of Indian organizations in the context of security, privacy and data protection. The group will conduct a survey to collect this data and write a report on the results;
   2. Model contracts: This group's aim is to collect different types of contractual agreements from larger organizations or consultancy companies, and disseminate them to smaller organizations. This will help the smaller organizations to develop their processes according to their clients' expectations;
   3. Business model: This group's main focus will be on devising methods for DSCI to generate revenue.

The DSCI has embarked on a novel and ambitious plan and will chart its path with the help of all stakeholders.

Nandkumar Saravade is the Director of Cyber Security and Compliance at NASSCOM. Nandkumar is an Indian Police Service (IPS) officer. He specializes in cybercrime issues. He is handling NASSCOM's outreach program on cyber security, focusing on law enforcement capacity building on cybercrime response and enhancing. He can be reached at saravade@nasscom.org.

Ponnurangam Kumaraguru (PK) is a Ph.D. candidate in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests include building systems to educate users to make better trust decisions, trust modeling and international cyber security and privacy issues (specifically in India). PK is currently helping NASSCOM in planning and executing DSCI. He can be reached at ponguru@cs.cmu.edu.



  • To analyze the existing security and data protection practices among the organizations in India and to identify areas of improvement.
  • To create a repository of model contracts which organizations can re-use.
  • To create awareness among the industry for the importance of the security and data protection practices and raise the bar.
  • To create security forums throughout the country to generate awareness among the involved entities and individuals about the importance of and measures for data protection.
  • To establish a credible governance structure for the DSCI.


  • To create various programs through which organizations in India will be trained on different security and data protection aspects.
  • To encourage and facilitate conferences, workshops, symposiums, and discussions on data security and data protections among client organizations and outsourcing service providers.
  • To consolidate, devise and enforce ethical standards and best practices in line with international standards for creating a secured environment for data in India that would be cost effective and easily adoptable.
  • To certify companies that adopt the DSCI standard.


  • To establish targets and propose timetables for achievement of the DSCI's goals.
  • To communicate industry initiatives and successes.

