Exporting some of your operations to India or China is not plain sailing. It has major implications for data protection.
Offshoring of business operations has become a sore subject, both for those whose jobs are being exported and for their trade unions. On other grounds, it is also a cause for concern among data security experts.
Offshoring continues apace, with India the clear leader in 2008. China, however, is the greatest challenger in terms of scale, according to Gartner's December 2008 report, 30 Leading Locations for Offshore Services.
But offshoring is no panacea for all ailments afflicting a business and is beset with complications. The failure of an offshored operation and its return onshore is likely to be welcomed by politicians and trade unions alike.
The reasons for failure are many. They can include lack of control over the offshored operation, often thousands of miles away, or the failure to deliver services properly due to a misunderstanding of what is actually required. These can lead to hoped-for cost reductions not materialising, because of the added cost of trying to ensure the offshored firm lives up to expectations.
And security is a problem, with so much data being exported to countries with lower standards of protection than in the EU. A UK firm will be aware of its obligations to keep data secure. Failure to protect customers could lead the business to be investigated by the Financial Services Authority (FSA) – or the Information Commissioner's Office (ICO) with its new powers (see my article, Legal matters: Commissioner's new teeth, SC, December 2008).
The Data Protection Act (DPA) highlights the dangers of transferring personal data outside the European Economic Area, as not all countries protect personal data to the same standards. Offshoring the service does not outsource responsibility to safeguard consumers' data.
Businesses should address the problems from the outset, including researching offshore partners and asking them direct questions about their approach to security to ensure they have the “appropriate technical and organisational measures” (as the DPA puts it). Do they have a secure building with swipe-card entry not just on external but internal doors? Is access to the data and certain parts of the building restricted to employees who are working specifically on the operations of that business? Do they use encryption? Do employees sign contracts on how they handle data? Are they trained about the risks of losing data?
If an offshore partner passes these tests or the business is convinced it will introduce appropriate measures, then these should be specifically identified in the contract. Legal documents can take time, so start this process early and don't compromise on data security, because the FSA and ICO won't. The EC has issued standard data export clauses that should help with this.
Take practical steps, too. Consider whether the fact that your offshore partner is an established player in your industry is an opportunity because it has the expertise to handle your business, or a threat because it means it also handles your competitor's operations – and data. Also, don't offshore more data than necessary (“adequate, relevant and not excessive”, in DPA-speak).
Consider too the methods of delivery and storage of the data. If the flow of data is electronic, is it encrypted? Can local copies be kept by the offshore partner? Can employees bulk-print data? A determined employee can do damage even with single-page printing. Are USB ports locked down? Are employees prevented from taking camera phones to work? Can the partner undertake its offshore functions through virtualised data – for example, by using a Citrix link? This means there will be no local storage of the data, reducing the problems of leaving laptops on trains…
Even if the offshoring is in place, businesses can still seek to tackle security problems. If your offshoring partner will only introduce safeguards for an increase in cost, you may need to dig out your contract and see whether you can force the changes through – or terminate the operation.