Part 2 of this Q & A ran in the March 2007 issue of the Advisor.
Sagi Leizerov, Ph.D., CIPP, is a Senior Manager with Ernst & Young LLP. He helps lead the firm's Privacy Assurance and Advisory Services Practice. Leizerov interviews Mark Kobayashi-Hillary, a London-based advisor, writer and researcher who wrote Outsourcing to India: The Offshore Advantage, which was first published by Springer in 2004 and then updated to a new edition in 2005. Kobayashi-Hillary is a board member of the UK National Outsourcing Association with special responsibility for offshoring. He is a founding member of the British Computer Society working party on offshoring. He also is a visiting lecturer at London South Bank University where he is focused on contributing outsourcing knowledge to the MBA program.
Sagi: You mentioned that security took your USB flash drives and other devices when you did a site visit in India. The controls that companies in India implement seem to be a little bit more rigorous than what we have seen in the U.S. or in Europe. Can you list some of those differences?
Mark: The kinds of things that are different are very easily demonstrated. The big difference that you will notice in India is that they don't allow any communication devices. Even desk telephones are banned in many of the facilities where there is quite strict data protection. A good example is a company called NIIT Smartserve. The desks have computer monitors, so the people can perform the work, but they do not have access to the physical PC unit itself - so there is no way they can plug in an iPod or a USB key to access data. There is no way to print from the facilities. As people are going in and out of the office they are checked, so you can't carry things like USB keys or phones or iPods. Anything that could record data or information, or transmit it to the outside, is essentially banned. In most cases this is quite rigorously enforced.
Sagi: What kind of information should a company ask for when considering multiple vendors, especially with privacy and data protection in mind?
Mark: Certainly, ask what kind of international frameworks, such as BS 7799, or policies do they follow? But then in addition, what is standard policy on top of that? That could be both hiring policy as well as practical operational policy. You can certainly compare this among different companies, but you also want references and personal experience. If they are not willing to give you references, that should set off some alarms. Clearly, any of the reputable companies would be able to say to you, talk to this client, we have done a lot of work for them that has involved personal data and they are very happy with us. That should give you the feeling that the international standards are a hygiene factor.
Sagi: Are there differences among Indian companies and Western companies when it comes to the initial credentialing of a potential employee in terms of criminal background checks and things of that nature?
Mark: It is certainly harder to get information or to do a criminal background check than in the U.S. and Western Europe. I think the National Association of Software and Service Companies (NASSCOM) has taken on that role because it is hard to rely on the police force alone. Before NASSCOM, you might have seen things like companies insisting employees have a passport. It is still not that common to have a passport - and to get a passport, you have to go through various checks. Having a passport almost became a kind of de facto background check. But clearly, it is not satisfactory. And clearly if the NASSCOM registry can be promoted and integrated into the majority of hiring policies for all of the reputable vendors, then I think that you will see a lot more confidence in the kind of background checks that are being performed.
Sagi: So I have gone through meetings and site visits with several vendors and I have picked one, and I am going through a contracting process with that outsourcing vendor in India. The question that an IAPP audience would be interested in is, where do we start injecting specific language and requirements that have to do with privacy and data protection? Where does it fit within the contract and where does it fit within the service level agreement (SLA)? Can you distinguish between the two first?
Mark: Really, the contract is just the legal agreement stating that one will provide a service to the other, how long the agreement will last and basic terms. I don't generally see the contract as much of a live document. The service level agreement, which you would generally have as an appendix to the contract, is more of a live document that can be reviewed, used and updated as needed. Regarding data privacy, I think that because the contract is much more fixed, you would just put in some standard terminology regarding the kind of international standards that you expect the company to adhere to, but it would be within the service level agreement that you would put information about processes or operational delivery. And of course, regarding the contract itself, it depends on which legislation you use as well. To be honest, most times when people are contracting with a reputable Indian company, they will contract within the United States anyway. All of those companies will have a U.S. subsidiary company -and you can write a U.S.-to-U.S. company contract that is subject to U.S. law - so you don't generally have to get too involved in the specifics of Indian law.
Sagi: I found an interesting comment in your book about Indian culture and the fact that Indians sometimes have a problem saying no, and they tend to over-commit. When I am considering requirements and negotiating a contract or the details of the service level agreement with the vendor, how should I take that into consideration?
Mark: It would certainly be good to have someone with experience working with India or an Indian company negotiate the contract, either someone within your company or your third party advisor. Most of the reputable Indian companies now have experience negotiating SLAs and contracts with companies in the U.S. and Europe. They know what they can deliver and what they can't. But it is true that there are different cultural differences, and definitely one of the differences you can highlight in many anecdotes is this Indian desire to please, so you need to double-check.
Sagi: And then regarding the process by which companies would manage that relationship, what should they consider as they manage the relationship with their vendors? How do they monitor compliance?
Mark: What I have seen in quite a few companies where it involves personal customer data is expatriation into the vendor. An example is a company that I worked with in Delhi: They worked with a network of UK independent financial advisors and they sent details of the advice they gave to clients in the UK These clients are individuals applying for mortgages or arranging pensions - all very personal financial information - and this is all being sent to India to be double-checked. This organization sent one person over to India; he works for the company in the UK, but he now sits in the vendor office in India. You could say that is extreme and maybe it shows less trust within the partnership, but I think over time you can develop a sense of trust, and most times when you are talking about business process outsourcing, you don't want to make even one mistake, because one mistake hits the newspapers and you lose business.
Sagi: From your perspective, what would be the kind of steps that BPOs and outsourcing companies, in general, can do to further enhance the level of comfort Western companies have in their services in India?
Mark: To be honest, India feels a bit beaten up. If you look at the statistics, the places that are criticizing India actually have worse statistics on data protection. But clearly we are the ones who are buying the services from the companies in India, and it is in our best interest to try to improve the situation, so a lot of the criticism is well-founded. I think generally what they can do to make themselves more attractive is make sure that they've got some sort of verifiable hiring process so they can prove they've done good background checks on the people they hire. And secondly, demonstrate an unfailing attitude toward security. When I visit BPO companies in the UK nobody takes my mobile phone away. At a practical level they are already trying to go a step further than what we require of ourselves, and that is really because of the fear people have when information goes thousands of miles away.
The complete audio conference is available for sale on the IAPP's Web site, www.privacyassociation.org.