Privacy Advisor

An Interview with an Expert on India and Outsourcing

March 1, 2007

Sagi Leizerov, Ph.D., CIPP, is a Senior Manager with Ernst & Young LLP. He helps lead the firm's Privacy Assurance and Advisory Services Practice. Leizerov interviews Mark Kobayashi-Hillary, a London-based advisor, writer and researcher who wrote Outsourcing to India: The Offshore Advantage, which was first published by Springer in 2004 and then updated to a new edition in 2005. Kobayashi-Hillary is a board member of the UK National Outsourcing Association with special responsibility for offshoring. He is a founding member of the British Computer Society working party on offshoring. He also is a visiting lecturer at London South Bank University where he is focused on contributing outsourcing knowledge to the MBA program.

Sagi:
Can you describe some of the key differences from a privacy and data protection perspective that are more obvious about doing business in the EU, the U.K. and the U.S. and India? Is there a specific India risk that we should be aware of?

Mark:
To start with, if you are looking at the kind of legislative differences and the types of framework that you have, that is not in place in India. You don't have that kind of safety net. There is no equivalent of the European Union directive on data protection or the U.S. equivalent, the concepts of Safe Harbor. Even in the most recent information technology legislation - which was written in 2000 - the idea of data protection was not included, so there is an immediate difference there in that you don't have that legal kind of framework around you to start with. That means that the environment is very much one of the private sector. The companies themselves actually have to demonstrate the capability rather than there being a law that they've got to adhere to.

The other sort of real major difference in working in an environment such as India is you are going to work in a developing country. You've still got quite an extreme policy in some parts of the country, and so what you will actually see is that the corporations have to build a lot of the infrastructure required to deliver the service that they are doing for you.

Sagi:
We hear so much about data leaks and violations related to the use of information by disgruntled employees. What is your view?

Mark:
In absolute terms there are many more data leaks from companies in the U.S., the U.K. and European service companies than there are from India. Certainly it is a much more interesting story to write about data leaks from Indian companies, but I think that there is also a sense that because we are talking about people who earn a much lower wage, essentially the kind of logic goes that if we are talking about bribing insiders to bring data out of a company, then essentially it should be much cheaper to do that. That is the kind of key worry that people have when they look at a place like India. But if you wanted to do a run-down of the most data leaks, probably you would find the U.S. at the top anyway.

Sagi:
When you talk to executives about the potential or the process of outsourcing to India, what would be some of the common myths that you hear from them and what are the realistic expectations as they relate to outsourcing business there?

Mark:
The immediate myth is that it is 10 times cheaper than doing work in the United States or in Western Europe - this idea that you can get greater quality/lower price. It is kind of sold as a myth that you can have it all basically. You can reduce your running costs, you can increase productivity, increase efficiency, re-engineer your processes - and at the same time, it is cheaper as well. It sounds impossible and really, to be honest, it is. It is true that operating costs are lower in an environment like India, but the whole restructuring of the way that you operate and the fact that you may need to entirely re-engineer your supply chain to fit your Indian supplier in the supply chain, or you may need to completely restructure the way you are doing business.

Sagi:
Can you describe NASSCOM and its role?

Mark:
NASSCOM is the National Association of Software and Service Companies, and it is a Chamber of Commerce. It is representation of the IT services industry in India. It's got more than 1,000 member companies. They actually have been around since the '80s, so they are quite well-established, and given that their membership is 95 or 96 percent of the Indian high-tech IT and service industry, they are the voice of the industry. NASSCOM has been instrumental in actually trying to obtain changes to the IT Act of 2000. They have tabled amendments that they would like to make to the legislation to improve the situation around intellectual property and data protection, and it is true that it is basically sitting with the government at the moment. It is something that is promised to be introduced.

Sagi:
NASSCOM has been pushing for more self-regulation opportunities for its constituents. Can you describe some of the activities and some of the actions NASSCOM has been taking from a self-regulation perspective for its members?

Mark:
India and the high-tech industry have exploded since the millennium, and they have embraced data protection. They have taken on this role almost like policemen of the industry. They have taken on the role of training the law enforcement officers in India, so NASSCOM is actually now working its way through training the police in India to understand cybercrime and problems around information technology. More importantly, they have set up a national skills registry - which was really a reaction to some of the data leaks that we have seen. They have tried to create this idea that people who work in the industry in India want to be trusted. So they have created a safe harbor where you can upload your resumé basically, so it is a complete history of where you have worked, who you have worked with, references you can give about the quality of your work. So if you are working within a BPO company (Business Process Outsourcing), then it becomes the de facto standard that the employer will check this National Skills Registry and have a look at your verified background before hiring you.

Sagi:
If I am a Western company concerned about privacy and data protection, does it make more sense for me to offshore my operations to create a sub-company or an additional company that is mine rather than outsourcing my services to a vendor?

Mark:
That question changes depending on each company and the exact details of the type of service they are trying to offshore. In general, I guess what we have observed in the marketplace is that where there is a great deal of personal data or data that could be utilized in some way, whether that is personal data about plants or about the business that the company performs, quite often we have seen that offshored rather than outsourced. I am thinking the best example is within investment banking, where you are looking at quite a lot of banks that have chosen to set up their own facilities. They have their own office located in India and they hire their own staff and put those people on their own contract.

Sagi:
OK, so I have made the decision to outsource my services to an Indian company. What kind of steps should I be taking before I am selecting a vendor to work with? What would be the type of due diligence, the type of review, that I should do when selecting potential outsourcing companies?

Mark:
Make sure that you know who they are hiring and where they are coming from so that you can get verified backgrounds from the NASSCOM skills registry. If you are going out on the ground in India, you need to make at least a couple of visits to each location where you are considering possibly using them. The typical kind of visit as a potential customer will be with the CEO coming down to welcome you at the gate and giving you a tour of the facilities. But I would say that definitely you should also come back unannounced. Ask to see the boss again the next day when they are not expecting you to show up. See if you can still observe all the same security procedures in place in that environment.

Sagi:
Have you been familiar with stories of that type of second unannounced visit that yielded other information?

Mark:
I have certainly shown up at a couple of BPOs myself. There can be a difference definitely between the kind of unannounced visit where you just walk in, and then where you are actually greeted at the gate by the head of the company. At one particular company in Chennai, I just strolled into the campus. There was a security guard who was supposed to be checking for USB keys, cameras, phones, any kind of recording device. But I gave him just one item, which was enough to keep him happy. I gave the guy my laptop computer, but I still had a phone in my pocket and a couple of USB keys. You need to make sure that there is not just a façade of security and that it is actually a reality. The only way you can really do that is just to test them out yourself.

Don't miss Part 2 of this Q&A next month in the Advisor. The entire interview is available for sale on the IAPP's Web site, www.privacyassociation.org.