May 13, 2011, 12:00 PM — The Indian government has finally taken a step toward creating a comprehensive set of data protection rules to safeguard privacy, but the proposed regulations released this spring are likely to have a major impact on the global enterprises doing business with Indian outsourcers.
The draft regulations, which deal with the protection of personal information, are more stringent than either the Gramm-Leach-Bliley Act in the U.S. or the EU Directive in Europe and would create new requirements for companies that outsource to service providers in India or maintain their own operations there, say Miriam H. Wugmeister, partner in the law firm Morrison Foerster and Cynthia J. Rich, senior international policy analyst with the firm.
"Given all the personally identifying information, confidential information, and sensitive data collected by organizations, both purely online and in the course of doing business, it was about time that the Indian government took action to update its policy," says Tony Filippone, research vice president with outsourcing analyst firm HfS Research. He notes that India's privacy legislation has remained largely unchanged for more than 100 years.
The entire offshore outsourcing industry has been slow to protect personal data, says David Rutchik, partner in outsourcing consultancy Pace Harmon. Offshore outsourcing companies' lack of urgency around data protection has created a lot of uncertainty for outsourcing customers. (For more on China's draft data privacy regulations, read IT Outsourcing in China: What CIOs Need to Know About New Data Privacy Guidelines.)
The new rules are intended to showcase a new commitment by India to rigorously protect data, but they could dampen offshore outsourcing business. Most notably, prior written consent will be required-without exception-to collect and use sensitive data about Indian citizens and about any person who's personal information is collected within the country.
The specifics and timing of implementation and enforcement have not been clarified-and may not be for some time, "which puts every outsourcing client in limbo in the interim period," Filippone says. Companies with operations or data in India should take the following seven steps to prepare for possible implications.
1. Review current data protection policies and procedures. What data is being captured and stored in India? What opt-in or opt-out policies are in place? Document all existing internal rules.