2. Create a response team. Identify who would be involved with defining and implementing a response to India's privacy act once the details are clarified, says Stan Lepeak, director of research in KPMG's shared services and outsourcing advisory group. Team members might include CIO, legal counsel, outsourcing governance teams, and external consultants.
3. Take a closer look at customer-facing activities in India. Processes like order entry, customer service, collections, and outbound sales will be hardest hit if the new privacy law is enacted. "[Companies] will need to secure prior written consent from customers prior to collecting personal data over the phone, and even then, sensitive personal data won't be permitted to be shared unless it is deemed necessary," says Rutchik. "These types of issues may significantly impede an enterprise's ability to properly and efficiently interact with its customer base."
4. Consider the impact on IT's internal customers. Little notification is given to employees regarding collection and use of their personal data, even though systems supporting human resources, payroll, and help desk operations all contain sensitive personal data that could fall under the new privacy regulations. "I doubt every organization makes notifications to employees or writes privacy policies to include employee data so some back office operations are likely exposed to risk under this law," says Filippone.
5. Get on the same page with providers. Review all data protection policies and procedures in your offshore outsourcing contracts. "Obtain the service provider's interpretation of the act and have the providers explain how they plan to respond to the act's requirements," says Lepeak.
6. Prepare for increased standardization."With these new regulations in place, offshore providers will likely become more rigid in how they operate and more reluctant to tailor their processes to meet customer needs," says Rutchik. "These restrictions could, in fact, make offshore providers less attractive as a result."
7. Protect yourself. IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law, say Wugmeister and Rich. "The new regulations may begin showing up in offshore outsourcing contracts as enterprises will want to be indemnified from specific actions by offshore providers," Rutchik says.
Read more about outsourcing in CIO's Outsourcing Drilldown.