How to stay protected during the risky business of personal data transfer.
In an outsourcing risk assessment the focus of attention is usually on the service provider’s data handling procedures. Mismanaged data jeopardizes multiple parties in an information supply chain of consumers, corporations, and service providers. And when mistakes are publicized, it can rattle shareholders, too.
The stakes are high: Businesses are held accountable for mistakes; data privacy breaches are not soon forgiven or swept under the rug, especially if a third party is to blame. Reputations, and careers, can be tarnished overnight.
Trusting suppliers is not the primary concern. Outsourcing often requires service providers to access, process, and use personally identifiable data. When problems occur, it’s typically during the transfer of personal data—a potentially dangerous degree of separation. The ultimate countermeasure isn’t technology; the emerging discipline known as privacy risk management is a prerequisite for a successful outsourcing relationship.
Safe Passage
While processing personal data in-house poses a multitude of data privacy challenges, sending business functions to a third-party service provider adds new dimensions of complexity. There’s no passing off the problem. Just because an outsourcer contractually agrees to adhere to data handling best practices doesn’t relieve customers of their legal responsibility to ensure safe passage of the data—at all phases of the process.
Good privacy risk management strikes a balance between data protection and the need for data liquidity between customers and service providers. The risk tolerance of the customer helps drive the selection of service providers, and the investment in people, processes, and technology required to achieve the desired level of information security.
Ideally, prior to the commencement of outsourcing, corporate customers should conduct internal privacy audits, document policies, and appoint corporate privacy officers to lead the process. Successful data privacy risk management involves designating or appointing senior management to coordinate the information security program.
Conducting an audit to understand what data is being collected, how it’s used, who manages it, and how it should be shared determines the design of risk-limiting strategies. Successful privacy audits demonstrate a strong command of the privacy risk management principles that should be rolled out to a service provider.
Before inking an outsourcing deal, customers should evaluate the recent experience of prospective service providers, their data privacy policies, and the means in place for client data protection. In the due diligence process it is also wise to understand the external factors that affect service providers, such as, in the case of offshore outsourcing, host country laws and staffing requirements. Sometimes culture may play a role in the sensitivity to privacy protection, and this should be taken into consideration.
To prevent the unauthorized alteration, disclosure, abuse, damage, or other compromise of information, the corporate customer should pinpoint the expected internal and external risks to the security, confidentiality, and integrity of information. In part, this necessitates a degree of reliance upon technical and physical controls, including logging, encryption, and access controls, that safeguard information against loss, unauthorized access, destruction, modification, or disclosure.
Privacy risk management in the context of outsourcing is about setting limits on third-party data handlers. Limits need to be imposed on the collection of personal data in accordance with the consent of the individual, and data transferred between the customer and service provider should be of the utmost quality: accurate, up-to-date, and, most importantly, relevant to the purpose.
Perhaps the most important element of data privacy risk management is the control of a service provider’s ability to work with subcontractors. Many corporate customers opt to contractually prohibit service providers from engaging in subcontracting without their permission.
The problem is, relationships fail from time to time. And even though it’s unlikely if the upfront analysis is thorough, having an exit strategy can be critical when unforeseen circumstances surface and necessitate the termination of the relationship. It takes two to succeed—or fail—and the customer should be open to the service provider’s ideas regarding developments, policies, and practices with respect to safeguarding data. The service provider, on the other hand, must have adequate measures in place and the flexibility to adapt continually to evolving privacy management best practices.
Bill Frech, partner and managing director of CFO services at TPI, advises that firm’s clients on aspects of their sourcing and provides expertise in evaluating and implementing the optimal sourcing strategy for corporate support areas. He is an accomplished finance & accounting, procurement, and information technology professional and has considerable international expertise in the U.S., Australia, Canada, China, Eastern and Western Europe. He can be reached at bill.frech@tpi.net.