Information security: Barrier to BPO growth in Sri Lanka?

Given the current state of the economies in Europe, you would think that as businesses look to reduce costs and improve profitability there would be plenty of opportunities for Sri Lankan businesses offering Business Process Outsourcing to deliver their services.

Unfortunately, it is not quite that straightforward. The European Data Directives, whilst aimed at the processing of personal data, place some challenging obstacles in the path of many businesses outside of the European Union looking to gain entry into that market. To further complicate matters, not every European country will have implemented the directives in the same way although the core principles will be the same.

You could of course be dismissive and say that the services you are offering do not include the processing of personal data; the reality is that most services will include the processing of some personal data.

If we consider the United Kingdom where the European Data Directives are implemented under the Data Protection Act 1998 (DPA), 2010 saw that legislation updated so that a data controller could be fined up to £500,000 if any “personal data” was compromised.

When the processing of personal data is outsourced to a third party, ‘the data processor,’ the data controller remains responsible for the security of that data. Under the existing legislation the data processor cannot be fined if something goes wrong; it will be the data controller. (That looks likely to change in 2013 as more and more data and the processing thereof migrates to the cloud.)

Let’s consider one nightmare scenario: What if something went wrong? An example would be where a data processor (an accountant or lawyer) in the UK outsourced the processing of the data to a business in Sri Lanka and that data was compromised. Neither the accountant nor the Sri Lankan partner is going to be fined but unfortunately all the accountant’s clients will be fined up to £500,000.

The data controllers of the UK businesses could find themselves having uncomfortable conversations with the UK Information Commissioner’s Office and with their accountant; the press coverage could be extremely uncomfortable for Sri Lankan companies too.

The first question asked would be: “Was it necessary from a legal or regulatory perspective that the processing of this data was outsourced to Sri Lanka?” The answer will invariably be no.

The EU directives are quite specific in terms of which countries it is acceptable to outsource the processing to. Whilst the whole of the EU and EEA are considered acceptable there are only nine countries outside of those areas which are considered competent to handle personal data in accordance with the requirements of EU directive(s), namely, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland.

For businesses in Sri Lanka looking to gain a foothold in the UK, or the rest of Europe for that matter, the solution is fairly straightforward – comply with the UK Data Protection Act. You would be forgiven for asking, “If we are already certified to an ISO standard, is not that good enough?” The answer unfortunately is no.

You would also be forgiven for asking, “I see India is not on the list of acceptable countries, but don’t they do lots of BPO for the UK?” The answer is slightly more complicated as the majority of those contracts would have been in place before the changes in the UK legislation came into effect in April 2010.

Today, all UK and European companies should be checking whether their outsourcing partners comply with the Data Protection Act. That means incidentally auditing your security arrangements. The time has come for the BPOs in Sri Lanka to get a data protection assessment through an accredited organisation and take the necessary steps to compliance with the EU Data Directives.

The International Association of Accountants Innovation & Technology Consultants (IAAITC) has been working for two years with the European Network Information Security Agency (ENISA) to create an Information Security Framework (ISF) that ensures businesses comply with the EU directives.

The ISF utilises a risk based methodology and is fully compatible with existing standards like ISO 27001:2005. It is straightforward to quickly deploy. The IAAITC offers an accreditation for both data controllers and processors companies using the ISF. This accreditation will not only give you an edge in your data security credentials but can also be a reason why UK companies can feel safe to commit their data to a professional BPO house.

The story in the USA is similar but different – there you have to get your heads around a totally different set of legislation.

(The writer is the founder and CEO of the International Association of Accountants Innovation & Technology Consultants (IAAITC), a not-for-profit organisation. The IAAITC (www.iaaitc.org) has worked with the European Network and Information Security Agency (ENISA) to create an Information Security Framework (ISF) that ensures businesses comply with the EU Data Directives. He is also a consultant at Metanoia Partners, UK-based telecom, IT and knowledge consulting firm, which has recently become an Assessment and Accreditation Centre for the IAAITC ISF in the UK where it promotes Sri Lankan BPOs. You can reach David via [email protected].)