Before entering the facilities of Wipro Spectramind, the business process outsourcing (BPO) unit of Wipro Ltd. in Bangalore,
India, employees are frisked, mobile phone use is prohibited, and technology is used to monitor and record which data records are accessed
through employee computers.
"All our facilities are also fully monitored by electronic surveillance, and we have access controls as well," said Raman
Roy, chairman and managing director of Wipro Spectramind in Delhi.
In an effort to increase information security, Indian BPO companies now conduct thorough employee background checks, often
even looking at school and college records. "We also do a lot of our hiring through referrals by our current employees, which
helps us in getting people whose credentials are easily verified," said Shanmugan Nagarajan, founder and chief operating officer
of 24/7 Customer, a Bangalore-based BPO company. The BPO industry also circulates privately among members a "black list" of
employees who were fired on disciplinary grounds, Nagarajan added.
Intrusive and draconian as these measures may appear, they reflect the determination of Indian BPO companies to prevent data
security and privacy breaches. "If one instance of a data security breach should happen, then it will impact the entire Indian
BPO industry," said Ashish Gupta, country head and chief operating officer of Evalueserve.com Pvt Ltd in Gurgaon near Delhi,
on the sidelines of a BPO conference in Bangalore last week.
U.S. and U.K. worker unions, opposed to outsourcing, have questioned the judiciousness of having personal data processed in
India. The U.K.'s Amicus trade union warned earlier this year that offshore outsourcing is "an accident waiting to happen."
To allay such concerns, Indian BPO companies have stepped up security measures, and in the process have impressed some customers.
"We have been very pleased with Wipro's performance and attention to security and privacy," said Chris Larsen, chief executive
officer (CEO) of E-Loan Inc., a consumer direct lender in Pleasanton, California, which outsources back-office underwriting
functions for its home equity applications to Wipro Spectramind.
Companies outsourcing to India, however, also have to put in work at their end to ensure data security and privacy, Larsen
notes. "In making the decision to outsource some of our back office home equity processing to India, we vetted potential partners
very carefully," said Larsen. "We chose Wipro, based on their strong reputation and experience in the industry, and perhaps
most importantly, based on the fact that they have their own employees working directly on behalf of E-Loan. Some offshore
outsourcers subcontract other outsourcers to do the work on their behalf, which makes it difficult to know and control who
has access to customer information."
Both to meet regulations in their own countries and also to protect data, companies outsourcing to India keep their data in
servers outside of India. "For example, all customer data resides and is stored in E-Loan's domestic databases," Larsen says.
"Our partner only has the ability to view that data, and they do not have the ability to store, share, print or retain data
in their computers or systems in India."
Norwich Union, a Norwich, U.K.-based insurance group that outsources call center and back-office processes to about five companies
in India, also does not transfer data to its Indian contractors. "We have a 'no data in India' rule, and the information is
only available in India while the transaction is being processed," said John Hodgson, offshore program director at Norwich
Union. Hodgson added that his company incorporated provisions of the U.K.'s Data Protection Act and the European Union's
(E.U.'s) Data Protection Directive into contracts with its Indian suppliers.
Although the data may reside on the client's servers rather than in India, staff in Indian BPO companies have access to that
data. To that extent it is very important that the data is protected at the India end as well, said Vikram Talwar, CEO of
Exlservice Inc., a BPO company with its front-end marketing in New York and operations in Noida, near Delhi.
"There are technologies that protect the flow of data, and it is no less secure to send data electronically to India than
say within the U.K. or the U.S.," Talwar said. "I think the bigger focus has to be on the physical security and people-related
security issues."
India's BPO industry posted revenues of US$3.6 billion in the year to March 31, and employs about 245,500 staff. Because of
increased competition for employees, attrition rates are high, with attrition at call centers the highest. "As the industry
scales in size, and staff attrition goes up, the issues of management of data and protecting privacy become all the tougher,"
said Muralidharan Ramachandran, chief security officer of TransWorks Information Services Ltd., a Mumbai-based BPO company.
Compliance with information security standards such as the ISO17799 and the BS7799 standard for information security management
of the London-based British Standards Institution is now essential for BPO companies, according to Exlservice's Talwar.
Even as Indian BPO companies boost facility security, the absence of stringent federal data protection laws is a major drawback.
"As India becomes a bigger base for BPO, specially for financial transactions like credit card and insurance transactions,
it becomes important for us to have a law that fully protects the privacy of individuals and the data about them," said Nandan
Nilekani, chief executive officer of Infosys Technologies Ltd, a software services and BPO company in Bangalore.
The government is expected to introduce this year amendments to the Information Technology Act of 2000 that will fill these
gaps and strengthen data protection and privacy rules, according to Mehta. After adding the amendments, the Indian government
will approach the E.U. and request an agreement similar to the Safe Harbor agreement between the U.S. and the E.U., Mehta
said. The Safe Harbor agreement allows data transfers from the E.U. to the U.S.
To further reassure customers, Indian BPO companies are implementing disaster recovery and business continuity management
plans. In most cases, these plans include setting up facilities outside India, besides having facilities at multiple locations
within the country. Wipro Spectramind, for example, is planning a disaster recovery facility in the Philippines, in addition
to its six Indian disaster recovery facilities.
While some customers rely on their supplier to implement a disaster recovery plan, others have their own disaster recovery
and business continuity plans, according to Wipro Spectramind's Roy.
Norwich Union, for example, outsources to various companies in multiple locations within India. "In the event of a failure,
companies we outsource to in the U.K. will only get busier," said Hodgson, who added that the work done at the Indian operation
is mainly an extension of work already being done in the U.K.
Despite the security measures adopted by Indian outsourcers, many foreign multinational companies have opted to establish
their own BPO subsidiaries in India.
Norwich Union has a Build, Operate and Transfer model with its suppliers. "We decided on this model because we didn't think
any of the companies in India were at the level of maturity that we could simply outsource the work, with no ability to control
any subsequent events," said Hodgson. The idea is that in one to three years, Norwich Union will have its own managers on
the ground in India, he said.