Security and Privacy
January 10

Data privacy and security remain one of the biggest challenges for the Indian IT-BPO industry, particularly since the majority of the sector’s revenues come from outsourcing and offshoring. Every time there has been an instance of a security breach, or the data of a customer has been compromised, a major cloud has fallen over India’s credentials as a trusted sourcing destination. Going forward then, data privacy and security will continue to demand attention. Besides strengthening the regulatory environment in India through even more stringent IP protection and cyber laws, the government will also have to go after the offenders and ensure that crime is met with punishment. IT-BPO companies also need to tighten their internal security and make sure customer data is protected from malicious intrusion. Since data security and privacy are becoming key to mitigating the risks associated with outsourcing and offshoring, all the stakeholders in the ecosystem will have to work together to make the Indian IT-BPO industry secure and India secure.
Q1 Are there still gaps in India’s security and privacy laws? What can the government do to ensure that in terms of regulations, our security and privacy environment is robust?
Q2 How can companies de-risk their client engagements and ensure that they remain the preferred choice for global sourcing?
- The IT (Amendment) Act 2008 has ushered in a strong data protection regime. All body corporates, processing sensitive personal information, are mandated to implement ‘reasonable security practices’ to prevent unauthorised access to consumers’ personal information. The rules should clearly define reasonable security and personal information.
- Companies should implement the DSCI Security Framework and DSCI Privacy Framework to secure their operations even as they seek the ISO-27001 certification. Best practices, global standards, newly-emerged security disciplines and tactical guidelines, that are an integral part of these frameworks, will help them achieve data protection and regulatory compliance.
Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)
- We need to bring the IT Act as much as possible in line with US and European Acts. At the same time, there is a great need to reform the judicial system to enable it to provide speedy justice for security and privacy violations.
- To do so, they must create dedicated, segregated and secure ODCs for clients. Companies also need to keep all sensitive data in access-controlled secure data centres onshore. Finally, of course, comprehensive security audits, including background checks are required for all new hires.
Subinder Khurana, Vice President, Cognizant





