End users must specify their data security and data protection requirements right at the start of outsourcing deals, IT trade association Intellect has warned.
In a stark warning to businesses that are outsourcing IT work, Intellect said companies must take steps with their outsourcers to ensure data is secure, or they risk a breach that leads to regulatory action and a loss of customer confidence.
In a report published today, called ‘Intellect data security and data protection guidelines for offshoring and outsourcing’, it said regulators are becoming “ever-more aggressive” in penalising companies that fail to comply with data protection requirements. Rather than risking data breach fines, companies would be wiser to spend the money improving data security processes, Intellect said.
Speaking at the launch of the report, Bridget Treacy, solicitor at Hunton & Williams, said: “Often people don’t know where to start with data protection, or how to start. But if customers don’t think about data protection early enough it can become very costly.”
“Security and data protection tend to be afterthoughts. They need to be decisions that are taken at the start,” added Bill Pepper, director of security risk management at outsourcer CSC. “In IT outsourcing we’re all very good at defining how the technology will work, but not necessarily the processes.”
David Evans, manager at the Information Commissioner’s Office, said it was “in everybody’s interests to get things right from the start”. He added: “There need to be clear rules about who can access information and how they use it, all along the chain, for the outsourcers and not just the end users.”
Intellect said it was important for customers to follow seven steps on data security when outsourcing, beginning by analysing the type and scope of the service, flagging any existing data issues and specifying data protection requirements.
Then, they should write confidentiality agreements, identify detailed security requirements and undertake a data security and data protection audit of prospective vendors.
The next step was to specify data security and data protection obligations and translate them into legally binding contract terms. Then, Intellect said, legal remedies should be written in for any breach.
Next, clients need to plan and execute transition security, and bring about the necessary data transfers.
Businesses then need to monitor compliance and manage changes and incidents, including the conduct of impact assessments.
Determining how data security is affected by termination, transfer or step-in is the next important step. Businesses also need to satisfy data protection requirements for transfers of data to third parties, notifying regulators as necessary, as well as dealing with the overwriting and destruction of retained data.
Finally, they must determine how data security is affected by exiting the contract, again satisfying regulatory obligations.