India's outsourcing industry breathes a sigh of relief as the government exempts it from strict new data protection rules (CIO.co.uk)
The data privacy rules, issued in April, require companies or their intermediaries to get written consent from individuals about the use of the sensitive personal information they collect. But it would have been very difficult for Indian outsourcers to operate if they had to get written consent from every foreign citizen whose personal data moves through India's vast collection of call centres and other outsourcing operations. India's Ministry of Communications and Information Technology issued a clarification saying the new rules apply only to Indian companies that collect information from individuals.Given the size of the industry and the sensitivity of the information it handles, it makes sense that the issue of liability for breaches of privacy is a big concern. An Indian outsourcing firm can't operate if it has to get consent from each individual data source. Consent is necessary for the protection of privacy and consent should be obtained at the point where it is most efficient to obtain it — at the point of contact with the individual — i.e. the forms we all sign before receiving services.
Indian firms should know that if they fail to protect the information they work with, they will simply make India the world capital of data theft. The outsourcing industry will not survive with that reputation.
Indian outsourcers have more to fear from their customer firms and global competition than the Indian privacy laws. They should be (and hopefully are) proactively adopting data security measures including logical access control biometrics in order to maintain the competitive advantage they have built over the last 20 years.