Indian BPO firms constrained by lack of data protection laws
While the US backlash is a serious issue, the Indian Business
Process Outsourcing sector faces a far tougher challenge. The absence of data
protection laws in the country is preventing Indian companies from gaining lucrative
contracts in key segments. Till India plugs these loopholes, contracts at the
higher end of the value chain might continue to elude Indian BPO firms, says
Srikanth R P
While Europe has always been a tough market to crack, thanks
to factors like language and culture, the European Union’s tough position
on personal data protection has also contributed to lower outsourcing to India
as compared to outsourcing from the US. The absence of data protection laws
in India is proving an obstacle to Indian BPO firms that seek to move up the
value chain, especially in domains such as healthcare.
Captain Raghu Raman, CEO, Mahindra Special Services Group,
gives a valid perspective on the controversy surrounding the lack of data protection
laws in the country when he says, “Today, the largest portion of BPO work
coming to India is low-end call centre and data processing work. If India has
to exploit the full potential of the outsourcing opportunity, then we have to
move up the value chain. Outsourced work in Intellectual Property Rights (IPR)-intensive
areas such as clinical research, engineering design and legal research is the
way ahead for Indian BPO companies. The move up the value chain cannot happen
without stringent laws.”
Raghu Raman cites the example of the healthcare BPO business,
which is estimated to be worth close to $45 billion. In the absence of data
protection laws, Indian BPO outfits are still stagnating in the lower end of
the value chain, doing work like billing, insurance claims processing and of
course transcription.
Adds Arjun Saxena, principal, Inductis, “Besides healthcare,
some conservative and risk-averse players in the retail financial sector are
also affected. Healthcare BPO in the US is almost as large as financial services
BPO and the European Union market is around half as large. We estimate the market
size that is out of reach for Indian BPO firms to be in the range of $2-2.5
billion, and this can be attributed to a host of factors, including lack of
data protection laws. However, it would be safe to say that at least half of
this size i.e. $1-1.2 billion, can be conservatively attributed to the data
protection issue alone.”
Adds Avinash Vashistha, co-founder and managing partner,
NeoIT, “Financial offshoring from banks is limited because of statutory
compliance requirements and data privacy laws protecting sensitive financial
information in accounts. In the HR domain, there are many restrictions on sharing
of personal information. In the medical domain, patient history needs to be
protected. In credit card transactions, identity theft could be an issue and
needs to be protected. Companies in the banking, financial services and insurance
(BFSI) sector and healthcare have excluded applications/processes which use
sensitive information from their portfolio for offshoring till they are comfortable
about the data protection laws prevalent in the supplier country.”
Ravindra Datar of Gartner has the final word: “In the
absence of data protection laws, the kind of work that would be outsourced to
India in the future would be limited.”
Gung-ho, no problems!
While the absence of data protection laws in India is a serious
deterrent, Indian BPO outfits are trying to deal with the issue by attempting
to adhere to major US and European regulations. Most Tier I BPO companies today
have certifications that comply with regulations like the Sarbanes Oxley Act,
Safe Harbor Act, GLBA for Financial Services, FDCPA (Fair Debt Collection Practices
Act), OCC regulations for banking and HIPAA for healthcare. While most of these
laws and certifications are specific to a vertical, some, like the UK Data
Protection Act (DPA) and the Sarbanes Oxley Act, govern data security across
different industries.
But while analysts and even legal firms frequently continue
to warn about the lack of data protection laws in India and how this issue is
costing Indian BPO firms lucrative contracts, some Indian BPO firms insist that
there is no problem. Counters Sunil Gujral, VP, Technologies, Wipro Spectramind,
“I do not agree with the so-called hue and cry about the lack of data
security for BPO companies. On the contrary, our customers—mostly from
Fortune 100 lists—have strict information security expectations and also
have strict contractual and legal obligations that we as their partner need
to adhere to. These include HIPAA, GLBA, TB82 and DPA98. We have also adopted
industry standards like BS 7799 and HIPAA for information security.”
Similar thoughts are echoed by Raju Bhatnagar, COO, ICICI
OneSource, “While there is an overall concern about the speed of the legislative
system in India, Indian BPO companies have been proactively adhering to strict
service level agreements (SLAs) or statutory regulations, as required by clients.”
For instance, in the absence of Indian data protection laws, many Indian BPO companies
have been proactively applying to certification agencies based in the US or Europe
to acquire the relevant certifications.
Adds S Nagarajan, founder and COO, 24/7 Customer, “Every
serious customer ensures that vendors are completely compliant with data protection
laws and standards. Vendors not complying with these standards are not chosen
for outsourcing.”
What matters most
But efforts by individual companies may not count for much
if companies rule out India as a BPO destination in the first place. Says Prakash
Gurbaxani, CEO, TransWorks, “While individual companies may be equipped
with certifications, what matters is whether India is viewed as a business environment
where data protection is the norm rather than the exception.”
Adds Arjun Saxena, principal, Inductis, “While most
leading Tier I providers have realised the importance of certifications, there
is always the odd case of an employee who goes bad and decides to violate company
policy and laws for personal gains. This is exacerbated by the fact that most
companies have a high attrition rate and have a very young workforce. Though
statistics are hard to come by, even Tier I companies have single digit to low
double digit situations where disciplinary action needs to be taken against
employees every year. For providers below Tier I, compliance is mostly limited
to lip service. In our experience, their record on adherence to stated policies
tends to be fairly suspect.”
Another interesting fact is that the proportion of MNC subsidiaries (captive
units) that pay specific attention to, and adhere to, data protection and privacy
standards and other regulations is higher than the proportion of independent
Indian BPO firms that do so.
Explains Saxena, “Most captive units tend to import a culture of compliance
from the parent company, where their middle management/senior management tends
to be drawn from functions like Finance and Operations that typically are process-
and compliance-oriented. Also, since they have captive volumes, senior leadership
can invest time and energy in overseeing compliance, unlike at independent vendors
where the focus is on new business development.”
But acquiring certifications in the absence of many certifying
agencies in India is a tough task. For example, vendors doing any kind of insurance
sales work for US clients are subject to regulation at the US state level. Each
state-level regulator typically requires companies doing business in its jurisdiction
to be certified according to the regulations applicable in that state, which
proves to be a time-consuming process. Says
Saxena of Inductis, “One vendor we interacted with took over 14 months
to get certifications from around 40 US states. As another example, vendors
working with financial advisory/brokerage clients require SEC Level VI and VII
certification.”
Half-baked response
In the absence of comprehensive national data protection
laws, individual Indian states like Karnataka have taken the lead by announcing
comprehensive laws that assure the highest levels of security. Does this mean
that, in the absence of national data protection laws, individual states should
take the lead? While a state-level policy is good for ensuring and protecting
data protection norms, analysts believe that in the long run clients choosing
between countries like India and the Philippines will not look at individual
states like Karnataka or Maharashtra.
Says Saxena of Inductis, “In the unitary governmental
structure that India has, data protection laws, patent protection and privacy
related laws should all be in the scope of the Union government. Since client
companies come from such an environment, they research federal laws rather than
concentrating on state laws. Remember, the first hurdle faced by any offshoring
effort is whether to outsource to India or the Philippines. No client in the
US or in the UK talks about outsourcing to Karnataka being safe vis-à-vis
outsourcing to other Indian states (where such laws do not exist). Individual
states would be better off lobbying the Union government. This would be a more
fruitful approach than trying to enact laws at the state level.”
Ray of hope
As already mentioned, the Indian government is working
on revising India’s Information Technology Act of 2000. The question, of
course, is how soon this will happen.
Says Avinash Vashistha of NeoIT, “The rules in the
revised act will most likely be enforced by a special appellate court established
under India’s Information Technology Act of 2000. India is also planning
to set up a ‘Common Criterion Lab’, backed by the Information Security
Technical Development Council (ISTDC), where intensive research in cryptography
and product security would be undertaken. Increasingly, clients believe India
will uphold the highest standards of security (BS 7799, ISO 17799) and sort
out issues related to data protection, privacy and IP protection.”
Also, in line with the fast growing Indian economy, the country
is witnessing some important changes in IP (Intellectual Property) laws. For
instance, an intellectual property appellate board, the first and only one in
the country, has been set up for speedy and efficient disposal of IP disputes.
Other significant developments can be seen in the amendments to the Patents
Act. For example, last year India adopted the second amendment to the Patents
Act to simplify patent filing and registration procedures, all in line with
international patent norms. Talks are already on for further amendments to the
Act, which will accommodate the product patent regime, post-January 1, 2005.
While Indian BPO firms don’t seem to see data protection
as a serious issue, the impact would be felt a few years down the line as they
bid for contracts at the higher end of the value chain. Says Gurbaxani of TransWorks,
“I believe that the impact of this issue will be significant moving forward
than it has been in the past, because in the start-up years of the BPO industry
the nature and size of the BPO business outsourced rendered this manageable.
But as the industry grows and the nature of work becomes more complex (financial
accounting and tax preparation) and deal sizes become more significant, the
lack of effective data protection and piracy laws can be very significant.”
While proactive action by companies and progressive states like Karnataka may
help, it is high time that data protection laws at the national level are enacted
to ensure the continued high growth of the Indian BPO industry. Saxena of Inductis
gives an example of the auto industry where a similar practice of following
European regulations has helped Indian auto manufacturers. He explains, “India’s
pollution standards (Bharat I and Bharat II) are closely modelled on Euro I
and Euro II emission standards. Since India has implemented these, auto exports
from Indian manufacturers can easily find European buyers.” If India gets
its act together, then the same story can be repeated even in the BPO segment—and
possibly, with far better results in terms of revenues and profits.
- COBIT
- BS 7799
- ISO 17799 (Data privacy policy)
- Sarbanes Oxley Act
- HIPAA (Healthcare Insurance Portability and Accountability Act)
- GLBA (Gramm Leach Bliley Act)
- UK Data Protection Act
- FDCPA (Fair Debt Collection Practices Act)
srikanth@expresscomputeronline.com