Data Protection is emerging as a major corporate and Government concern worldwide. The focus is on secure handling of data so as to ensure privacy of customer data and that of corporate data. Different countries have enacted laws to deal with Data Protection and Data Privacy. While the European Union views privacy of personal information as a fundamental right, the United States has sector specific laws on privacy of customer data. These include laws for protecting health information, financial information. Processing of personal information of citizens of these countries by IT and BPO companies in India and in other countries through outsourcing raises concerns about regulatory compliance. In view of the multiplicity of privacy legislations worldwide, the service providers (IT and BPO companies) in India are faced with a major challenge of demonstrating compliance with laws of countries where the data originates. The industry led by NASSCOM decided to take the route of self regulation – it established Data Security Council of India (DSCI) as a self-regulatory organization (SRO).  DSCI has an independent Board of Directors, guided by a Steering Committee with members drawn from leading IT and BPO companies, and from the best IT products companies of the world. The Steering Committee has set up Working Groups to focus in specific areas for creating awareness and outreach.

DSCI is a section 25 not-for-profit company that is developing best practices for Data Security and Data Privacy under its SRO Framework. IT and BPO companies as service providers are encouraged to adopt the best practices, which include zero tolerance to security and privacy breaches, for India to be a continued preferred destination for outsourcing. DSCI has to enhance the perception about trustworthiness of Indian Service Providers as conforming to the security and Privacy practices as per international standards.  For this purpose, DSCI is engaged in creating security and privacy awareness among the service providers. DSCI’s mission is to foster trustworthiness of Indian companies as global countries service providers and send out the message worldwide that India is a secure destination for outsourcing where privacy of customer data are enshrined in the best practices followed by the industry. This can be achieved by increasing awareness of the end-user on information security and privacy protection. Through the Cyber Security Awareness Initiatives, DSCI reaches out to broad audience that includes academia, schools, colleges, law enforcement agencies, Judiciary, Banks and Financial Institutions, Insurance companies, Telecom operators, to provide awareness and training. DSCI has launched the 4E Initiative for ensuring that India remains a trusted destination for outsourcing which includes the following:

• Engagement
• Education
• Enactment
• Enforcement

DSCI engages with all the stakeholders which include IT, BPO service providers, their clients worldwide, data protection authorities in different countries, and Self Regulatory Organizations in the US, European Union countries and data standard organizations in sectors such as Banking and Finance. It conducts data protection awareness programs as part of its outreach and education activities.  It also engages with the government and other data protection authorities on such practices. DSCI is also evolving ways of enforcing these practices among the service providers.

DSCI is aware of the challenges it faces as one of the pioneering initiatives in the world to be a Self Regulation Organization for promoting data security and data privacy.  As an independent SRO it is engaging with service providers in India to encourage them to have self checks in the first phase, followed by compliance checks by accredited auditors of DSCI for certification. This will be seal of trust that they conform to best security and privacy practices. In the event of a dispute between a client and its service provider, DSCI will help with Dispute Resolution through Mediation, Conciliation or any other alternate dispute resolution mechanisms.

DSCI takes advantage of the widespread agreement around data protection and data security principles – Privacy Principles: OECD, EU, US Safe Harbor, APEC; Security: ISO 27001, CobIT, COSO, ISF, NIST – to create its best practices. It does not create any new standards. These practices will go a long way in enhancing trust of service providers by their clients worldwide.  DSCI certification is expected to result in fewer audits by customers thereby reducing costs and increase efficiencies for clients as well as for IT and BPO companies.

DSCI believes that its SRO Framework can support the data accountability principle in cross-border data flows, namely that the business data and personal data collected in originating country will continue to be subjected to compliance of data privacy laws of the originating country.  Service providers in India through appropriate contracts on best security practices will ensure data privacy as per client’s requirements.

DSCI also takes recourse to the Information Technology (Amendment) Act, 2008 that provides for strong Data Protection Regime with special reference to enforcement of contracts entered into by clients abroad with Information Technology (IT) and IT Enabled Services (ITES), Business Process Outsourcing (BPO).  The Act also provides for reasonable security practices to be observed by body corporate which handle and process personal data including sensitive personal data.  DSCI has a role to play in determining reasonable security practices in specific industries, and in specific cases.