Many outsourcing, offshoring or business process outsourcing arrangements involve the processing of large volumes of personal data about a company's customers or employees, such as financial information, medical information, payroll and benefits information, social security numbers and purchasing histories. Beyond saving money, companies must think about the protection of personal data and other valuable assets that are transferred or made available to the outsourcing vendor.
Numerous countries that receive the lion's share of outsourcing business, while aware of their market’s privacy and security concerns, do not have adequate data privacy and security protection laws and structures that provide a data protection regime consistent with that of their clients. Even though they may have laws that punish certain forms of corporate crime, data protection lags far behind. Further, even when there are laws, they may not be adequately enforced. Many countries’ legal systems are notoriously slow or corrupt, and enforcement authorities are overwhelmed.
The success of an outsourcing project depends in large part on the work done in preparation for the contracts and the manner in which the companies’ interaction is organized. It is crucial to:
- Conduct adequate due diligence before entering into a contract;
- Build frequent audit and reporting structures during the performance of the contract;
- Supplement the contract with specific policies and procedures;
- Ensure the constant interaction of the parties to the contract.
We are experienced in the wide range of issues involved in outsourcing, from structuring and negotiating contracts, to advising on risk management and compliance issues, to implementing adequate data privacy and security safeguards. We have handled all aspects of outsourcing, ITO, BPO, and similar service agreements, representing vendors or users in high-stakes, billion-dollar transactions or simpler ones, in markets such as financial services, benefits and HR services.
For example, we can:
- Help the company understand the impact of the laws of the country from which the data originate and those of the country where the data will be processed;
- Assist in performing due diligence about the vendor and the receiving countries’ legal systems;
- Counsel on privacy, data protection and security risk management issues;
- Create proper safeguards around the use of the infrastructure;
- Structure and draft service-level agreements, data use agreements and data transfer agreements;
- Ensure that appropriate measures are built into the contracts in order to provide data privacy and security, confidentiality, limits on data use, audit rights, insurance and remedies;
- Draft specific safeguards in order to provide sufficient detail on the security expectations;
- Clarify the numerous aspects of the services to be performed, and their effect on the protection of personal data;
- Provide for ongoing vendor monitoring and management;
- Develop a formal plan for responding to security incidents, such as misappropriation of personal data;
- Structure procedures to safeguard the company's databases and IP assets upon termination of the relationship;
- Arrange for regular audits of processes and facilities;
- Advise on appropriate deal structures;
- Draft and negotiate the definitive agreements and related schedules.