How to Protect Customer Data When Outsourcing Business Services

By Lindsey Neal

Data privacy and security are paramount in today’s digital world, especially for companies that collect and/or store consumers’ personal data. However, as inflation drives up the cost of doing business across all industries, many organizations may look to outsource some or all of their operations to reduce overhead expenses. For those that choose this route, here’s how to assess whether your business process outsourcing (BPO) vendors are up to the task of protecting your customers’ data.

Clean House 

Before you can assess a third party’s ability to protect your customers’ sensitive data, you must be sure your own house is in order. It is simply not enough to have written policies and procedures (P&Ps) on data privacy/security. Those P&Ps must be enforced through regular audits, corrective action (where necessary) and continuing education on both the internal P&Ps and the broader regulatory requirements that apply to data privacy/security.

Watch Your (Contract) Language 

Whether you are currently outsourcing or simply shopping for vendors, it is critical to closely examine the language contained in the vendor’s contract and/or service level agreement (SLA). This document will serve as the legal underpinning for your relationship, including in the event of a data breach. Therefore, the agreement should spell out exactly how the vendor intends to protect your customers’ data. Key questions to ask include:

  • What mechanisms will the vendor use to transmit and/or process customer data (email, secure Web portals, etc.)? 
  • What kind of encryption will the vendor use for sensitive data, both in transit (to and from my organization) and at rest on the vendor’s systems?
  • What is the vendor’s data storage redundancy plan? 
  • What are the vendor’s data security/IT policies and procedures? 
  • Does the vendor have its own privacy and/or intellectual property policy, or will they adhere to my organization’s policies? 
  • What happens in the event of a natural disaster, cyberattack or other disruption to services? 
  • Where is the vendor’s labor force located, and what jurisdictional rules/regulations will apply with regard to data privacy/security?
  • Under the agreement, who owns the data produced as a result of the vendor’s work? 

Look Under the Hood 

In addition to nailing down the data privacy/security language and stipulations in your contract, you should conduct some form of inspection of the vendor’s premises, especially those areas where the vendor’s employees will be handling your customers’ data. In a traditional vendor management program, these inspections were usually conducted in person. However, remote inspections have become far more prevalent thanks to advances in technology, and particularly with overseas vendors, a remote or virtual inspection is far more feasible from a cost and time perspective. Regardless of how the inspection is conducted, here are the main areas that must be addressed:

  • What physical security features/protocols is the vendor using to protect its offices and/or data servers? 
  • Do employees follow “clean desk” policies? 
  • Do employees lock their workstations when stepping away or shutting down for the day? 
  • Does the vendor allow visitors on its premises, and if so, what protocols are in place to restrict visitor access to sensitive data/materials? 

Read Between the Lines 

If available, request copies of the vendor’s most recent security audits and review those reports thoroughly. System and Organization Controls (SOC) reports are the most common type of security-related reporting. However, it is important to understand the purpose of each of the main SOC reports and the distinction between the Type I and Type II varieties. A SOC 1 report covers controls relevant to financial reporting; a SOC 2 report covers controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) and is the one most relevant to customer data protection; a SOC 3 is a general-use summary of a SOC 2. A Type I report attests only that controls were suitably designed at a single point in time, whereas a Type II report attests that the controls operated effectively over a review period (typically six to twelve months), so a Type II is the stronger evidence. Given the nature and expense of SOC reviews, not every vendor will have such a report available. However, IT/cybersecurity is a common area of review for both internal audits and regulatory audits, especially in highly regulated industries such as healthcare, financial services and securities, so vendors should have some type of reporting available.

In short, outsourcing business services can be a cost-effective solution for organizations, but it comes with the responsibility of protecting customers’ data. Thus, it is critical to ensure that your vendor is up to the task of safeguarding sensitive information, in order to mitigate the risk of a data breach and protect your customers’ privacy and security.