KPMG DSCI Data Security Privacy Survey 2010

State of Data Secutiry and Privacy in the Indian BPO Industry
Message from CERT-In
Businesses continue to drive IT operations, which in turn try to sustain existing

systems, often at the cost of security. Customers, on the other hand, are
demanding more security as their worries about cyber crimes, privacy and
identity theft grow. In the networked world, business partners, suppliers, and
vendors also demand assurance of essential and adequate security when they
inter-operate to share information and business data for faster and cost-effective
transactions. At the same time, regulatory and law-enforcement agencies require
proof of compliance with a plethora of security regulations. Under these
circumstances, there is no better way of understanding security preparedness of
companies than through a survey.
It gives me great pleasure to see the results of the survey of BPO companies,
conducted by DSCI through KPMG in India with the active support of DIT. I’m
sure, this survey will help the industry understand the areas that need focus in
order to improve its practices, and present to its clients the best practices
approach for trusted business partnership.
Dr. Gulshan Rai

DG, CERT-In
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Message from DSCI
This is the third DSCI-KPMG Security Survey, conducted in association with

CERT-In. While designing the questionnaire for this survey, we decided that rather
than conducting a general security survey, we would focus on BPO and Banking
domains. Specific questionnaires were, therefore, drawn up to address the
concerns of these domains.
We present the results of the BPO industry in this report. The depth of questions
may perhaps lead one to conclude that the survey is an attempt at assessment
rather than merely a high-level information capture. At DSCI, we felt that this was
important with a view to understand the data protection trends, underlying issues
and concerns that may be unique and specific to the BPO industry. The focus, in
general is on positioning of security and privacy in organizations; maturity and
characteristics of key security disciplines such as Threat & Vulnerability
Management, Incident Management, among others. Such in-depth questionnaire
was expected to bring out the BPO responses to the rising data breaches
globally.
I am pleased to state that the in-depth approach has resulted in findings that are
more promising. For the BPO industry, while the survey suggests that employee
awareness of data protection continues to be a challenge, the managements are
alive to privacy requirements of clients since many BPOs have established a
privacy team that is distinct from security. Security organization itself is maturing
with CISOs being involved in strategic tasks. An interesting result is the
awareness among BPOs that they may be liable for breaches arising from
vulnerabilities in clients’ environment unless they are vigilant enough to negotiate
a suitable contract. Among the areas that need attention of management, the
following are worth mentioning: employee security awareness should be
increased, need for compliance with amended IT Act should be understood, and
Lines of Business should be involved in data security initiatives.
Dr. Kamlesh Bajaj

CEO, DSCI
Message from KPMG in India
The BPO industry in India has always been under significant influence of data
protection regulations. In its initial years of growth phase, corporations have gone
through fairly intense scrutiny of customer audits, which sometimes have been
considered to be crossing the boundary of reasonable controls expectations. In
any case, most CISOs have privately admitted that those audits helped them
learn the tricks of the trade and made them better every time they underwent
such an audit.
The industry has also been conscious that managing adequate level of
information protection is essential for the survival. There have been instances of
penalties being charged for non-compliance to information security safeguards. In
a few extreme cases, clients have renegotiated contracts with their service
providers at lower rates just because the security controls have been found to be
weak. Some experts believe that information security issues can easily become
non-tariff barriers, if the industry as a whole does not embrace appropriate risk
mitigation measures. Given this context and the current global economic
scenario, it couldn’t have been a better time for the industry to demonstrate that
it has the right strategies in place to manage and mitigate the risks of information
security breaches.
The survey validates that the industry understands these implications very well
and have put in place the baseline measures to manage the risk. The survey is
aimed at identifying protection measures of information security in general and
those specific for personally identifiable information (privacy). While the industry
participants have developed frameworks for addressing the information security
concerns, the aspects relating to privacy haven’t matured as much. The survey
highlights current state of the industry and attempts to identify future direction
for a holistic information protection program.
It is argued that surveys conducted through the owners of process many a times
produce more optimistic results and portray the realities better than what it really
is. However, the purpose of the survey being more directional than quantitative
assessment, it serves the purpose of identifying trends and priorities of the
industry. This survey should act as a useful guide for senior executives of BPO
companies in formulating their future positions and will be a good tool for many
CISOs in developing business cases for comprehensive information security
programs. We hope that the companies, which use the services of Indian BPO
industry will also benefit from this survey as it will help them reposition their
compliance monitoring efforts in right direction.
Akhilesh Tuteja
Executive Director, KPMG in India
Contents
Introduction 02
Data Security and Privacy 08
Information Security Governance 16
Extended Boundaries 24
Regulations 30
Internal Processes 36
Way Forward 47
Introduction
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms 02
State of Data Secutiry and Privacy in the Indian BPO Industry 00
Highlights
The survey provides insights into the data security and privacy
environment of Indian BPO industry. There is evidence that validates
general perceptions about security and privacy practices and then
there are some outliers that do not align to the seemingly obvious.
Some of the findings of the survey are as follows:

?The industry treats data security more as a hygiene factor, rather than a
point of differentiation to gain competitive advantage
?Customer requirements remain primary drivers for data security to most

of the organizations
?Almost 50 percent of the organizations are negotiating contracts to ensure

that any liability arising from vulnerabilities in the client’s environment is
borne by the client
th
?More than 3/4 of the organizations face challenges due to a lack of
awareness amongst employees on liabilities arising from data breaches
?CISOs of majority of the organizations are spending significant time on

strategic initiatives; for example, identifying security implications of new
business initiatives
?Only 44 percent of the respondents are mandating vendors / third parties

to report new threats and vulnerabilities in their products / services
?There seems to be lack of clarity amongst organizations regarding their

liability under ITAA 2008
?More than 75 percent of the organizations involve process owners and

lines of business in data security initiatives.
03 © 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms
Summary
Indian BPO industry has grown nine times from USD 1.6 billion to USD 14.7
billion in just a decade and is expected to witness robust growth in years to
come. By 2020, Indian outsourcing industry (IT and BPO) which is currently at
USD 60 billion is expected to reach USD 225 billion. During the same period, the
growth in ‘domestic BPO’ revenue is expected to expand seven- folds to reach
USD 15 to USD 17 billion, while ‘export revenue’ is expected to reach USD 50
billion. To sustain this phenomenal growth, the Indian BPO industry needs to
overcome one of the major challenges facing the industry today – addressing
Data Security and Privacy concerns of their stakeholders.
Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-
In (DIT), jointly conducted a survey to assess current state of data security and
privacy practices being adopted by the Indian BPO industry and to gain insights
into how the Indian BPO industry is addressing clients concerns.
As part of this initiative, 50 organizations were surveyed with the following

objectives:
?Positioning of data security and privacy in the BPO organizations -

analyzing CISOs’ role and the tasks performed by the security organization
?Maturity and characteristics of key security disciplines such as ‘Threat &
Vulnerability Management’ and ‘Incident Management’ in the wake of
rising data breaches globally
?Level of perceived risks in different Lines of Service (e.g. Customer
Interaction and Support, Payroll, Finance & Accounting, etc.)
?Managing risks arising from clients’ environments
?Mechanisms adopted for conducting employee background screening
?Strategic options adopted for Business Continuity and Disaster Recovery

management
?Impact of IT (Amendment) Act, 2008 on the industry
?Evolution of Physical Security and its integration with data security
In order to ensure that the survey results represent the Indian BPO industry at
large, we interviewed CISOs and their equivalents in organizations across BPO
industry segments and sizes.
The survey results highlight trends and insights into the state of data security and
privacy in the Indian BPO industry – many ‘generally known’ practices are
validated, yet certain unexpected insights are revealed.
Data security and privacy
The maturity of the Indian BPO industry with respect to data security and privacy,
is reflected in the fact that most organizations treat security more as a hygiene
factor rather than a point of differentiation to gain competitive advantage. End
customers in client geographies are concerned about their personal data in the
trans-border data flow. Indian BPO industry realizes this and is equally concerned
about any bad publicity in media, which may result from a data breach. Even the
clients have made a note of such concerns and demand BPO organizations to
undertake privacy initiative and have exclusive mention of data privacy clause in
their contracts. The first section of the report – ‘Data Security & Privacy’ – reveals
these and other such trends in detail.
Information security governance
The information security function in general has been formalized with most
organizations having a designated CISO. However, no standardization with
respect to reporting alignment exists as it varies significantly within the
responding organizations. CISOs are also moving away from security related
operational tasks and are becoming more involved in strategic activities. The
survey reveals that industry needs to increase involvement of business managers
for understanding security requirement of the business.
Extended boundaries
As the industry has been expanding across geographies to serve global clients,
they continue to face a challenge in meeting multiple regulatory or client
requirements. These organizations being well aware of the liabilities arising from
any data breach have been re-negotiating contracts with clients to ensure that any
liability arising from vulnerabilities in the client’s environment is borne by the
client. Similar focus needs to be given to third party service providers since they
have access to client/organization confidential information.
Regulations
Industry’s focus on global clients is all the more evident from the fact that its data
security and privacy related technological investments are driven by global
regulatory requirements. However, with introduction of Information Technology
(Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the
liabilities arising from it and have also started revising their security policy to
incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is
a risk of underestimating the liabilities arising from non-compliance to regulatory
obligations.
Internal processes
There are clear indicators that internal processes have been designed to meet the
best practices. However, the implementation and continuous testing/ monitoring
varies across the organizations.
The findings indicate the level of maturity the industry has achieved when it
comes to processes such as threat & vulnerability management, employee
screening, security incident management, BCP/DRP and physical security
controls.
Data Security
and Privacy
Key findings
?Client/contractual requirements and

global data protection regime are the
key drivers for data security practices
in BPO industry
?Organizations perceive that key

threats for data security are internal
in nature
?Respondents are conscious of their

brand image and therefore adopting
data privacy initiatives to prevent any
data breach incident, which may lead
to bad publicity in media
?Organizations focus on data privacy

to address rising concerns of clients’
end customers’ vis-à-vis their
personal data in the trans-border
data flow
?Majority of organizations do not have

dedicated or separate privacy team;
instead, they use data security team
to drive and support privacy
initiatives.
Finding its place
Survey reveals that to address end customers’ concern vis-à-vis their

personal data in trans-border data flow, clients are becoming stringent with
respect to ‘Data Security’ & ‘Data Privacy’, which is driving organizations
security and privacy initiatives.
Drivers (Data security) (% respondents)
Source: DSCI-KPMG Survey 2010
Drivers for data security
Majority of respondents consider security as a hygiene factor rather than a

competitive advantage. Seventy percent of organizations perceive that key
threats for data security are internal in nature. Though internal and external
threats are one of the drivers for security, client/contractual requirements, global
data protection regime and associated liabilities remain the primary drivers for
data security in the industry. At the same time, ITAA 2008 is also becoming an
important driver for data security for organizations.
Clients continue to drive the information security requirements. They

have helped corporations mature their information security programs
through periodic audit and monitoring.
Security Team Size Security function positioning (% respondents)

(% respondents)
100 94
90
80
10%
70
16%
60
50
10 16 40
37%
30
37
20
37% 10 8
10 8 6
37 2
0
Central For each For each Line For each Each / major Coordinator
Security Geographical of Service Vertical client for each
Less than 5 6-10 11-20 More than 20 Function location relationship relationship

Security function
Respondents believe that organizations place due importance to security function

internally. This is also coupled with the fact that almost 2/3rd of the organizations
have more than five member security team. Most organizations have a central
security function, responsible for data security & privacy, enabling them to ensure
uniformity of controls across organization.
Security is still a centralized function as revealed by the survey. However,

geographical expansion of operations, rising revenue in the Lines of Services and
business growth in client relationships seem to be driving the structure of the
security organization towards localized/decentralized security function.
Maturity of security practices (% respondents)
Focus on ISO 27001 82
Continuous Vigilance on evolving issues 78
Keeping top management aware of the risks

74
& liabilities
Constant review of the environment 70
Providing architectural treatment to security

60
solutions
Use enterprise portal to manage security

58
requirements
Collaborate with external sources & internal

58
functions
Proactively adopt techniques such as threat

48
modeling, threat tree etc
Focus to innovation in the security initiatives 44
Maturity of security practices
Organizations are following standardized processes by taking major strength from

well known standards such as ISO 27001. At the same time, a majority of
organizations keep continuous vigilance on evolving security issues &
vulnerabilities along with constant review of the environment to assess its
security posture. With the current baseline, organizations are adopting forward
looking initiatives such as:
• Providing architectural treatment to security solutions
• Usage of enterprise portal to manage security
• Adopting techniques such as threat modeling, threat tree, etc.
• Focusing on innovation in security initiatives.
Drivers for data privacy
Data privacy, as with data security, is primarily driven by client/contractual

requirements and global regulations. However, there are other factors driving data
privacy as well. Organizations are conscious of the fact that a small incident of
data breach, can impact their brand image to a large extent. This also gets
reflected by the fact that 73 percent of the organizations consider bad publicity in
media in case of data breach as a critical driver for their data privacy initiatives.
This becomes all the more important when most of the organizations are trying
to address the concerns of end customers’ vis-à-vis their personal data in trans-
border data flow. Clients’ concern are highlighted by the fact that 50 percent of
the respondents mentioned that their clients demand them to undertake privacy
initiatives and exclusively mention data privacy clauses in contracts. Though the
prime focus remains on end customer’s data, 48 percent of the organizations
have started to focus on protecting the privacy of their employee’s data.
Drivers (Data privacy) (% respondents)
73 24 2 Reputational damage
End customer concerns over trans-border

73 21 6
data flow
65 31 4 Global data protection regulations
56 35 8 Data privacy clauses in client contracts
50 46 4 Client’s privacy program
48 46 6 Protecting privacy of employee data
Data Protection Authorities (Client

33 33 33
geographies)
0% 20% 40% 60% 80% 100%
Critical Important Less Important
Privacy function
While primary drivers for data security and data privacy are the same, the controls and
capabilities required for ensuring them are quite different. Realizing this, organizations are
moving towards deploying dedicated personnel for privacy. This is evident from the fact that
41 percent of the organizations have a dedicated privacy function with a team strength of
more than two members.
Dedicated privacy function Privacy team size (% respondents)

(% respondents)
Yes, 40% No, 60%

43%
Less than 2
16%
2-5
More than 5
11% Not Applicable
30%
Maturity of privacy practices (% respondents)
Understanding exists of different roles and entities for data protection 64
Understanding exists about Privacy Principles and their applicability 62
Dedicated policy initiative for privacy 62
Processes are reviewed regularly from privacy perspective 60
Specific technology, solutions and processes are deployed for privacy 54
Scope of audit charter is extended to include privacy 52
Privacy impact Assessment is performed for new initiatives 40
Privacy has just appeared on the organization’s agenda 16
Privacy is seriously lacking as compared to security 8
Privacy gets treated as a sub-set of information security program,

which may lead to under-estimation of legal implication.
Maturity of privacy practices
The survey reveals that more than 60% of the organizations:
• understand different roles & entities that exist for data protection,
• understand Privacy Principles & their applicability,
• have dedicated privacy policy initiative, and
• regularly review their processes from privacy perspective.
However, not all of these organizations have extended the scope of audit charter to
include privacy and nor do they perform privacy impact assessment whenever new
initiatives are undertaken. Organizations can achieve a much better state of privacy, if
they take a step towards establishing a privacy function with required empowerment.
Information
security governance
Key findings
?CISOs of majority of the

organizations are spending
significant time on strategic
initiatives; for example, evaluating
and mitigating security implications
of new business initiatives.
?Organizations are seeking external

assistance largely in security gap
assessment and application security
testing
?Organizations are maturing to

understand and distinguish security
related operational tasks from
strategic security tasks
?Many organizations still do not

involve business manager in
understanding security
requirements.
Doing a reality check
The survey results indicate that organizations have come to realize the
significance of CISO and his/her role. CISOs have started to get involved in
strategic tasks, moving away from operational activities.
CISOs’ reporting line
The survey reveals that organizations have not come to consensus on ‘whom should
the CISO report to?’ This is evident from the fact that there is no standardization on
reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in
a lack of focus and accountability. The survey also revealed that 30 percent of
organization’s CISOs are reporting to CIO/CTO, highlighting the concerns with respect
to independence of security function.
CISO reports to (% respondents)
Chief Executive Officer (CEO) 30
Chief Operating Officer (COO) 18
Chief Information Officer (CIO) 16
Chief Risk Officer (CRO) 16
Chief Technology Officer (CTO) 14
Head Quality Assurance 4
Audit Committee 2
Others 8
Role of CISO
The survey reveals that CISOs of nearly 65 percent of the organizations are spending
significant amount of their time on activities like:
Overseeing security policy enforcement

?
Participating in business strategy meetings

?
Interacting with support functions for enforcing measures

?
Planning for remedial measures

?
Issuing guidelines to enterprise units

?
Overseeing security projects

?
Checking for new issues, threats & vulnerabilities

?
Convening meetings of security forums.

?
This clearly indicates that CISOs are spending significant amount of time on strategic
tasks instead of operational tasks. However, standardization in CISOs role is lacking.
This is evident from the survey results - 29 percent of CISOs spend significant amount
of time on reviewing & approving change requests; at the same time 22 percent
CISOs do not consider it as part of their responsibility. Similarly, more than 50 percent
CISOs spend significant amount of time on ‘reviewing state of security in service
delivery channels’ & ‘reviewing security reports’. However, nearly 15 percent believe
they are not responsible for reviewing these tasks.
Organizations need to refine CISO’s role, ensuring minimal involvement in operational

tasks such as review reports of security scans.
CISO spends time on (% respondents)
Overseeing security policy enforcement 90 6 4
Participating in business strategy meetings 84 12 4
Interacting with support functions for enforcing measures 80 12 8
Planning for remedial measures 71 16 12
Issuing guidelines to enterprise units 69 24 6
Overseeing security projects 69 20 10
Checking for new issues, threats and vulnerabilities 65 31 4
Convening security forum meeting 65 27 8
Preparing reports for higher management’s consumption 63 33 4
Reviewing reports of security scan, assessment and audits 61 29 10
Reviewing & responding on security alerts, incidents, issues 57 33 10
Reviewing state of security in Service delivery channels 57 29 14
Reviewing security reports 51 33 16
Overseeing security training of employees 45 45 10
Interacting with IT teams for maintenance of security devices 37 51 12
Reviewing and approve change request 29 49 22
Approving official request of reporting officers 23 52 25
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Significant Amount of Time Non Significant Amount of Time Not Responsible
The role and expectations from CISO vary across organizations,

whilst many spend time on strategic items, a fair bit of operational
tasks take his/her attention.
Security gap/baseline assessment Keeping track of evolving threats &

(% respondents) Vulnerabilities (% respondents)
Business Manager 15
Corporate Compliance 12
Corporate Compliance 15
CISO 52
CISO 64
68
IT Security
IT Security 38
IT Infra Team 16
IT Infra Team 9
Audit Team 36
External Consultant 15
External Service Provider 6
Security requirements of business Security tasks

(% respondents)
Security of the organization is the prime

Business Manager 63
responsibility of the CISO and his/her team.
Corporate Compliance 19 However, other functions like IT Infrastructure
Team, Business Unit, Corporate Compliance,
CISO 58 etc. are also involved in the security
IT Security 27 management tasks. The survey indicated that
various teams are being involved in right capacity
IT Infra Team 19 for security management tasks. This indicates
that organizations are aware of stakeholders
Source: DSCI-KPMG Survey 2010 required to be involved for effective
management of security. Trends clearly visible
from survey responses are:
Application Security Testing
(% respondents)
?Operational tasks such as installation of
CISO 27 security solutions, administration of
security technologies, security testing is
IT Security 61 performed by IT security and IT
IT Infra Team 20 infrastructure team, allowing CISO to focus
on strategic tasks
Audit Team 11
?The gaps in the security skills are bridged
External Consultant 20 by availing services of external consultants
for the tasks such as security gap/baseline
assessments, application security testing,
code review, etc.
Security Authorization of Change Requests Though CISO is actively getting involved in

(% respondents)
business activities such as business strategy
planning, understanding business requirements
Business Manager 16
of security etc., involvement of business
Corporate Compliance 8 managers in security initiatives needs to be
further enhanced.
CISO 48
IT Security 58
IT Infra Team 18
Security tasks
Business Corporate CISO IT IT Infra Audit External External External

Manager Compliance Security Team Team Consultant Service Consultant
Provider /Service
Provider
Security Gap/baseline Assessment 15 15 64 38 9 36 15 6 21

Security Strategy Plan
22 14 80 29 16 2 2 0 2
Security Requirements Of Business

63 19 58 27 19 2 0 0 0
Preparing Security Policies & Procedures

6 14 82 41 16 2 10 0 10
Implementating Policies & Procedures

49 20 57 55 47 18 4 4 8
Defining & Managing Security
Architeture 8 6 65 55 31 0 4 2 6
Compliance Reporting To Clients

56 25 52 21 8 10 2 2 4
Advisory Vis-a-vis Data Security

Architecture 17 28 77 26 9 4 19 2 21
Security Solutions Evaluation And

Procurement 4 10 69 69 44 4 6 8 15
Install Security Solutions, Products And

Tools 2 2 32 62 68 2 6 8 14
Administration Of Security Technologies

0 0 12 66 64 2 0 2 2
Security Testing - VA and PT

0 2 22 64 36 12 12 12 24
Application Security Testing , Code

Review, Etc. 9 2 27 61 20 11 20 0 20
Conducting And Managing Internal

Audits/assments 4 22 61 20 4 71 6 2 8
Security Monitoring
10 10 38 72 30 12 4 4 8
Security Authorization Of Change

Requests 16 8 48 58 18 2 0 2 2
Report, Investigate And Close Security

Incidents 12 18 68 58 24 6 2 2 4
Keep Track Of The Evolving Threats And

Vulnerabilities 0 12 52 68 16 6 6 4 10
Strategies For Protecting Against New

Threats And Vulnerabilities 4 16 76 58 16 2 4 0 4
Keep Track Of The Evolving Regulatory

Requirements 20 36 62 26 2 8 8 2 10
Participate In Initial Client Meetings To

Understand Clients’ Security 57 17 67 41 24 2 0 0 0
Requirements
Administration & Testing Bcp /dr Plans

32 18 59 55 52 5 2 2 5
Extended
boundaries
Key findings
?Meeting multiple regulatory/client

requirements and ensuring employee
seriousness towards data security &
privacy continue to remain key
challenges for organizations
?Organizations are continuously

focusing on spreading awareness
about security but challenges seem
to persist
?Organizations are increasingly

focusing on deploying technical and
organizational safeguards to mitigate
risks arising from client‘s
environment
?Organizations have started

negotiating contracts to ensure that
any liability arising from
vulnerabilities in the client’s
environment is borne by the client
?Organizations have adopted ‘Third

Party Risk Assessment Framework’
along with conducting Vendor Risk
Management exercise for their
service providers.
Overcoming challenges
Meeting multiple client/regulatory requirements, while serving clients across

geographies, is a key challenge faced by organizations.
Challenges faced (% respondents)
Meeting multiple client requirements 45 27 29
Employees in young age group with high attrition rates 44 30 26
Meeting multiple regulatory requirements 38 36 26
Client providing liberal access to BPO employees 35 35 29
Emerging and evolving threats and vulnerabilities 33 47 20
Employees connecting to client environment through public network 33 26 42
Lack of employee awareness on liabilities arising from data breaches 27 50 23
Non seriousness of employees for security and privacy 25 48 27
High involvement of employees with client organization 25 35 40
Understanding global data protection regulations 22 39 39
Different connectivity models 20 37 43
Different means used to transfer or access the data 20 30 50
Inadequate budget allocation for data security & privacy 20 22 59
Increased volume and complexity of data intensive transactions 18 45 37
Difficultly to bring visibility over the data 16 43 41
Managing third party risks 16 49 36
International spread of operations 15 47 38
Client prefer business flexibility over the security 15 40 45
Lack of support from Top / Senior Management 9 24 67
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Key Challenge One of the challenges Not a challenge
Challenges in managing data security & privacy
Organizations face the challenge of meeting multiple regulatory/client security and

privacy requirements. Internal threats are also a major roadblock in ensuring data
security and privacy, especially when 73 percent of the organizations believe that there
is a lack of seriousness amongst their employees towards data security. Employees in
the young age group with high attrition rates pose a significant challenge in continued
sustenance and management of security & privacy. Organizations need to focus on
spreading awareness on liabilities arising from data breach as it continues to be a
challenge for more than 75 percent of the respondents.
The survey also highlights the fact that 70 percent of the organizations are facing
challenges with respect to ensuring data security and privacy at the client’s
environment. The respondents found to be concerned about relatively moderate
controls implemented at client’s environment. Managing security becomes even more
challenging when employees are highly involved with client organization or could
connect to client‘s environment through public networks.
Mitigating client environment risk (% respondents)
Making employees aware of the risks in client

71
environment
Deploying extra technical and organizational

60
safeguards
Negotiating contracts to make client liable for

54
exploitation of client’s environment
Include client’s environment in risk

50
management process
Do not consider client environment risk as part

25
of our risk management process
Mitigating client environment risk
There is an increasing realization about the risks associated with access to the client
data systems. Seventy five percent of the respondents have extended the scope of
risk management processes to include the risks introduced by client’s environment.
Organizations are making their employees aware of the risks that arise from client’s
environment and are also deploying additional technical and organizational controls to
mitigate these risks. Further, organizations have started negotiating contracts to
ensure that any liability arising from vulnerabilities in the client’s environment is borne
by the client.
Mitigating Third Party Risk
Organizations realize that with the increasing use of third party service providers, the
risk of data breach increases especially when these service providers have access to
confidential information. Therefore, most of the organizations sign Non Disclosure
Agreements / Confidentiality Agreements with the third party service providers and
use contract as an instrument to make the third party service providers liable for any
security breaches. Beyond that, 48 percent organizations have controls deployed as
per ‘Third Party Risk Assessment Framework’ and 52 percent conduct ‘Vendor Risk
Management’ exercises.
Mitigating third party risk (% respondents) Third party risk management (% respondents)
Controls deployed as per "Third Party Risk

Signing Non Disclosure Agreement 96 48
Assessment Framework"
Deploying technical and organizational Conducting Vendor Risk Management
77 52
safeguards exercise
Contract to make the third party liable for
75 Both 42
any security breaches
Making our employees aware of the risks

58 Neither 42
arising from third party services
Source: DSCI-KPMG Survey 2010 Source: DSCI-KPMG Survey 2010
Regulations
Key findings
?Organizations continue to consider

regulatory requirements as a primary
driver for their investments
?Adoption of an enterprise level

automated tool for managing
compliance is still in the nascent
stage
?There seems to be lack of clarity

amongst organizations regarding
their liability under ITAA 2008
?A large percentage of the

organizations have not activated legal
function to understand, interpret and
suggest necessary precautions to
comply with ITAA 2008. This explains
the low level of awareness amongst
the organizations.
Staying compliant
The survey results reveal that although organizations have started to create
awareness on ITAA 2008, the level of awareness still needs to be
strengthened.
Steps taken to track contractual / Regulatory requirements (% respondents)
Involve legal department in initial stages of deal negotiation 86
Maintaining an inventory of contractual / regulatory requirements for each

76
client relationship
Compliance / audit / risk manager for each relationship 70
Mechanism to track regulatory changes 66
Managed and shared legal & compliance related information effectively 66
Ensure understanding, interpretation and applicability of legal terms 62
Business process owners self declare compliance to contractual / regulatory

54
requirements
Legal and compliance requirements and liabilities for each type of data
50
element are well known
Subscribed to services that notifies the legal and regulatory changes 46
An enterprise wide tool helps manage compliance effectively 30
Tracking contractual / Regulatory requirements
The survey highlights that more than 3/4th of the organizations involve legal department
in the initial stages of contract negotiation and maintain an inventory of contractual /
regulatory requirements for each client relationship. However, only 50 percent of the
organizations are well aware of legal & compliance requirements for each type of data
element. Further, only 30 percent of the organizations use enterprise level tool to help
manage compliance. These could be the possible reasons why organizations continue
to face challenge in managing regulatory/client requirements.
Compliance processes remain largely manual.
Response to liabilities due to data breach (% respondents)
Strengthening monitoring and incident

78
management mechanism
Creating awareness within the
76
organization and third parties
Review the client contracts 58
Activating legal function 58
Establish a breach notification mechanism 47
Developing a strong forensic investigation

18
capabilities
Response to liabilities due to data breach

In the wake of global regulations and ITAA 2008, specifying increased civil as well as
criminal liability per data breach, most of the organizations are responding by:
• strengthening their mechanism for monitoring & incident management, and
While there is • creating awareness within the organization and third parties.
greater awareness
of global
regulations, the
My Organization can be sued under ITAA 2008 by (% respondents)
implications of
ITAA 2008 remain 60
50
largely unknown. 40
30
44 49
20
31 33
10 22 16 2 2
0
Yes No Not Sure ITAA 2008 is not
applicable
End Customers Employees
Awareness on ITAA 2008

There seems to be a lack of clarity amongst respondents regarding applicability of ITAA
2008 as more than 50 percent respondents either responded negative or ‘not sure’
with respect to their liabilities under ITAA 2008.
Creating awareness on ITAA 2008

Low level of awareness around ITAA 2008 could be understood from the fact that
almost 1/3rd of the organizations have not started specific initiatives towards creating
awareness on ITAA 2008 amongst their Top Management, whereas 2/3rd of them have
not yet started creating awareness for their clients, employees and contractors.
Create awareness amongst (% respondents)

80
70
60
50
40
70
30
20 35
30 24
10 15
0
Board Top / Senior Employees Contractors / Clients
Members Management Third Party
employees
Steps taken in response to ITAA 2008 (% respondents)
Strengthening monitoring and incident

46
management mechanism
Identify the personal information flow to
39
the organization
Activating legal function 39
Revising organization’s security policy 33
Contacting external information sources 33
Extending the scope of security & privacy

33
to cover employee's personal data
Collaborating with competitors / peers 30
Review the vendor contracts 24
Identifying and making an inventory of

20
scenarios
Developing a strong forensic investigation
17
capabilities
Response to ITAA 2008
Since most of the organizations have not even involved their legal function to interpret
and suggest necessary safeguards to comply with ITAA 2008, they don’t realize the
impact of the breach. This is highlighted by the fact that 67 percent organizations have
not extended the scope of the security and privacy program to cover employee
personal data.
ITAA 2008 as a driver for technology investments
Organizations’ lack of focus towards ITAA 2008 could be related to the fact that more
than 2/3rd of the organizations consider global regulations as a primary driver for their
technology investments to enhance information security and regulatory compliance.
ITAA 2008 as a Driver (% respondents)
80
70
60
50
40 72
30
20
10 19 26
11
0
ITAA 2008 is Global regulations ITAA 2008 has ITAA 2008 does not
significant as a primary driver recently acquired a have any bearings
investment driver place in the on investment
discussion decision
Internal
processes
Key findings
?Organizations involve process

owners and Lines of Business in
their data security initiatives
?Organizations keep a vigilant track of

new issues, vulnerabilities and
threats. However, most of them do
not have a mechanism in place that
is capable of swiftly testing the
relevance of these issues in their
environment
?More than half of the organizations

surveyed do not mandate vendors /
third parties to report new threats
and vulnerabilities in their products /
services
?The industry has matured over the

years in terms of processes such as
security incident management,
BCP/DRP and physical security
management.
Being prepared
Internal processes of organizations have matured over the years to a point

where most of the organizations are keeping track of threats & vulnerabilities
and have also established processes for employee background screening,
security incident management, BCP/DRP and physical security control.
Data centric approach
Organizations are bringing a data centric approach in their security initiatives by

understanding the type of operations, client requirements and underlying resources
and access patterns. Further, organizations are increasing aware on how data is
managed in its life cycle and having granular level visibility over the data in each of its
client relationships and business processes. The survey also reveals that 78 percent of
the organizations involve process owners and Lines of Business in their data security
initiatives.
Data sentric approach (% respondents)
Involvement of process owners & LoB in the

78
data security initiatives
Understanding about the type of operations,

76
client requirements etc
Aware of how the data is managed in its life

66
cycle
Data classification techniques have been

66
deployed and followed rigorously
Granular level visibility over the data 64
Organization is aware of issues in the client

50
environment
Uniformity of controls is maintained at both

36
client & organization's environments
Level of perceived risk (% respondents)
Human Resource Operations 73 17 10
Health Information Processing 72 17 10
Finance and Accounting 72 28 0
Payroll Processing 66 24 10
Legal Processing 54 27 19
Customer Interaction and Support 53 28 19
Billing Management 46 46 8
Business Analytics 41 44 16
Knowledge Services 39 45 16
Supply Chain Management 22 56 22
Procurement Services 22 61 17
Engineering and Design Services 13 47 40
Printing and Publishing Services 0 38 62
0% 20% 40% 60% 80% 100%
High Medium Low
Perceived risk based on lines of service
Global regulations could be the prime reason why organizations perceive business
processes involving personal information as high risk. More than 2/3rd of the
organizations perceive the following business processes as high risk:
Human resource operations

?
Health information processing

?
Finance & accounting

?
Payroll accounting.
?
Processes involving personally identifiable information are perceived

as high risk.
Keep track of evolving threats & Keep track of evolving threats & vulnerabilities
(% respondents)
vulnerabilities
Organizations have established appropriate Risk based internal or external audits 86

measures to keep track of new threats and
vulnerabilities, wherein they subscribe to Subscribing to newsletters 76
newsletters, CERT-In alerts, exploit databases and
by periodically visiting websites of data security Through websites of data security vendors 74
vendors. However, there is a need for collaborative
Subscribing to vulnerability, exploits databases,
effort amongst peer organizations which could 68
etc
benefit the entire industry. Organizations should
also consider stronger engagement with Subscribing to CERT-In alerts 62
vendors/third parties and insist that they report

new threats and vulnerabilities in their products / Through peers / competitors 54
services so that appropriate controls could be Security research reports of product and
implemented in a timely manner. 46
professional organizations
Mandating the vendors to report new threats &

44
vulnerabilities in their products
Through discussions on security forums on the

40
internet
Subscribing to Analysts reports 32
Provided by the client organizations as part of

30
their Risk Management process
Threat & vulnerability management

(% respondents)
Keep vigilant track of new issues, vulnerability

84
and threats
While
organizations keep The version of each critical asset is up-to-date 76
a close eye on
Integration with IT infrastructure management
threats and processes
72
vulnerabilities,
IT infrastructure is homogeneous 62
they lag in swift
response. An architectural treatment is given to threat and
60
vulnerability management
Mechanism to test the relevance of issues

56
swiftly, without delays
Scope of the function is extended to mobile

50
computing devices etc
Collaborates with agencies like CERT-In and

46
other knowledge sources
IT infrastructure is heterogeneous 26
Compatibility of business application & cost

24
hinder to make the asset up to date
Threat & vulnerability management
The survey reveals that organizations are tracking threats and vulnerabilities. However,
most of them do not have a mechanism in place that is capable of swiftly testing the
relevance of these issues in their environment. Majority of the organizations ensure
that version of each critical asset is up-to-date to make the asset free of vulnerabilities.
However, 24 percent of the organizations face compelling reasons such as
compatibility of business application and cost escalation hindering version upgrades.
Further, heterogeneous nature of IT infrastructure poses challenge to around 26
percent of respondents in managing threats and vulnerabilities.
Solutions adopted for data protection
Organizations have adopted solutions related to encryption and have started to

develop fraud management and forensic capabilities internally. In the wake of data
protection regulations, more than 50 percent of the organizations have deployed or are
planning to deploy the following solutions:
?Hard Disk Encryption

?Email Encryption
?Data Loss Prevention (DLP)
?Security Incident and Event Monitoring (SIEM)
?Mobile Data Protection
?Legal and Compliance Management.
Solutions deployed or planning to deploy (% respondents)
Hard Disk Encryption 78
Email Encryption 72
Data Loss Prevention (DLP) 66
Security Incident and Event Monitoring (SIEM) 62
Mobile Data Protection 52
Legal and Compliance Management 52
Database Activity Monitoring 46
Data Masking 44
Fraud Management 42
Compliance Notification Services 36
Threat Management for mobile computing devices 34
Computer Forensic 28
Do not have sufficient budget 6
Background screening
Employee background screening is one of the key controls in terms of security,

especially when employees have access to critical / confidential information of clients.
Background screening is also important from the fact that a majority of the
organizations see internal threats as one of the key drivers for data security.
Background screening is one of the basic controls for ensuring security; this is evident
from that fact that 72 percent of the organizations follow this process for all their
employees. Realizing that background screening is not their core competency, 80
percent of the organizations have outsourced it to third party vendors.
Realizing the importance of background screening, NASSCOM started the initiative

called National Skills Register (NSR), to have a credible information repository about all
personnel working in the IT and BPO industry. Most of the participants are aware of
NSR and its value. However, the adoption of NSR as an exclusive source for employee
background screening has been limited.
Background screening is conducted for

(% respondents)
14 10 72
Selected relationships Selected Lines of Service
All employees
Background screening is conducted by

(% respondents)
Internally 18
By Third party 80
Both 12
Security incident management (% respondents)
Mechanism exists for internal employees and customers to report incidents 84
Logs are securely managed and archived in accordance to compliance

78
requirements
Incident management supports data breach notification requirements

71
(regulatory) of clients
There is a formal reporting mechanism to report incident to the management,

69
client and regulatory authorities
There is a mechanism to define detective and investigative requirements 67
Incident management mechanism is integrated with organization IT

67
processes for remedial actions
Scope of security monitoring is extended to all the critical log sources 63
Real time monitoring mechanisms exist that can proactively detect anomalies 59
Business rules are defined to identify incidents 57
There is an inventory of all the possible scenarios that can lead to an incident 55
Effective solution is implemented for log management, security monitoring

53
and incident management mechanism
Incident management mechanism takes inputs from external knowledge

47
sources on vulnerabilities, anomalous patterns and threats
There is a mechanism that generate an incident based on patterns and

41
business rules
Incident management mechanisms supports forensic capabilities 37
Collaborate with CERT-IN for incident reporting and response 33
Scope of the incident management is extended to third parties 29
Security Incident Management
Most organizations state that they have formal security incident management in place.
Most of the respondents have established mechanism for internal employees and
customers to report incidents, define detect & investigative requirements and
proactively detect anomalies. The survey reveals that 71 percent of the organizations,
incident management supports data breach notification requirements of clients.
Further, the incident management process is integrated with IT processes for remedial
actions and almost 2/3rd of the organizations have extended the scope of security
monitoring to all critical log sources. Organizations have formal processes for reporting
security incidents, but only 29 percent of them extend the scope of incident
management to third parties.
Business Continuity / Disaster Recovery Planning
The survey revealed that respondents have a mature BC/DR planning process in place
wherein the scope of BCP/DRP covers strategies for client business processes and
BC/DR plans cover recovery objectives of each client relationship being defined. The scope of BCP/DRP
most elements of for most organizations, also cover scenarios like city outage and externally provisioned
organization’s systems, applications and networks. Organizations also realize that the knowledge
internal around BCP/DRP is important, therefore emphasis is given to providing cross-
functional training and BC/DR drills being conducted frequently. Though significant
boundaries, but level of automation exists for DR operations, organizations are yet to adopt automation
few include tools for the entire BCP/DRP. This is evident from that fact that more than 40 percent
aspects relating to of the organizations follow manual processes and do not have operational metrics to
third parties. help take routing decisions. The survey further revealed that though the processes for
many organizations around BCP/DRP are matured, only 50 percent of organizations
have realized that third parties should also be mandated to meet BCP/DRP
requirements.
The scope of BCP/DRP (% respondents)
Covers the strategies for client business processes 78
Extended to cover scenarios like city outage 76
Recovery objectives for each client relationships 74
Covers the externally provisioned systems, application and network 66
For BCP/DRP (% respondents)
Adequate technical measures are deployed to migrate or route business

73
processes from one operational location to other
Drill is conducted frequently 73
The knowledge is managed effectively 70
Emphasis given on providing cross functional training to employees 66
Architectural treatment given to availability preparedness that drives

64
redundancy of infrastructure components
Contracts with third parties include obligation to meet our BCP / DR

50
requirements
For BCP/DRP there exists (% respondents)
Mapping of each of business operation with associated Infrastructure

80
component
Significant level of automation for DR operations 58
Operational metrics to help take routing decisions 56
Automated tool to perform BCP/DR process 28
Physical security (% respondents)
Adequate controls exists for perimeter, entry points and interior areas 98
There exists a mechanism for identification and authorization of employee 98
Entry to the delivery centers is restricted to authorized persons only 96
A process exists for the movement of assets into the operating areas 88
Physical security function is owned by the Admin department 88
A process exists for provisioning and de-provisioning access of visitors,

86
partners, and support services
Physical security operation is driven by stringent and consistent processes 84
Significant level of collaboration exists between physical security, information

82
security and other functions of the organization
Segregation of duties is maintained in shared facilities 78
The scope of security testing is extended to cover physical security controls 76
The scope of the security monitoring and incident management mechanism

72
is extended to integrate the physical security components
An architectural treatment given to the physical security countermeasures 70
Physical security is integrated with IT security through competent solutions 48
There is centralized monitoring of physical security across various locations

48
by Physical Security Operations Center (PSOC)
Physical security function is owned by the IT department 6
Physical Security
The respondents realize that risk of data leakage increases once a person has physical
access to the operational facility. Therefore, organizations have established strong
physical security controls for perimeter, entry points and interior areas along with
mechanisms for identification & authorization of employee. Organizations also ensure
significant level of collaboration between physical security, information security and
other functions. However, in most of the organizations physical security is not
integrated with IT Security.
In the times of digital convergence, physical security and digital

security controls remain disintegrated.
Way forward
Over time, the Indian BPO Industry has withstood significant customer and regulatory
scrutiny, and has been able to demonstrate that it is able to embrace data security and
privacy governance processes that are required as a minimum baseline for providing
outsourcing services in a high trust mode. While customers have largely driven
consciousness of risks and requisite controls, most organizations in the industry have
developed frameworks that aid them in first line defense, detection, and reacting in an
appropriate manner to events that threaten this high trust environment. The industry
also continually expands its horizons to newer markets, and has gained a reputation in
understanding its exposure to legislation and regulation in varying markets. C-level
executives of the BPO industry are well conversant with their responsibilities and
liabilities from a data security and privacy standpoint, and implications of risks
emanating from these topics regularly underpin the strategic priorities and decision
making processes of such executives.
One of the themes emerging from the survey is that while the BPO industry has
attained a high level of maturity on data security, business continuity preparedness,
background screening of employees, etc., there are many emerging issues that require
its attention. These issues are majorly attributed to the rapidly evolving security and
regulatory landscape.
Global regulations require organizations to protect the privacy of end customers. The
interpretation of these regulations is becoming a significant challenge, requiring a
dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving
away from the current practice of positioning privacy within the ambit of security. The
privacy function will have to bring the necessary regulatory intelligence that supports
the geographical expansion of organizations. On the other hand, it will have to
reengineer organization’s processes to demonstrate compliance to the regulations.
The ever changing threat landscape is driving organizations to redefine their security
strategies and programs. The rising complexity and heterogeneous nature of
underlying infrastructure pose a significant challenge in doing so. They need to build
the right capabilities for maintaining their security posture and responding swiftly to
the new threats.
Over the years, BPOs have witnessed substantial growth and have penetrated into
new Lines of Service. In doing so, they are challenged with protection of sensitive
client data. A particular Line of Service is characterized by a specific set of security
concerns and liabilities. To sustain its growth, BPO industry should pay close attention
to understanding of the risks and liabilities associated with the Lines of Service it is
serving.
To overcome the challenges identified by the survey, it is important for the

organizations to adopt a data-centric approach to manage security & privacy risks and
review all processes, functions and client relations from the data perspective.
BPO as an industry is facing unique challenges and there is a strong case for
collaboration between organizations. The industry treats security as hygiene rather
than a competitive advantage. The entire industry can learn from its experiences, and
provide a consistent and unified message of a high trust environment at the industry
level.
Acknowledgments
DSCI Core Team

Vinayak Godse Director – Data Protection
Vikram Asnani Senior Consultant – Security Practices
Rahul Jain Senior Consultant – Security Practices
KPMG Core Team

Navin Agrawal Executive Director
Nitin Khanapurkar Executive Director
Atul Gupta Director
Vijay Subramanyam Director
Vidur Gupta Associate Director
Deepak Agarwal Consultant
KPMG Survey Team

Abhijit Varma
Ankit Goel
Arihant Garg
Jignesh Oza
Lekha Ragupathi
Nayab Kohli
Nitin Shah
Rahul Gupta
Rahul Singhal
Sundar Ramaswamy
Syamala Raju Peketi
DSCI Project Advisory Group

N. Balakrishnan Chairman, DSCI and Associate Director, IISc Bangalore
BJ Srinath Senior Director, Cert-In
Anjali Kaushik MDI Gurgaon
Akhilesh Tuteja Executive Director, KPMG
Kartik Shahani Country Manager, India and SAARC, RSA
Satish Das CSO, Cognizant
Baljinder Singh Global Head of Technology, InfoSec & BCM, EXL Service
Vishal Salvi CISO, HDFC Bank
Ashwani Tikoo CIO, CSC
PVS Murthy Global Head – Information Risk Management Advisory, TCS
Deepak Rout CISO, Uninor
Seema Bangera DGM – Information Security, Intelenet Global
KPMG Contact DSCI Contact
Atul Gupta Vinayak Godse

Director, IT Advisory Services Director - Data Protection
KPMG in India DSCI
T: +91 124 307 4134 T: +91 11 2615 5071
E: atulgupta@kpmg.com E: vinayak.godse@dsci.in
www.kpmg.com/in www.dsci.in
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks
or trademarks of KPMG International Cooperative (“KPMG International”), a Swiss
entity.
Copyright © 2010 DSCI. All rights reserved. Printed in India.

KPMG DSCI Data Security Privacy Survey 2010

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

KPMG DSCI Data Security Privacy Survey 2010

Uploaded by

Copyright:

Available Formats

State of Data Secutiry and Privacy in the Indian BPO Industry

Message from CERT-In

Businesses continue to drive IT operations, which in turn try to sustain existing

Dr. Gulshan Rai

Message from DSCI

This is the third DSCI-KPMG Security Survey, conducted in association with

Dr. Kamlesh Bajaj

Message from KPMG in India

Data Security and Privacy 08

Information Security Governance 16

Some of the findings of the survey are as follows:

?Customer requirements remain primary drivers for data security to most

?Almost 50 percent of the organizations are negotiating contracts to ensure

?CISOs of majority of the organizations are spending significant time on

?Only 44 percent of the respondents are mandating vendors / third parties

?There seems to be lack of clarity amongst organizations regarding their

?More than 75 percent of the organizations involve process owners and

As part of this initiative, 50 organizations were surveyed with the following

?Positioning of data security and privacy in the BPO organizations -

?Strategic options adopted for Business Continuity and Disaster Recovery

Data security and privacy

Information security governance

?Client/contractual requirements and

?Organizations perceive that key

?Respondents are conscious of their

?Organizations focus on data privacy

?Majority of organizations do not have

Finding its place

Survey reveals that to address end customers’ concern vis-à-vis their

Drivers (Data security) (% respondents)

Source: DSCI-KPMG Survey 2010

Drivers for data security

Majority of respondents consider security as a hygiene factor rather than a

Clients continue to drive the information security requirements. They

Security Team Size Security function positioning (% respondents)

Source: DSCI-KPMG Survey 2010

Respondents believe that organizations place due importance to security function

Security is still a centralized function as revealed by the survey. However,

Maturity of security practices (% respondents)

Focus on ISO 27001 82

Continuous Vigilance on evolving issues 78

Keeping top management aware of the risks

Constant review of the environment 70

Providing architectural treatment to security

Use enterprise portal to manage security

Collaborate with external sources & internal

Proactively adopt techniques such as threat

Focus to innovation in the security initiatives 44

Source: DSCI-KPMG Survey 2010

Maturity of security practices

Organizations are following standardized processes by taking major strength from

• Providing architectural treatment to security solutions

• Usage of enterprise portal to manage security

• Adopting techniques such as threat modeling, threat tree, etc.

• Focusing on innovation in security initiatives.

Drivers for data privacy

Data privacy, as with data security, is primarily driven by client/contractual

Drivers (Data privacy) (% respondents)

End customer concerns over trans-border

65 31 4 Global data protection regulations

56 35 8 Data privacy clauses in client contracts

50 46 4 Client’s privacy program