Data Flows and Data Mirroring. Benjamin S. Hayes, Americas Data Privacy Compliance Lead, Accenture, LLP. What data is flowing across borders, and where is it going? Why is the data moving? What are the trends?
29e Conférence internationale des commissaires à la protection de la vie privée
Data Flows and Data Mirroring
Benjamin S. Hayes
Americas Data Privacy Compliance Lead
Accenture, LLP

Data Flows and Data Mirroring
• What data is flowing across borders, and where is it going?
• Why is the data moving? What are the trends?
• Predictions for the future
• Outsourcing: myth and reality

Example 1: Commercial website
Content / functionality modules (not including web advertisements) supplied by various third parties:
• Dell
• Careerbuilder.com
• Google
• People magazine
• Yahoo
• Accuweather.com
• Time.com
• AOL
• Fortune
• Etc., etc., etc.

Commercial Website (cont.)
• Each module, in turn, is likely powered by a service provider to Google, Time, AOL, etc.
• These service providers may outsource part or all of the functionality to a subcontractor.
• Data input through a module may be accessible to multiple parties in multiple geographies.
• Virtually all of the controls to protect data will be contractual (as opposed to compliance with laws).

Example 2: HR Outsourcing
• Services typically involve providing the majority of personnel administration functions:
  • Payroll
  • Benefits enrollment
  • Change of status
  • Communications to employees
  • Helpline for employee inquiries

How a hypothetical HRO is staffed
• Assume client is in US, UK, NL and Belgium.
• Deal may be signed in London between Client UK and Accenture UK.
• Accenture consultants in US, UK, Argentina and Manila.
• Call centers in Buenos Aires, Warsaw, and Kuala Lumpur to ensure 24 hr coverage.
• Data processing in Bangalore.
• Printing / mailing performed by third party in US.

Why are services provided this way?
• Primary reason: cost
  • The search for efficiency and savings drives outsourcing.
  • Strong pressure on public companies to produce profits for shareholders.
• Secondary reasons:
  • ability to distribute work to expert teams in various geographies
  • 24 hour capabilities
  • languages

Added complexity: communications infrastructure
• Servers are located in service locations, but are backed up on different continents for disaster recovery purposes.
• Secondary backup servers (“fail-over capacity”) may be in yet another country.
• The widely distributed service delivery team may use a private group website (hosted in Chicago, serviced from India) to collaborate on projects, share drafts, etc.
• The advent of VOIP may mean re-examining assumptions about the privacy/security of voice communications: caching, routing, clear-text packets, etc.
• All of this means a complex web of Model Clauses and other data transfer agreements must be applied to follow the data, which is difficult to administer.

Predictions for the future
• The distribution of data and segmentation of business processes is driven by economics and improvements in information technology. Bandwidth availability will continue to improve, which will drive further distribution of data and segmentation of business processes.
• More businesses will engage in transitory data processing instead of traditional controllership.
• Business realities require consistent administration of data from many sources. This means there is economic demand for harmonized international rules regarding data sharing.
• Increased or disharmonized regulation that interferes with transborder data flows will mean some economic efficiencies are unrealized.
• Territorial limits on transborder data flows may do little to address actual risks. A risk-focused (rather than territorial) regulatory regime would be more protective of consumer interests.

Outsourcing Myths
• Work is performed in substandard conditions, employing uneducated, untrustworthy people.
• Information security standards are lax.
• Data is necessarily less safe than it would be in its home country.

Outsourcing: Reality
• Work is performed in modern business conditions by educated, trained, screened personnel.
• Information security standards are extremely strict.
• Data is safer than it might be in many other places.

Accenture Delivery Centers are focused on security expectations and are audited
• Bangalore has been certified at Level 3 of the eSourcing Capability Model for Service Providers by Carnegie Mellon University (1st outsourcer in the world to receive this designation).
• 17+ Accenture delivery locations to receive SAS 70 Level II audits in 2007.
• 8 centers are currently compliant with ISO 27001; 3 more will be added in October, 2007 (represents most of Accenture’s outsourced service delivery locations); variety of other standards certifications in place.
• Global mandatory training on data privacy for all personnel.