
In the digital age, with technology advancing daily, businesses whose core activity is not IT may not want to spend money on capital infrastructure that depreciates the moment it is purchased and quickly becomes out of date. Add the costs of managing, maintaining and securing those systems and it is understandable why, financially, an organisation would look to a third party supplier to outsource this function. A business can free up money to focus on its core activities rather than tie it up in IT infrastructure, and there is immediate scalability, so capacity can quickly be added or removed depending on the demands of the business, especially if it is a seasonal one. However, if you are thinking about making this step, or have already done so, it is important to understand that there are risks involved. By contracting with a third party supplier you are not outsourcing those risks: you remain exposed to them just as if you were operating your own system.

Loss of Control

Outsource providers can work on a cost basis because they look after many clients, and there is a good chance that you will not be their largest or most valuable one, so response times and priority may not be what you would expect from an in-house IT function. If your service provider suffers a technical issue, they will be responding to a number of clients at the same time. What are your provider's disaster recovery plans, and how often do they test them? It may be worth running simulated tests with your provider to check their response, especially around any business-critical systems. By outsourcing your IT you are expanding the boundaries of your business: your business activities are no longer kept within your office locations, they are now under the control of a third party. What do you know about their security, or where the data centres are located? Do they allow your "virtual neighbours" physical access to the site? Is the centre on a flood plain? Security is only as strong as its weakest link, and by adding service providers to your business process you are adding more links to that chain and potentially increasing the chance that something will go wrong. It is not just the physical security of a provider that should concern you but also their financial security. Will the provider still be around in 12 months' time? Are they able to keep hold of their staff? It may be wise to ask for a copy of the provider's latest reports and accounts for your peace of mind.

Data Protection

The Data Protection Act 1998 (DPA) sets out how personal data must be handled and has eight principles (see http://www.ico.org.uk/for_organisations/data_protection/the_guide/the_principles). It is the Data Controller who is responsible for ensuring that these principles are complied with. The Data Controller is defined as a person or organisation who makes decisions in regard to personal data, including decisions regarding the purposes for which and the manner in which personal data may be processed. As a business using client data this means you, so even if your data is being handled by a third party you remain responsible for it, and a breach of any of these principles can result in you being fined up to £500,000 even though the fault may have been caused by your IT provider. Two key principles are 7 and 8. Principle 7 makes you, not the outsource provider, responsible for having appropriate technical and organisational measures in place against unauthorised processing and against accidental loss of personal data. Principle 8 restricts transfers of personal data to countries of the European Economic Area (EEA) or to a country that "ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data". It is therefore up to you to ensure that data is not being sent outside the EEA, which means asking your provider where their data centres, including any backup or disaster recovery sites, are located. In addition, if your industry is subject to any form of regulation and audit, does the outsourcer have the right knowledge of your industry and of any particular requirements about the security of data? You will have to ensure that any IT provider complies with the standards your industry is expected to meet; otherwise you can be exposed to fines or penalties if they were to fail an audit.

Top tip: If you are contracting with any organisation that will be acting as a Data Processor for you, make sure you have a Data Processing Agreement in place that makes them responsible and liable for complying with the DPA and with any industry regulation you face, and that requires them to inform you of any breaches that occur.

Outsourcing IT  

Richard Hodson, Head of Oval Technology explains why Outsourcing your IT neither means that you are devoid of responsibility for your securi...
