Today's
guest blog on data privacy comes from Sarah Seabury, Director at TPI. 
Musing time for sourcing advisors, and most executives these days, seems to be normally conducted at 30,000 ft. So no surprise that during my final descent to a country that I had never visited before, I found it interesting to consider how much data this new location already holds about me - despite the fact that I had yet to actually arrive.
Like most travelers I made arrangements in advance,
so my credit card details, personal address, passport number, business contact
details and probably much more arrived before I did. Possibly these details had
already been transferred to another country or a third party organization for
processing without my knowledge. Multiply this by all the countries that I've
visited and the many personal transactions involving my personal data during my
lifetime and what do you get? - a
virtual server with my name on it, over which I have very little control,
despite the fact that all the data fundamentally belongs to me.
Europeans have a healthy scepticism about giving their
data to companies and governments, a distrust that stems from mass migrations
and genocide during the second world war. Since then, various pieces of
human rights legislation have ensured that all citizens have the ability to
control the use, spread and quality of their own data - in effect, each person
lends their data for a specific purpose to a named organization. Companies
don't "own" personal data, but they are responsible for controlling it and
processing it.
A baffling array of densely written (and diversely interpreted) data protection legislation that mandates this tripartite arrangement in Europe between data subject, data controller and data processor has matured over the years into a series of practical and legal measures, which now looks set to spread round the world under various privacy guises.
So, should the sourcing community be concerned about the onward march of global privacy?
With my European citizen hat on I say "bring it on"! With my sourcing advisor hat on, my enthusiasm is more constrained, as the data protection legislation hasn't dented the massive uptake of outsourcing in Europe this year or the global spread of data processing services.
Interestingly the prize this year for the biggest UK privacy "foul-ups" was handsomely awarded to various government departments - who stubbornly hang onto processing citizens' data in-house in the UK and somewhat out of the reach of the UK regulator. Hopefully, a loop hole soon to be closed after loud public outcry.
The disciplines associated with setting up privacy compliant sourcing relationships force organizations to think about effective and respectful data processing. Issues of responsibility and accountability are discussed and documented. Technical, security and organization measures are implemented and then regularly audited. Processes are put in place to allow data subjects (that's you and me) to view, amend and even delete data - thereby improving transparency of use and data quality. Policies are written outlining an organizations approach to this subject and employees are trained how to implement the policy.
Sounds expensive to implement - but what is the price to pay for poor privacy? Well, it is difficult to estimate the economic cost of poor quality data, the collection and storage of personal data for no defined purpose or the exposure in the press of those companies who allow data to leak through poor security measures. The fines levied by the regulators are a drop in the ocean compared to the reputation damage suffered by the companies exposed. I much prefer to consider the customer trust side of the equation and give my business to those with a good privacy reputation. Similarly the corporate clients TPI advises are keen to establish relationships with suppliers who really understand privacy.
So the next time you are at 30,000 ft, gazing out of the aircraft window, spare a thought for all those bytes below you with your name attached.
