Data Privacy Laws and the BPO industry

Business process outsourcing (BPO) is the company practice of subcontracting or outsourcing non-core business activities to a third party. The growth of this industry has been consistent in the country for the past several years. So much so, that it’s been declared as an important contributor to the Philippine economy. It has not only generated jobs for Filipinos but also various businesses that serve the needs of the industry itself.

On most occasions, it is multinational firms that engage in BPO as a strategy. They enter into a contract with a service provider (i.e., BPO company) that can carry out the activities they would otherwise be expected to perform. This practice has become so commonplace that many BPO companies are now popular global brands themselves. Just like some of their principals or clients, they now also set up offices and operate in multiple locations around the world.

The Philippines is a preferred BPO site due to skill and financial considerations. BPO companies here provide a wide range of services to an equally diverse roster of clients or accounts. Thus far, the functions often outsourced include both back office (e.g., human resources, accounting, research, and information technology) and front office functions (e.g., customer service, marketing, sales, and technical support). The overall range, however, continues to expand through the years.

When one looks closely at these outsourced functions, it’s clear they usually entail personal data processing activities. In customer service calls, for example, a BPO employee ordinarily collects and processes a lot of customer personal data. The actual scope of the data collection is usually determined by the type of transaction involved. Because of this, BPO companies are brought under data protection laws and regulations, like the Data Privacy Act of 2012 (DPA). The law applies to any individual or organization involved in personal data processing including those who, although not found or established here in the country, use local equipment or maintain an local office, branch, or agency.  

But it’s not only the BPO companies. Their principals, which are headquartered in other countries, are usually subject to similar policies. Some of the relevant laws existing today include the General Data Protection Regulation (GDPR), the Privacy Act of 1988, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which govern European countries, Australia, and Canada respectively.

In some instances, these foreign laws apply even to the BPO companies themselves. Take the case of accounts based in the United States. While that country has no federal privacy law, it does have state data protection laws, like the California Consumer Privacy Act (CCPA. On top of that, there are also sectoral privacy regulations such as the Health Insurance Portability and Accountability Act (for health) and the Payment Card Industry Data Security Standards (for financial information). These policies have not only managed to provide protection to individuals, they have also had an impact on BPO firms, particularly in the way they design and implement their compliance and accountability regimes.

That said, data privacy policies in general have had a significant effect on BPO companies. One aspect this has been evident is in their compliance with transparency requirements (i.e., telling data subjects what is done to their personal data). Transparency is a key feature of all data protection laws. Incidentally, it is also central to the industry given the fiduciary relationship between BPO companies and their principals. Another major influence spawned by data privacy laws has been the implementation of effective privacy management programs. While most BPO companies have a strong information security framework—one that is compliant with globally recognized standards—one can’t say the same when it comes to data privacy. The latter, after all, is, although related, a separate concern and usually requires a different set of guidelines, risk assessment, and security measures. Integrating it to an existing information security framework requires careful planning and proper execution. These two, along with many more, highlight the extent of the impact that data privacy has had on the BPO industry.

To make sure they comply with all regulatory requirements, BPO companies must always consider those declared as best practices within their industry. The involvement of top management and proper coordination with their principals is always crucial. The latter is particularly true when  the execution of appropriate contracts and adherence to data processing protocols are concerned. The importance of following all applicable data privacy laws should be emphasized in all of them. Appointing a local data protection officer must be prioritized, too, since having a global lead in this area has its limitations. Someone must spearhead efforts towards the development and implementation of various data privacy measures. Simply passing on the task to other officers (e.g., Information Security, Compliance, or Risk Management) has significant drawbacks.

There is no doubt that it is an enormous task. Every step needs to be measured and implemented well. But it’s not like one actually has a choice. Data privacy laws are here to stay and they will only continue to evolve through time. To make the challenge less daunting, it may be helpful for BPO companies to appreciate compliance as also protecting their interests, not just in terms of avoiding liability, but also in showing the world that they are not just all about profit and business. They care about privacy and human rights, too.