
Posted

On 16 August 2012, the ICO published guidance on deleting personal data under the Data Protection Act 1998 (DPA). The guidance describes how organisations can ensure compliance with the DPA when they delete or archive personal data, explains what the ICO means by deletion and archiving, and introduces the concept of putting personal data ‘beyond use.’ The guidance aims to counteract the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated; archived information is “subject to the same data protection rules as ‘live’ information, although information that is in effect inert is far less likely to have any unfair or detrimental effect on an individual than live information.”

Given the fifth data protection principle which provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes,” the deletion of personal data is an important activity for organisations which control or process personal data. The ICO notes that, although the DPA does not define “delete” or “deletion”, a plain English interpretation implies “destruction” which, in the case of electronic storage, is less certain than, say, incineration of paper records, since information which has been “deleted” may still exist within an organisation’s systems in some form or other.

The ICO says that it will “adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place.” The ICO gives specific examples of where putting information ‘beyond use’ would be an acceptable alternative to ‘deletion’. For example, an acceptable alternative may arise where, for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch, or where information has been deleted with no intention on the part of the data controller to use or access it again, but which may still exist in the electronic ether where it is waiting to be over-written with other data. The ICO will be satisfied that information has been ‘put beyond use’ if the “data controller holding it:

  • is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
  • does not give any other organisation access to the personal data;
  • surrounds the personal data with appropriate technical and organisational security; and
  • commits to permanent deletion of the information if, or when, this becomes possible.”

With these safeguards in place, ‘data compliance suspension’ applies, meaning that the ICO will not require data controllers to grant subject access requests submitted by individual data subjects nor will the ICO take action over compliance with the fifth data protection principle. Businesses should take note that with recent high profile incidents, such as Google’s failure to wipe data gathered as part of its Street View service under a 2010 deal with the ICO, the ICO is taking a hard look at how organisations deal with important issues such as deletion and archiving of personal data, and should take steps to ensure that they have designed and implemented their data security policies appropriately. As a word of caution, the ICO does advise that where data ‘put beyond use’ is still held, it might need to be provided in response to a court order, hence data controllers should work towards technical solutions to prevent deletion problems recurring in the future.

Posted

Under the previous Transfer of Undertakings (Protection of Employment) Regulations 1981 (TUPE 1981) and the EU Acquired Rights Directive (ARD) it was not clear whether the definition of a relevant transfer caught “outsourcing” activities where there was a change of service providers or a contracting in or out of services. The UK and European courts used a number of factors to decide whether there was a “transfer of an undertaking” within the meaning of TUPE 1981, which led to a number of conflicting case law decisions on this point.

TUPE 2006 Regulations sought to address the difficulties in applying TUPE 1981 to outsourcing activities by extending the definition of a relevant transfer to include situations where:

  • there was a “service provision change” for outsourced or in-sourced activities, or
  • there was a change of contractors (Regulation 3(1)(b)) and immediately before the change there was an organised grouping of employees situated in Great Britain which had as its principal purpose the carrying out of the activities concerned on behalf of the client (Regulation 3(3)(a)).

As this definition goes beyond the scope of the ARD, the UK takes a more liberal view of what amounts to a “relevant transfer” than most, if not all, other EU countries. The TUPE 2006 Regulations were seen by many as gold-plating TUPE to apply in nearly all outsourcing situations.

The UK government is now looking to review TUPE 2006 and launched a “Call for Evidence” on simplifying TUPE 2006, including amending or removing the “service provision change” definition under Regulations 3(1)(b). As part of this process, businesses, employers, organizations and unions can submit evidence on how TUPE 2006 has impacted them or their clients. The “Call for Evidence” is a precursor to formal proposals for legal change and further consultation.

One of the questions to be considered is whether the increased certainty about the application of TUPE to service provision changes (by virtue of TUPE 2006) has resulted in benefits or burdens for businesses. In particular, the Government asks whether the 2006 amendments have reduced the need for legal advice prior to tendering or bidding for contracts, and whether they have led to fewer tribunal claims.

In my view Regulation 3(1)(b) and the conditions set out in Regulation 3(3)(a) have led to businesses being more confident that TUPE will apply to outsourcing activities unless they fall within the exceptions. Whilst the requirements of Regulation 3(1)(b) and Regulation 3(3)(a) appear to be more straightforward than the multi-factored approach required under TUPE 1981, recent cases decided by the Employment Appeal Tribunal (EAT) indicate that the appeal courts are taking a literal approach to the interpretation of Regulation 3(1)(b) and Regulation 3(3)(a). This may seem obvious, but before these cases were decided many held the view that Employment Tribunals would interpret TUPE in a purposive way so as to find that it applies, so that the individual’s employment is protected by way of their employment transferring to the incoming service provider (as demonstrated by the Employment Tribunals’ decisions in these cases).

For example, in the case of Eddie Stobart Ltd v Moreman (UKEAT/0223/11/) the EAT held that on the question of “the organised grouping of employees” the employees had to be organised intentionally by reference to the requirements of the client and not by a mere consequence of their shift pattern. If there was no planning or deliberate intent by the employer that the employees should work for the client, then TUPE did not apply. Also, in the cases of Taurus Group Limited v Crofts (UKEAT/0024/12) and Hunter v McCarrick (UKEAT/0617/10) the EAT makes it clear that the test set out in Regulation 3(1)(b) will only be met if the activities carried out by different contractors before and after the service provision change are on behalf of the same client. Therefore, if there was a change in ownership of the building (as in these cases) at the same time as the service provision change, then TUPE did not apply. Although in these cases Regulation 3(1)(b) did not apply, they do not rule out the possibility that in some circumstances there may be a relevant business transfer under Regulation 3(1)(a), effectively going back to the multi-factorial test applied under TUPE 1981.

It will be interesting to see what proposals come out of the Government’s Call for Evidence and what revisions will be made to TUPE 2006. The Hunter case is also being appealed to the Court of Appeal, which may take a different approach. In my view, the service provision change definition should remain in place because it does provide a welcome element of greater certainty than taking a multi-factored approach. However, there are clearly some grey areas where a review of the legislation would be welcome, such as whether TUPE should apply to the professional services industry and how it applies to split services where there are a number of providers. Recent case law is also a warning that, whilst TUPE 2006 provides increased certainty, it is not a guarantee that TUPE will always apply, and companies should seek legal advice where there is a potential TUPE transfer situation.

Posted

Based on a 2011 Gartner study, numerous website and industry blog postings, and almost every executive I’ve spoken with, it seems that innovation continues to be lacking in outsourcing relationships. All companies want it, all providers promise it, and no one is happy with the actual results.

The study suggests three key steps for how to “contract” for innovation:

  • Define Innovation
  • Develop and Execute an Innovation Plan
  • Reward Innovation

So what’s behind these principles? Consider the following:

Defining Innovation: Think of this as a college essay – “what does Innovation mean to me?” Like other buzz words in outsourcing (all together everyone say “Governance”!), Innovation means different things to different customers and providers. Defining “Innovation” in the outsourcing contract helps to ensure that everyone is on the same page. (For an additional perspective on different types of innovation, refer to a blog by Douglas Parker: “Innovation in Sourcing Relationships – The Pieces and Parts”).

Developing and Executing an Innovation Plan: Once Innovation is defined and agreed, develop an “Innovation Plan”. If defining Innovation provides parties with the agreed destination, the Innovation Plan provides the roadmap for getting there. Outsourcing agreements should document and track Innovation initiatives – but this obligation should not be, and really cannot be, one sided. A provider cannot develop an Innovation Plan for a customer’s business without active participation by the customer. So make sure to craft the related contractual provision realistically – if the customer is not engaged and invested in the process, the Plan is unlikely to be relevant or achievable.

Rewarding Innovation: If Innovation is one of the primary drivers or objectives of an outsourcing strategy, then the customer will be well served by structuring the right incentives for achieving the objective. It is unrealistic to think that a provider will invest time and resources to “innovate” on a customer’s behalf without receiving some sort of compensation for its efforts. Thinking through how to create a “win-win” for both the customer and the provider is critical to having both parties committed to the innovation process.

But these three principles are really just an extension of the fundamental tenets of a successful outsourcing deal – mutually agree on expectations, track performance against the expectations and compensate the provider appropriately for providing a “service” (in this case, Innovation). So why is it that Innovation in outsourcing remains so problematic? In my experience, two factors persistently create roadblocks to Innovation in outsourcing contracts — the pricing model and the level of control retained by customers.

Road Block #1 – Ineffective Pricing Models: A common approach to pricing outsourcing contracts is to define the “cost drivers” and then develop a pricing model that compensates providers based on those cost drivers. However, when a provider is compensated based on such a pricing model, the incentive to Innovate may actually be reduced. Let’s take an example from the health care industry. A primary cost driver for a provider performing claims processing services is the personnel cost (i.e., man hours). An outsourcing agreement for these services might therefore commonly be priced on either an FTE basis or on a “per manually processed claim” basis, each of which in effect compensates the provider for the amount of time its personnel spend processing claims. Although there may be benefits of using one of these pricing models – namely that they provide flexibility to address fluctuating demand – neither one actually creates an incentive to innovate. If the provider is paid based on some measure of the number of man hours or on the number of manually processed claims, why would that provider invest in innovative solutions that result in a higher auto-adjudication rate?

Road Block #2 – Too Much Customer-retained Control: A picture says a thousand words

[Cartoon: Innovation Image.jpg]

I laughed when I first saw this cartoon… and then realized that this is exactly what happens in most outsourcing agreements! Over and over, customers say that they want Innovation, and then the same customers say (in the same breath, sometimes) that they want to be able to dictate, to varying degrees, how the provider will perform the services. Perhaps customers should ask themselves: “Which is more important to me, knowing and being able to control how the outsourced work is performed, or being flexible and open to innovation that might provide me with significant improvements in performance or lower cost?” The more willing one is to be specific and strict on desired outcomes and flexible on the process to achieve these outcomes, the more likely that the provider can and (with the proper incentives) will seek innovative ways to deliver the services and meet the target outcomes. In the end, there is no simple formula or decision criterion for determining the right balance, but each deal and each customer should carefully consider the trade-offs and determine the right balance at the outset so that the deal is structured correctly.

To recap, I do not mean to suggest that Innovation cannot be an integral part of an outsourcing relationship. Indeed, it is often cited as one of the long-term strategic reasons for outsourcing in the first place (i.e., harness the innovation of providers with greater knowledge, focus, and skills in delivering these services). But I do think that experience has proven that customers, providers and sourcing advisors need to think a bit more critically (and dare I say, creatively) when structuring the solution and preparing contractual provisions in outsourcing agreements that foster Innovative behavior on both sides.

*Photo credit: http://creativityandinnovation.blogspot.com/2009/05/innovative-thinking-guidelines.html


Posted

What does the ideal outsourcing procurement process look like from the customer’s perspective? It is a process that enables the customer to put in place a deal quickly and efficiently with a minimum of friction and achieves the customer’s business objectives.

How often is this ideal realized? Not often enough.

Why not? There are many causes, but one contributing factor we frequently see is a bifurcation of the procurement process into a “consulting” phase and a “legal” phase.

In this flawed model, the “consulting phase” runs from development of a sourcing strategy through selection of a preferred supplier. This phase is typically led by an outside consulting firm retained by the client with most of the RFP and related documentation being prepared by the consultants based on their templates. Legal counsel has limited involvement in this phase.

After selection of a preferred supplier, the transaction moves into the “legal phase” in which the attorneys are brought in to hammer out the contract. During this phase, the consultants start to wind down their efforts (or start working to assist the client with transition planning) while the attorneys assume a lead role in handling much of the negotiations.

The “hand-off” that takes place between the consulting phase and the legal phase often results in a significant amount of re-work as the attorneys attempt to “contractualize” the substance of the RFP and proposal documentation and the results of the parties’ discussions during the consulting phase. This can result in significant delays, contention, mistrust and frustration as new issues are brought to light, new requirements are introduced and ambiguities are identified. To the supplier, it can seem as if the client is adding substantially more risk to the deal. To the client, it can seem as if the supplier is backtracking on commitments made in its proposal.

So what is the answer? To borrow a term from the financial world, “straight-through processing” or “STP.” When applied to an outsourcing procurement process it means that the RFP and other material created during the early stages of the process are constructed to flow smoothly into the final contract documents. Just as STP in the financial world is designed to optimize the speed at which transactions are processed and reduce errors, STP in outsourcing procurement is designed to make the process quicker, more efficient and produce better outcomes.

How is STP achieved? The key is integrating the “consulting” and “legal” resources throughout the entire procurement process. Every aspect of an outsourcing transaction that will ultimately be reflected in the final contract documents has both a “consulting” and “legal” component. This includes the scope of services, service levels, pricing, transition / transformation, and contract terms and conditions.
Consultants can provide technical and project management expertise, industry knowledge and financial modeling skills. Attorneys can provide an understanding of how the technical, financial and other aspects of the transaction need to be integrated into the final contract and the drafting skills to articulate the client’s objectives and requirements with clarity and precision.

Rather than dividing an outsourcing procurement between “consulting” and “legal” phases, clients would be better served by having a team of “advisors” that has integrated the consulting and legal skill sets. The integrated team of advisors would collaborate to achieve straight-through processing by constructing the RFP and other material to flow smoothly into the final contract documents. The advisors would continue to work together as an integrated team throughout the entire procurement process, including supplier evaluation / selection and negotiations.

This high level of integration will avoid the “hand-off” problem described above, leading to a faster, more efficient procurement process with better outcomes. Properly executed, it will also reduce the overall advisor cost of the deal.

Posted

Getting to the right price. If not the primary objective, it’s certainly one of the more important goals of any customer who has ever outsourced a piece of their operation. While striving for the lowest price possible, in order for the transaction – and long term relationship – to be successful, it must be beneficial to both parties. If a customer negotiates a supplier below the point at which they can make money on the service, there will be problems with that relationship. It might take a little while for them to surface, but surface they will.

One of the longstanding precepts of pricing in the sourcing world is to maintain, as closely as possible, a linkage between the underlying cost of providing the service and the price being charged for that service. No customer should begrudge their supplier making a reasonable profit, for without a fair return on their work, it is unlikely the supplier will be there in the future to support the customer. Hence, if the costs of providing the service plus a fair margin are equal, in as many cases as possible, to the price being paid by the customer, then the chances for a long, happy and productive relationship between the customer and supplier are good.

This does not mean that one should strive for a “cost plus” arrangement. On the contrary, that pricing paradigm comes with its own set of challenges. What this does mean is the price should be closely linked to the underlying cost of providing the service. An O/S image support charge is directly attributable to the labor and maybe some productivity tools that are used in the delivery of that server’s support. Conversely, the charge for a gigabyte of data streamed to a tape has no linkage to the underlying cost of providing data backup services.

Just a few weeks ago in Outsourcing Pricing Models: Recent Trends and Ever-Important Considerations we discussed an article from CIO Magazine that highlighted a trend in the industry to explore different pricing models. Customers are always looking for new ways to manage the cost of technology and commodity business functions and better align them with their lines of business. This is not a new concept and has been evolving for some time. In another example, about 18 months ago the Outsourcing Center assembled a panel of industry experts to discuss different approaches to pricing (see Outsourcing Experts Discuss New Flexible Pricing Models).

A desire for output-based pricing is a common objective for customers seeking alternative pricing structures. An insurance company wants to pay by the number of claims processed; a payables department wants to pay by the number of checks written or invoices processed; etc. When trying to achieve these types of billing metrics, the buyer must not forget the still relevant principle discussed above (cost + margin = price). The challenge often encountered with these output-based pricing metrics is getting to an objective, measurable and agreed-upon cost basis for each of the output events. Sometimes there is a direct correlation between output and cost, and in those cases output-based pricing is probably the right way to go. But sometimes the parties try to take the concept too far and bundle in costs that have nothing to do with changes in the volume of output. In those cases, there is often a hidden trap that catches either the client (through higher than necessary fees) or the supplier (through margin shrinkage or even loss).

The buyer of sourcing services should use caution when pursuing these types of pricing strategies in the absence of good historical metrics on the underlying cost structure. Suppliers try to give the customer what they want in as many cases as possible. If asked for an evolutionary pricing metric, most suppliers will try to accommodate the request. However, they will also ensure they are protected. When faced with a request to price for an unknown risk (e.g., if the underlying costs of a particular metric are not inherently clear), the supplier will mitigate that risk with either contingency funds, increased margin, or both. The customer may get the new billing metric they were after, but they may also end up overpaying for the service.

In summary, regardless of whether you are pursuing input-based, output-based or even a more revolutionary pricing metric, the underlying principle of cost + margin = price should be respected as a fundamental reality to supplier pricing. This should ensure you don’t overpay for the service and that your supplier earns a fair margin on their work. Both are necessary for a successful outsourcing relationship.

Posted

Change is hard. Big change is harder. And big change in big companies is extremely hard.

So it is not surprising that when it comes to large outsourcings, the amount of change can be a deal-killer. The friction costs of outsourcing can result in hurdles that are just too high to overcome – even for deals that ultimately produce significant savings and that clearly would be in the best interests of the company.

These friction costs of moving forward with an outsourcing transaction go well beyond the obvious “hard” costs of the service provider’s transition charges and cost of severance. The “harder” friction to overcome includes:

  • Internal organizations’ inertia and protection of their turf (let alone people protecting their jobs),
  • Lack of consensus and committed leadership within the company,
  • Limited resources and time to engage in an effective outsourcing strategy and process, and
  • Institutional knowledge that is not easily transferable to a service provider.

In the end, these frictions often lead to decisions not to outsource and instead to retain the status quo (or something as close to it as possible) because the sourcing becomes just too large of a jump for the company to make. This friction is exacerbated in companies that are larger, more mature and have become set in their ways – especially when those ways are inefficient and hard to reverse.

One way companies can minimize the frictions, if not avoid many of them altogether, is to consider outsourcing as early as possible in their corporate life cycles.

As new companies rise and grow, there are countless opportunities to source functions, including many that did not exist when today’s long-standing companies were at a similar stage in their life cycles. More and more sourcing providers are offering services, often built around software products, that cater to the needs of these early stage companies. Many of these sourcing providers are start-ups themselves; and many others are companies with a long history of outsourcing that are taking a renewed interest in smaller companies to capture future market share.

There are challenges to leveraging outsourcing in early-stage companies. For one, outsourcing may be counter to the start-up mentality that some of the smaller but fast growing companies encourage and depend on from their personnel. In addition, the benefits may not be immediate – in fact, the near-term business case may be upside down at a time when company finances may be scarce. Last, outsourcing may feel like a giving up of control, which is hard for small companies to do, especially for their founders and early employees.

But it is critical that early-stage companies take a longer term view, and at least evaluate the benefits that outsourcing may bring over time. For example:

  • Outsourcing can give the company more scalability than it would have in managing the function internally.
  • Outsourcing should bring some discipline and controls, which will be more critical – and harder to implement – as the company matures.
  • Once outsourcing becomes part of the company makeup, other outsourcings will be much easier to do successfully.
  • As highlighted in the beginning of this post, the friction costs – both real and perceived – will only get worse over time.

Early-stage companies typically focus on their revenue growth plans and customer-facing strategies. But they also need to focus on a long term operational delivery strategy, and outsourcing or even just “out-tasking” should be an early consideration. Failing to do so can lead to some missed opportunities and difficult challenges in making changes later down the road.

Posted

The U.S. Department of Defense, General Services Administration and the National Aeronautics and Space Administration (NASA) have issued a proposal to amend the Federal Acquisition Regulation (FAR) implementing Executive Order 13495, which will require government contractors that take over service work from other companies to offer jobs to certain categories of the predecessor’s employees.

The presidential order is intended to aid procurement efficiency and mitigate transition risk by preserving the service continuity of the predecessor’s employees, if the contract is awarded for the same or similar work in the same location. There are many similarities with the long-standing protections offered to citizens of the European Union, whose jobs are protected in certain circumstances by the Acquired Rights Directive (ARD). Under the ARD, an employee’s job is safeguarded by requiring a successor contractor to hire the employee from its predecessor on substantially the same terms and conditions (e.g., salary, benefits, years of service) as the employee enjoyed with the predecessor. Notably, the ARD applies to private sector outsourcing transactions, not just to government contracts as is the case under the proposed FAR regulations.

For any company that has sought to outsource its IT or BPO functions on a global basis, the implications of the ARD are impossible to ignore. It requires suppliers to conduct substantial due diligence on the customer’s HR policies and personnel before signing an outsourcing deal, and to make offers to the predecessor’s employees as opposed to using their own employees to perform the services. As a result, the supplier must factor the cost of hiring the new personnel into its solution, and in turn pass that cost back as a charge to the customer. Although the consequences vary from country to country, non-compliance with the ARD can result in hefty fines for both customers and suppliers, as well as potential criminal liability for certain breaches of consultation requirements in countries such as France.

Although the proposed FAR rule may have the same flavor as the ARD, it is unlikely to prove to be nearly as restrictive as the ARD. There are significant exceptions to the rule, including:

  1. it does not apply to services contracts valued at less than $150,000;
  2. a successor contractor may elect to employ fewer employees under its contract in order to provide the most efficient performance;
  3. managerial positions are exempted from the rule; and
  4. an agency may waive the application of the rule if it would impair the Federal Government’s ability to procure services on an efficient and economic basis.

The ARD has its own set of carve-outs, but those carve-outs are not nearly as generous as the exemptions provided above. In a recent article in Law360, Dietrich Knauth suggests about 15,000 service contracts will be subject to the proposed rule annually. It will be interesting to see how often agencies will seek to rely on exception (4) to preserve the economic efficiency of their service contracts.

Is this the start of a trend toward increased job protection by the United States? Will we see more of these types of regulations, and is it possible that such regulations could bleed into the private sector? If the laws of the European Union can be used as guidance, then the answers to such questions will have a major impact on the savings and solutions that suppliers are able to offer customers in second generation outsourcing arrangements.

Posted

A key finding in the Trustwave 2012 Global Security Report is that in 76% of data breach investigations a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This should concern any company that outsources the processing, storage or transmission of personally identifiable information (PII) to suppliers of IT or business process outsourcing services.

With the average cost of a data breach in excess of $5 million and the associated reputational risk, outsourcing customers should review their contracts to ensure they contain appropriate commitments and accountability from the supplier with respect to data security. Below is a brief outline of some of the key provisions that should be part of an outsourcing agreement.

Supplier Commitments: Suppliers should commit to the following:

Data Security Program – To maintain a comprehensive program with appropriate safeguards, procedures and controls for the protection of customer data. The customer should have the right to periodically review the program and audit supplier’s compliance with the program and other contractual requirements.

Legal / Regulatory Compliance – To comply with all existing and future data privacy and security laws applicable to the services. This commitment should include compliance with laws imposed on the customer for which the customer is dependent on the supplier’s performance to remain in compliance. If the supplier will handle personal health information (PHI), a HIPAA-compliant business associate agreement should be made part of the contract.

PCI DSS Compliance – To comply with PCI DSS requirements / guidelines and maintain PCI certification at the appropriate level (e.g., Level 1 Service Provider) if payment card information will be handled by the supplier.

Customer Policies – To comply with the customer’s written policies and procedures relating to data privacy and security, as they may evolve and change over time. In the event that a change to the customer’s policies would require the supplier to incur material additional costs, it is reasonable for the supplier to seek additional compensation for compliance (provided the supplier is not otherwise obligated to make the change based on other requirements of the agreement).

Industry Standards – To comply with the standards and practices embodied in ISO/IEC 27001 and 27002, and other relevant industry standards, as they evolve and change over time.

Location of Customer Data – To process, store and transmit customer data only in jurisdictions authorized by the customer. In light of restrictions in the EU and elsewhere on trans-border flows of PII, the customer may want to set a default rule in the agreement that prohibits the supplier from transmitting PII outside of the jurisdiction of the affected individual absent the customer’s prior written approval.

Access / Use of Customer Data – To use customer data solely to provide the services under the agreement and to limit access to customer data to supplier personnel and subcontractors on a “need to know” basis.

Supplier Personnel / Subcontractors – To perform background checks on supplier and subcontractor personnel and provide appropriate training on security compliance. The supplier should assume responsibility for any failure of supplier or subcontractor personnel to comply with the requirements of the agreement regarding PII and other customer data.

Encryption – To encrypt PII using industry standard encryption technologies (or as otherwise directed by the customer) in connection with the transmission or storage of PII.

Breach Response – In the event of a data security breach, to:

  • Immediately notify the customer upon discovery;
  • Investigate the root cause of the breach and present written findings to the customer;
  • Remediate the underlying causes of the breach; and
  • Fully cooperate with the customer in responding to the breach.

The customer should have the right to control the response to any security breach involving PII, including notifications to affected individuals, credit bureaus and governmental authorities.

Supplier Accountability: Suppliers should have a high level of accountability under the agreement for any failure to meet their commitments relating to data security, including the following:

Cost of Breach Response – Reimbursing the customer for all reasonable costs incurred by the customer in responding to a data security breach for which the supplier is at fault, including:

  • Forensic and investigative costs;
  • Legal expenses;
  • Fines and penalties;
  • Compliance with breach reporting laws and industry standards organizations (e.g., PCI), including notices to affected individuals, credit bureaus and governmental authorities;
  • Credit monitoring services;
  • Call center support; and
  • Other measures required by applicable law or that are customary at the time of the breach.

Indemnification – Indemnifying the customer for any third party claims or actions arising out of any breach by the supplier of its data security related obligations. For claims involving improper use or disclosure of PII, the customer should consider negotiating the right to retain control of the defense of the claim.

Liability Limits – Ideally, agreeing to unlimited liability for breaches of its data security commitments or, at a minimum, a limitation of liability framework that will enable the customer to recover a substantial portion of the losses it is likely to incur in the event of a data security breach for which the supplier is at fault. Some possible approaches to this issue are discussed in a previous SourcingSpeak blog posting: Are You Protected When Your Suppliers Lose Your Data?

Termination – Accepting the customer’s right to terminate the agreement for cause if the supplier commits a material breach of its data security obligations. The customer should not have to wait until there is a security incident or afford the right to cure the breach before terminating.

If your outsourcing agreement is missing some of the important protections described above, you should consider negotiating more favorable terms with the supplier at the next available opportunity.

Posted

Starting on 26 May 2012 the UK Information Commissioner’s Office (“ICO”) will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU’s Privacy and Electronic Communications Directive (the “E-Privacy Directive”) back in 2011, the rules on using cookies to track/store information on users are about to change.

Unless an exception applies, the new requirement essentially prohibits the use of cookies absent the consent of the user (unless the cookie is “strictly necessary”). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.

Practically speaking, those using cookies, including US operators targeting Europe (which is often overlooked), will need to take immediate steps, if they have not already, to ensure they do not fall foul of the law and face the consequences of non-compliance (a “do something” enforcement notice from the ICO or potentially a fine of up to £500K. Ouch!).

So what should you do before 26 May 2012?

1. Conduct an audit: Confirm what cookies are in use and what exactly they achieve (both your own and those of a third party).
2. Determine if exceptions apply: Consider whether an exception to the “opt in” rule exists (i.e. is a particular cookie “strictly necessary”?) Be cautious, however, as this exception is construed very narrowly. For example, guidance suggests that the “strictly necessary” exception applies only (1) where cookies remember the goods a user has put in a virtual basket, (2) for cookies providing essential security to comply with privacy law and (3) for cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.
3. Assess how intrusive each cookie is: This will dictate the “level” of consent required for each cookie.

Recent guidance from the UK ICO makes it clear that there is no “one size fits all” when it comes to obtaining valid consent and that relying on any form of implied consent via use is fraught with difficulties. Although the door appears to have been left open for implied consent in ICO guidance, it appears that this form of consent will only pass muster if a website operator is completely transparent as to the cookies in use and a clear notice is given to a user from the outset.

Any cookie used for analytical purposes or advertising, or which recognises a user so that a website can be tailored, should be approached with a great deal of care.

Website operators who have not considered the impact of these changes are advised to do so as a matter of urgency. You have been warned!

Posted

In previous blogs in September/October 2011 (Supplier Selection; Contract Negotiations; Relationship Management) I offered practical tips on how to manage and mitigate some of the risks that arise throughout the life cycle of a typical outsourcing. These risks may arise during the supplier selection process, in the course of contract negotiations or during the implementation and day to day operation of the outsourced services. In this final chapter on managing risks in outsourcing I will focus on exiting from an outsourcing contract.

The exit from an outsourcing deal gives rise to a variety of different risks for a customer, particularly an exit following termination due to the supplier’s default or termination for convenience by the customer.

Common risks which you may face as a customer upon exiting an outsourcing contract include:

  • disruptions or discontinuity in the supply of the services to your organization,
  • significant and unplanned costs,
  • loss of critical assets, software, know-how or other intellectual property,
  • delays in the exit process,
  • damage to your reputation,
  • unauthorized disclosures of your organization’s confidential or commercially sensitive information or data,
  • being locked into specific but inflexible exit arrangements,
  • loss of critical staff, and
  • poor or insufficient termination assistance being provided by the exiting supplier.

To the extent feasible, you should address these risks at the outset of the outsourcing. Exit planning should not be left until a termination is imminent, as suppliers will have little motivation or desire to be cooperative and agree to customer-favorable terms at that point, particularly if the relationship has deteriorated.

Exit plan
Although the comprehensive exit plan often is produced after the outsourcing contract is signed (as it may not be practicable to prepare the exit plan in detail at the outset), the principles and content of the plan should be specified in the outsourcing contract.

The exit plan should cover:

  • continued provision of the services for the duration of the termination notice period or the run-off to expiry and, if necessary, for a transitional period afterwards;
  • the supplier’s obligation to provide information (knowledge transfer) relating to the services to your new supplier or you if the service is to be brought back in-house;
  • terms addressing the transfer or licensing to you or your new supplier of assets, software, know-how and other intellectual property rights used by the existing supplier to deliver the services to you;
  • transfer of records prepared or data collected by the existing supplier in connection with the services to you or your new supplier;
  • transfer of relevant third party contracts to you or your new supplier;
  • treatment of the existing supplier’s employees who are in scope;
  • a process by which the supplier will provide reasonable assistance to you in connection with a re-tender of all or part of the services upon exit; and
  • general assistance and co-operation between you and your existing supplier.

The exit plan should be reviewed regularly and updated to reflect any changes to the services that occur during the term of the outsourcing contract.

Existing supplier appoints a suitably qualified exit manager
Just as you would in respect of transition at the start of the outsourcing relationship, you should require the supplier to appoint a suitable exit manager to oversee the supplier’s compliance with exit terms and act as your liaison during the termination and exit period. Given the criticality of this role, you may wish to have the right to approve the exit manager.

Some particular issues that you should address at the time of negotiating the outsourcing contract so as to facilitate a smooth exit include:

Express right to continue to receive base services

The outsourcing contract should include an express right for you to continue to receive the base services for a reasonable period after the expiration or termination of the outsourcing contract. This will enable you to continue to receive the services if the transition of the services to a new supplier or in-house does not go to plan. Ideally, the supplier should be required to provide those services at the same level of quality (i.e. service levels) required under the outsourcing contract. You also should remain free to terminate the base services at any time upon notice.

Maintain comprehensive and up to date asset registers
While an exit plan would usually require the supplier to transfer to you an agreed list of equipment that it owns and uses for the services, that transfer becomes problematic if that equipment cannot be identified. This issue is potentially more complex where equipment to be transferred is commingled with shared infrastructure to be retained by the supplier. To reduce these risks the supplier should be required to maintain comprehensive and up to date asset registers during the course of the outsourcing contract. You should also give careful consideration as to what will happen with shared infrastructure when the outsourcing contract is terminated, particularly in relation to third party contracts which support this infrastructure.

Transfer of third party contracts
It is not unusual for suppliers to have entered into third party contracts in connection with the provision of services. Some of these will be required by the customer or its replacement supplier following exit. The transfer of third party contracts is often contentious, but with some planning many of the problems that might arise can be avoided.

For example, you should:

  • as with assets and equipment, ensure that all third party contracts can be easily identified and that a contracts database is established and maintained during the course of the outsourcing contract;
  • require the existing supplier, when first entering into the third party contract, to make sure that the terms of those contracts include provisions that permit transfer upon exit and that there are no unreasonable provisions relating to such transfers to you or a new supplier;
  • work with the existing supplier to coordinate the communication process with third parties as there will be issues about confidentiality which should be addressed proactively; and
  • allow sufficient time in the exit process to obtain relevant third party consents and to implement the transfer of the relevant third party contracts.

Agree upfront who owns the developed intellectual property rights
During exit, the ownership and use of intellectual property developed by the supplier during the course of the service provision can be a contentious issue. Who should own intellectual property in developments, and the scope of any licences (such as whether they are perpetual or limited to the internal business purposes of the customer, and whether any licensing fees apply after exit), are matters for negotiation and should be agreed up front and not left until exit.

As with assets, equipment and contracts, it is important to identify what rights are to be the subject of the ownership or license discussions. Suppliers often fail to record adequately what they have developed. This issue can be avoided through effective contract management during the course of the outsourcing contract, in particular, by defining and recording what has been created by your supplier during the course of service provision.

Costs of exit
One of the most contentious areas of exit is costs. The different types of costs or fees, when they will be payable and whether they are factored into the agreed pricing model, should be identified to avoid disputes and surprises at termination.

An outsourcing can be a complex transaction to negotiate and the different scenarios for exit can be difficult to document. However, anticipating these complexities and their associated risks at the outset and addressing them in the contract and through appropriate contract management can mitigate the risk of a contentious and unmanageable exit from the outsourcing contract.