New business regulations often cause admin headaches for companies, and the enforcement of the Protection of Personal Information Bill is no different. The stringent requirements on companies to closely guard all personal details given to them by customers has led to many hassles with outsourcing certain business functions involving clients.
"Due to the sensitivity of client data, businesses that actively outsource their IT will be faced with changes to operational, financial and legal practices once the new Protection of Personal Information Act (POPI) comes into effect," says Global Micro MD JJ Milner.
Outsourcing growth
Worldwide and in SA, outsourcing remains a robust industry. IT is still chief among the business functions commonly outsourced ? Deloitte's 2014 Global Outsourcing and Insourcing survey puts IT outsourcing at as much as 60% penetration worldwide. And with the acceleration of tech innovation, it's no wonder why ? companies that aren't solely dedicated to technology can't keep up with the rate of change on their own, and outsource their technical work to companies with a far better track record.
This year's 2014 Grant Thornton Outsourcing survey showed almost half (48%) of local businesses admit to outsourcing their business processes, and of those, 73% say they've outsourced their IT functions to a third-party service provider.
Many predicted that 2014 would see IT functions brought back in-house, says Milner, but SA's protracted economic lag meant the cost benefits of outsourcing were a much needed relief for many.
With IT budgets continually trimmed to the bone, tech outsourcing is gaining critical momentum in the South African market, Veeam Software's regional manager Warren Olivier says. He points out that many local companies are moving to an opex (operational expenditure) business model. "Add to this the widening gap in IT skills, and it's obvious why third-party providers that can provide high-level strategic guidance and services are in such great demand," he says.
"We've certainly seen an uptick in conversations about outsourcing with local clients," says Desigan Naidoo, managing executive: consulting at Logikal Consulting. "It's well known in the market that outsourcing is very economical in SA, and organisations considering outsourcing have seen early adopters reaping the benefits, so now many are exploring the various models available," he says.
So where does POPI leave this booming industry? The Deloitte survey seemed to indicate that increased regulations related to data privacy are expected to reduce organisations' reliance on outsourcing as a business model, but this isn't necessarily the case.
Some have expressed concern that the legislation would lead to a decline in IT outsourcing across SA because of the extra costs and hassle involved with entrusting customer data to a third-party service provider, but Veeam's Olivier says what some see as a headache is really a good opportunity for those resourceful enough to take advantage of it. The new legislation could lead to a whole new branch of anything-as-a-service offerings: compliance as a service. "Clients want to be able to shift the blame, because compliancy can be so complex, and there will be companies willing to do that," he says.
Positive impact
Many in the local industry agree that POPI will likely increase outsourcing uptake. As Murray Steyn, executive head: commercial at Vox Telecom says, tech outsourcing could see a boost as organisations realise they may not have the skills in-house to deal with the requirements of the new legislation, and may need to bring in experts to assist them in becoming compliant.
Logikal's Naidoo reiterates that POPI enforcement won't stifle the outsourcing trend: "If anything, it may fuel the outsourcing conversation, because it presents an opportunity for service providers to offer a value-added POPI-ready service to clients, which will ease the challenge of compliance and add a new aspect of competitiveness."
Companies cannot be expected to know the ins and outs of this new law, so outsource to legal and IT specialists.
Murray Steyn, executive head: commercial, Vox Telecom
Global Micro's Milner argues that POPI will lead to avoidance, so outsourcing service providers may be called in for damage control before too long. "Companies are going to find ways to avoid regulatory obligations, rather than keeping by them. People are putting off major decisions due to POPI, and will be looking for service providers sophisticated enough to take over the responsibility if the problem escalates."
Naidoo agrees organisations can choose to avoid the uptake for some time, while they wait to learn from early adopters. "However, they run the risk of executing intensive transformation strategies against the clock, at a much higher financial and reputational cost."
POPI is not without its downside, though, as Milner explains: "IT outsourcing could add a level of red tape and potentially slow down the agility and speed at which cloud services can be consumed."
Incorporating POPI
According to Milner, advancements such as cloud computing and business-process-as-a-service are set to promote the use of outsourcing.
Steyn concurs: "Many companies outsource a portion or all of their IT because the fast-moving nature of technology means they find it difficult to stay up to date with current trends."
Olivier believes POPI will make service providers more cautious about the technology they offer to clients. "Making sure data is protected, recoverable and can be accessed by the client will all be main concerns," he says.
According to Milner, the implementation of POPI holds organisations entirely accountable for the protection of the personal information of the various entities they engage with on a daily basis, even when that information is being transferred to outside parties for processing or storage. "And this responsibility now has to move beyond a 'promise' of data privacy, as the new regulations demand compliance around what data can be obtained, how it's used and kept up to date, among other things."
It's well known in the market that outsourcing is very economical in SA.
Desigan Naidoo, managing executive: consulting, Logikal Consulting
He believes POPI will result in additional administration for the service providers with sound governance, but this is essential should organisations want to promote performance and compliance.
"Service providers able to be offer clients services complying with POPI will be ahead of the game," he says.
The enforcement of POPI is a watershed moment for the IT outsourcing business model, according to Naidoo, as organisations will have to re-examine service level agreements and governance, and amend systems, processes and policies in order to comply with the legislation.
Steyn advises companies to be proactive about complying with POPI. "Once it becomes effective, companies will have a year (possibly longer) to become compliant with the Act's requirements. It will allow time to put the required safeguards in place," he says. "To achieve this, bring in the experts. Companies cannot be expected to know the ins and outs of this new law, so outsource to legal and IT specialists."
"The only way businesses can overcome the regulatory challenges is learning how to adapt to meet these requirements. Change can be refreshing," Olivier concludes.
Share