The Pros and Cons of Internal vs. Outsourced Information Technology and Data Privacy Management


March 01, 2017
Outsourcing
Sean Cox, CIPP/US

©2017 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

According to a 2016 global survey by Deloitte, data privacy was the No. 1 legal and regulatory concern respondents identified as tending to make them reduce outsourcing. As the effective date of the European Union’s General Data Protection Regulation (“GDPR”) looms, business leadership should take an opportunity to evaluate or re-evaluate their information technology structure with a particular focus on data privacy and security.

Once the GDPR goes into effect the data privacy requirements will be greater and the stakes higher than ever. Hotels and other businesses catering to customers from the European Union will be affected and should be carefully planning for its implementation. There are many options for businesses to manage their data privacy program, but a first step should be to weigh the advantages and disadvantages of an internal data privacy program versus outsourcing, and the particular safeguards that are required for the latter.

The GDPR becomes enforceable on May 25, 2018. It has already been the subject of wide commentary, and it is understood that it will change the face of information technology and data privacy management for businesses regardless of where they are based or their industry. The GDPR contains many provisions, some very detailed, but at least a few general provisions should be considered when choosing whether to manage data privacy internally or to outsource the responsibility. Notable provisions relate to cross-border data transfers, data security assurances, and the controller/processor relationship. The stakes involved in these calculations can't be overstated: the potential penalties under the GDPR run up to 4 percent of a company's annual worldwide turnover or 20 million euros, whichever is higher. While the GDPR is the most visible manifestation of data privacy law, the laws of many other countries and states, and the risk of litigation, call for a similar analysis.

The options for hospitality companies of all sizes to outsource their information technology and data privacy management are nearly endless. Consulting firms, accounting firms, law firms, network security firms, and other information technology companies offer a broad range of services, ranging from limited system monitoring or cloud storage to fully bespoke systems designed, maintained, and managed by the vendor. Such systems can be tailored to provide a myriad of services: booking, customer marketing data and analytics, payments, HR, supply chain management, and others.

Outsourcing options, from least to most comprehensive, are typically described in terms such as colocation, dedicated hosting, managed services, and cloud services. Colocation typically describes a company using its own equipment and personnel in a shared data center. Dedicated hosting vendors typically provide the facility and hardware, while in managed services the company owns the equipment but the vendor provides various services, such as database management, security, or network maintenance. Finally, a cloud services vendor will likely provide comprehensive infrastructure, maintenance, security, and software. A first step is to review commonly outsourced functions and solutions to analyze the best fit for the budget and needs of the company.

Pros and Cons
A one-size fits all analysis is impossible in the scope of a single article. However, it is possible to discuss important issues that should be considered in light of the unique situation of each company.

Generally, the factors that recommend outsourcing include cost, technical capability, speed of implementation, scalability, and expertise. In comparison, managing data privacy internally typically provides better control, better understanding, more flexibility, and a closer fit between the privacy program and the hospitality business's goals.

Information technology and data privacy vendors have the advantage of specialization. This is what these vendors do. Economies of scale permit vendors to spread fixed costs over many customers, while hospitality companies can focus on their core business. Specialization also allows the vendors to offer more sophisticated technical services and expertise that are simply outside the budgets of most hospitality companies to develop on their own. Most vendors will have already developed their infrastructure and technical capabilities, allowing companies to quickly adopt ready-made information technology and data privacy systems without any lag time for development. Scalability, the ability to quickly scale capacity up or down depending on need, is an inherent benefit of using established vendors. For example, an outsourcing vendor would likely be better able to quickly provide data collection, storage, and analytics capabilities to support an experimental marketing effort to identify new customers in new markets. Scalability can help hospitality companies try new analytics- or hardware-intensive programs without worrying about high initial infrastructure outlays.

On the other hand, outsourcing any of these roles requires a hospitality company to give up significant control of critical systems. In today’s economic environment, hospitality companies cannot function without their information technology, and as already discussed, the consequences of poor data privacy management are huge. Regardless of the safeguards put into place, an outsourcing relationship must be based upon some level of trust, whether due to past relationship or reputation.

Regardless of how sophisticated the vendor and regardless of how close the client/vendor relationship, it is unlikely the vendor will ever understand the client's business needs and goals as well as the client does. A full understanding of a company's data collection, use, storage, and destruction is the first and most important data privacy function. In today's agile economy those practices can change in an instant. Failure to communicate a change to the vendor, or the vendor's failure to fully understand every facet of a company's data collection and use, may cause serious violations of company privacy policies or legal requirements. When handled internally, data privacy decisions can be made hand-in-hand with the hospitality company's business decisions, each supporting the other. Ideally, every major business decision would be made after considering potential data privacy issues. When data privacy is handled internally, such collaboration is much easier and more likely.

Beyond general concepts, there are two commonly outsourced functions that should be examined in some additional detail: the data protection officer and cloud storage.

Data Protection Officer
Since data privacy and security concerns first began to gain recognition, having a single person responsible for data privacy and security has been good business practice, but it is quickly becoming a legal requirement. One of the clearest requirements of the GDPR is the appointment of a Data Protection Officer ("DPO"). Article 37 mandates a DPO for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily, and a hotel chain tracking guest behavior across its properties should assume it may meet the threshold. According to Article 39, the role of an organization's DPO is to provide legal and technical guidance for the entity, monitor the company's compliance, and act as the point of contact for the relevant supervisory authorities. As businesses prepare for the implementation of the GDPR, one of the first steps is to determine how the role of DPO should be filled.

There is no requirement in the GDPR that the DPO be an employee of the organization. A burgeoning industry of law firms, consulting firms, IT security firms, and others already offers DPO services to other businesses. The skills required of a DPO are varied and high-level. A proper DPO should have access to senior management, should be knowledgeable about the company's business, information, and data practices, and should be knowledgeable in both the relevant regulatory and technical aspects of data privacy. For example, for a company operating a chain of hotels, a DPO would likely need to have access to C-level managers, understand the various aspects of the business, know the relevant law of the places where the company operates hotels and markets itself, and understand the chain's IT systems. Considering these requirements, it is unsurprising that many enterprises have had difficulty filling this role internally.

The most obvious benefit to outsourcing the DPO role is simplicity. The International Association of Privacy Professionals (IAPP) analyzed the GDPR training market and estimates that it takes approximately 21 hours of training simply to obtain the most basic understanding of the GDPR needed to function as a DPO. Professional DPO service providers have a depth of experience working with and responding to regulators that is simply not obtainable for the typical in-house DPO, who, it is hoped, would only have to perform these functions very rarely. For small, single-property hotels or other hospitality companies with only minimal contact with the European Union that do not already have an officer focused on data privacy, a modest outlay for an experienced DPO providing the minimum services may be a better option than incurring the cost of a single-purpose employee or burdening other employees with additional duties. A poorly prepared DPO may be worse than none by creating a false sense of security.

On the other hand, many organizations, especially those hospitality companies with properties in the European Union or serving significant numbers of its residents, should consider having a dedicated DPO in-house. First, in today's legal and regulatory environment, having a high-level employee dedicated to, or at least ultimately responsible for, data privacy and security issues is just good business practice. Second, an internal DPO should understand the company and its business processes far better than any outside entity could. The internal DPO should be intimately familiar with what data the company collects, how and where it is stored, how it is used, when it is deleted, and the safeguards in place. This is knowledge unlikely to be fully understood by external DPO vendors. Due to the importance of the DPO position, if budget and personnel permit, the role should be handled in-house.

Cloud Storage
The cloud has opened up incredible new options for data storage and access. Putting data in the cloud has the benefits of sharing resources over geographically disparate locations, allowing mobile access to data, and alleviating some back-up concerns. Typically, a vendor will host a company's data and provide methods for users to access this data through the internet. For hospitality companies that operate geographically diverse properties or have employees who require mobile access, the cloud has become all but a necessity. However, the cloud creates two very important data privacy issues to consider.

One of the greatest benefits of cloud computing is the ability to access data through the internet from just about anywhere. However, this benefit comes with significant data privacy risks. Mobility and remote access are among the primary sources of security concerns. Mobility enlarges a company's attack surface, creating additional access points that can be compromised, and it reduces the effectiveness of physical security measures: it is much more difficult for a bad actor to reach data that can only be accessed from within a company's office. Any procurement discussion for cloud services must include a thorough review of the vendor's technical and procedural security, including how remote access is authenticated and how access is logged and reviewed.

The second concern is determining geographically where the data will be sent or stored. To most companies it is obvious that the data privacy law of the locales where they actually operate will apply. Likewise, most companies understand that by serving or targeting residents of certain countries, the company may also be subject to those countries' laws. What is less obvious is that the laws of the locality where the data is actually housed may also apply. Even a hotel chain operating entirely within the United States may find GDPR obligations reaching it, directly or through the obligations its provider carries as a processor, if its cloud service provider stores the company's data in a data center located in a European Union member country. Without knowing what laws may apply, it is impossible to properly weigh compliance risks. Before going to the cloud a company must ask who operates the data center. It may not be the vendor with which the company contracts, since subcontracting is common, and the subcontractor may not share the vendor's good reputation. Where the data goes is a critical question that must be asked prior to outsourcing.


Considerations After the Decision Is Made to Outsource

Outsourcing data processing or data privacy functions does not relieve a hospitality company of its legal responsibilities or the risks related to that data. The GDPR, U.S. Federal Trade Commission enforcement, and many other state and national laws are clear that an enterprise is responsible for ensuring that its vendors comply with the relevant data privacy and security requirements.

Under the GDPR, there are controllers (the entities that determine the purposes and means of processing, typically the business that collected the data) and processors (vendors who process data on behalf of the controllers). While they may use different terms, these concepts are common to most data privacy laws and regulations. Generally, controllers remain responsible for their processors and must ensure the processors are complying with data privacy laws and regulations; the GDPR also places some direct obligations on processors, but that does not shift the controller's responsibility. If the decision is made to outsource any aspect of information technology or data privacy, it is incumbent upon the enterprise to obtain assurances that the service provider is complying with relevant laws and regulations and with the company's own privacy policies. There are several ways companies can exercise some control over their vendors and otherwise mitigate the data privacy risks of outsourcing.

The first and likely simplest way to ensure compliance is by retaining reputable vendors. There are a number of industry certifications and attestations vendors may obtain to communicate that they meet a certain level of data privacy, security, and protection. Common examples include PCI DSS, ISO 27001, SOC 2, and TRUSTe, among others. These play an increasingly important role, but they cannot replace due diligence. Each covers a defined scope, and a SOC 2 report in particular is an auditor's attestation over specific systems for a specific period rather than a blanket certification, so the company should confirm that the scope actually includes the services and data centers it will use. Before outsourcing any significant IT or data privacy function, it is imperative to get answers regarding the vendor's technical, physical, and procedural safeguards. A clear warning sign is the unwillingness or inability to answer these questions. This is an important reason to include IT professionals in the procurement process.

It is also necessary to make sure the vendor is collecting only the data it says it is collecting, doing only what it says it is doing with the data, and sending the data only where it says it is sending it. Even if the vendor is doing something it is not supposed to be doing with the data, the controller is not absolved of responsibility. The only way to ensure the vendor is doing what it says it is doing is to insist on regular audits of the vendor's practices throughout the life of the contract, which means the contract must grant the right to audit (under the GDPR, Article 28 requires the processor contract to provide for audits and inspections by the controller). In the event of a problem, most regulators will not look favorably on excuses that the controller did not know what its vendor was doing unless the controller has been exercising due diligence.

The most common mechanism for lawful cross-border data transfers, currently and under the GDPR and other similar laws, is the use of Standard Contractual Clauses (often called Model Clauses), which are form contract terms adopted by the European Commission under the existing Data Protection Directive and carried forward as a transfer mechanism under the GDPR. They apply to transfers of personal data out of the European Economic Area to countries that have not received an adequacy decision. Including these clauses in vendor contracts generally allows data controllers to transfer data to vendors in compliance with the GDPR. To be effective, the standardized language must be adopted verbatim, and the appendices must be completed by the parties; these typically include 1) identification of the information to be transferred, 2) categories of data subjects, 3) the purpose of the transfer, 4) the processing to be performed, and 5) a description of the security measures in place. Outside legal review of these contractual provisions will help ensure compliance. Regardless of whether the Standard Contractual Clauses are used, this is information that should be gathered prior to any data outsourcing.

Finally, it is important to understand the vendor and their business model. At some point, a vendor can only guarantee so much and can only accept so much control by the customer. The customer and vendor should work together through the procurement process to balance the risks at an acceptable and realistic level. Willing acceptance by the vendor of especially onerous contractual terms should raise suspicions. The lack of complaint might simply be because the vendor has no plan to comply with those requirements.

Outsourcing information technology and data privacy processes can provide significant cost savings and, for many enterprises, options that would otherwise be impossible. The decision to take advantage of these options should not be made lightly or without sufficient analysis. Even once the decision is made to outsource, the enterprise must remain vigilant regarding its own data security and its vendor's. The enterprise must understand data privacy in relation to its own business, and must also understand how its vendor manages data privacy. The regulatory and business risks are simply too great to ignore.

Sean Cox, CIPP/US, is an attorney in the Atlanta office of Hall Booth Smith. His practice involves both domestic and global data privacy and security regulation. He is well-versed in data incident response, and provides the experience to guide his clients through the regulatory, legal, and business pitfalls of any data incident.
