Industry news

As companies struggle through the current austere times, many are investing in processes that will be cost-effective and beneficial in the long-term. Modern outsourcing relationships now offer and deliver much more than just cost savings. Businesses are often transformed through innovation to achieve far greater efficiency and productivity.

Innovation is perhaps the most mis-interpreted term in outsourcing. It seems everyone wants a slice of the pie, but many are unsure of what the pie actually consists of..

It is extremely hard to narrow down one definition of innovation in outsourcing. One man’s innovation is another man’s day-to-day activity.

Innovation can be both incremental and radical and does not simply have to be continuous improvement. Innovation can be new ideas or ways of working to drive commercial gain or competitive advantage. It is does not have to applicable to all service provider relationships. For example no innovation expectations may exist for smaller or commodity relationships.

There has been much talk about the development of an innovation framework. To date, thinking has been that this framework is comprised of two distinct areas:

1) The hygiene factors for innovation: essentially the processes, the way in which a problem is approached, which can be included in contracts.

2) The governance structures, which are used to manage and progress innovation. The innovation management process itself provides the operational governance framework and a structured approach to fast track projects through idea generation and selection, development, confirmation of sponsorship and business case validation and on into hand-over to project delivery and tracking of benefits realisation.

On the other hand, many believe that innovation shouldn’t be put into a framework and ‘managed’ as it should naturally evolve from a partnership. Regardless of your position, a modern outsourcing relationship should help a business to innovate - whether metrics are set from the start or organically produced as a product of the relationship. However a framework can assist outsourcing partners to determine their objectives and formalise the innovation achieved. Developing metrics will also help to share the results and prove the worth of outsourcing-led innovation.

There is bound to be a certain amount of controversy over the harmonisation of Internet data directives between countries. However, cooperation between the EU and the US is becoming not just more important, but increasingly less controversial as time goes on. The agreement for terrorist suspects to be handed over to the US is to be applauded. However, the controversy in Europe carries on as Internet retailers continue to claim that enacting the new legislation will burden their customers with too many requests for permission and that they will lose valuable data if people refuse to be tracked. However an examination of the legislation reveals that the US could learn much from the application of Internet law in Europe.

It is under the circumstances that Varonis Systems welcomes the news that a common set of privacy standards are to be applied to organisations across the entire European Union for the first time - as well as the gameplan that includes immediate notification of breaches and other ‘data misplacements’. This is the first significant update of data protection legislation since 1995, therefore it is well overdue. The measures are being finalized within the European commission, so some of the fine detail is still to be revealed and they will have to be approved by the national governments. Some, particularly Germany, will be reluctant to lose out on privacy matters to Brussels, so it will likely take two to four years before the measures come into effect.

Despite the economic problems which made international headlines in the last few months, Europe remains a vital market for North American companies. It is a staging post for the Middle Eastern and African markets and London is still one of the most important financial capitals in the world. The United Kingdom coalition government has led the way in fiscal probity for Europe. However, Europe does have a habit of making things difficult for itself and the new laws have been viewed by some as falling into this category.

The proposals are designed to significantly increase the EU's powers to punish those who allow major data breaches to occur or who sell customer data to third parties without authorization. They also aim to further protect information held by social networks and cloud computing services. Organisations will have 24 hours to notify the data protection authorities and the affected parties in cases where private data has been compromised. By making sure that the rules apply also to foreign groups’ European subsidiaries, the new rules will force global companies to strengthen their data protection policies. All companies with more than 250 employees will have to have dedicated staff to deal with data protection issues. The rules will give the EU similar powers and policing privacy to those it wields in competition matters – where it can impose fines of up to 10% of turnover for violations.

In a teleconference last week between members of the European Commission in Brussels and the US Department of Commerce in Washington, EC vice president Vivian Reding suggested that the US copy the EU's approach - one which could imply a heavier hand. Reding said that the aim of meetings between the commercial regulators for the two governments was nothing short of “regulatory convergence” — suggesting that they should come to an agreement on the language of the respective laws governing how ISPs and content providers handle personal data protection. She said that it's up to Washington to catch up with the “gold standard” that Europe has already set. So while Europe and Washington battle it out about the respective effects of the US Patriot Act 2001 and adequate levels of protection for European data and American data centers, US organizations doing business in Europe will have to establish mechanisms to comply with this new law.

So, should we be horrified by European bureaucracy or beat the drum for watertight data protection? In our opinion the new rules are an excellent balance between the very real data privacy needs of citizens against the practical issues of managing data within the modern corporate environment.

Many IT security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to their growing data stores. While these concerns are understandable, the reality is that with the correct technology in place these issues can easily be solved.

The US EU Safe Harbor program has been created as a way for US companies to comply with the EU data protection directive. This program allows companies which are certified with the Safe Harbour principles to process EU personal data even though the US has not met the EU's privacy protection adequacy standards. The Safe Harbour principles reflect the seven fundamental principles laid out in the EU data protection directive. They are 1) notice 2) opt out choice 3) restriction on onward transfer 4) security of data protection 5) preservation of data integrity 6) individual’s right to access and 7) effective enforcement.

Many organizations have been struggling with non-existent or limited permissions management, classification, and auditing capabilities included with their data stores, but new metadata framework technologies can provide intelligence, automation, and control across multiple platforms to allow C-level executives to sleep easy.

Surely we do not need the threat of legislation to ensure that we remain compliant? Sensitive information should only be accessible to those that absolutely require access. But just how many companies actually have the security procedures in place to enable this to happen? Not many is the truth. What happens in practice is that many IT departments face significant challenges keeping authorization up to date – making sure the right users are in the right groups and the right groups map to the right data resources, like folders, sites, and mailboxes. This is essential as users move through an organisation, changing roles, requiring access to more and more data. Unless the processes to grant, review, analyse, and revoke access are automated, content is automatically inspected to look for sensitive data, and access is monitored and analysed, the organization will be unable to maintain correct authorization, and unable to monitor access activity to look for likely threats.

The problem of the rise in unstructured data, i.e. the data which is increasing dramatically in everyone's corporate network, is one which has to be faced head-on. As far as unstructured data is concerned, the introduction of a single set of privacy standards for all EU territories is long overdue. The fact that this will be a complex migration for some multinationals — and those firms who are pushing into new countries for the first time — is one which we should see as a welcome opportunity and not a dreaded challenge.

The key issue in the new rules is the requirement that any company maintaining personal information – be that customer records, internal human resources directories or any other list – will have to comply with the new rules, and be able to show how and why they are using personal data. This is something which is a service to the customer anyway, and should already be in place in any well-organized company. Another controversial aspect of this legislation is the “right to be forgotten” which means that companies cannot just keep information they have finished with, and have no legitimate right to use any more, in their infrastructure on pain of being heavily fined.

This highlights the difference between US data laws and European data laws. While data protection requirements in the US, according to a September 2011 Forrester Research, Inc. report, (“Q & A: EU privacy regulations” written by Chenxi Wang, Ph.D) "...are commonly industry-centric those in the EU focus more on the individual's right to privacy. This leads to a number of differences in how data should be handled in the EU versus the US, especially in transferring data between countries with varying regulatory standards."

There have been some fears expressed that the planned five per cent turnover penalties are too high. While a two per cent maximum will please many industry onlookers, it will still act as a very positive deterrent for any company thinking they can simply hope for the best with their existing data protection systems.

The new regulations’ mandate for the appointment of a data protection officer will help focus the attention of many more companies on what has become a major issue in this digital age - and help ensure that the vast majority of firms do a lot more than simply pay lip service to the new regulations.

The application of the rules to non-EU entities – especially those in the US – that want to offer their goods and services in the EU is to be welcomed, as it helps to balance parallel requirements under the US Sarbanes-Oxley governance rules. US companies cannot expect to get special treatment on mainland Europe.

There are precedents which we can look to and which allow us to say, with some certainty, that a lot of the objections are ill informed. We would suggest that, as we saw with the PCI DSS governance rules, this controversy will die down after a short period of argument and what has been declared as "impossible" will merely become part of the data protection and management daily grind. When senior management of major companies realise what is at stake and that this legislation protects their customers’ information they will feel a lot happier.

According to a report in the Economic Times of India, the Indian government has demanded that the European Union designate her as a data secure country. The request came in the context of current bilateral free trade agreement negotiations. An Indian government official is reported saying "Recognition as a data secure country is vital for India to ensure meaningful access in cross border supply." The official goes on the state that "we have made adequate changes in our domestic data protection laws to ensure high security of data that flows in."

Seasoned India-watchers may disagree. Traditionally India has had no dedicated privacy or data protection laws, with various statutory aspects scattered under a number of enactments, such as India's cyber law, The Information Technology Act 2000. In 2011, India finally enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 to implement parts of the Information Technology (Amendment) Act 2008. The 2011 Rules cover a subset of personal data (referred to as sensitive personal data, but unhelpfully the meaning of this term differs from that used in the Data Projection Directive) and lay down security practices and procedures that must be followed by organisations dealing with such sensitive personal data.

The 2011 Rules were broad in scope and ambiguously drafted. The impact on the outsourcing sector was unclear and subsequent clarifications had to be rushed through by the Indian government. These clarifications helped somewhat but were still found wanting, with one commentator describing them as "half baked."

The EU's Data Protection Directive permits personal data to be transferred to third countries (i.e. countries outside of the EEA) if that country provides an adequate level of protection. The current list covers only a handful of countries including Canada, Switzerland and Jersey, and more recently New Zealand. The US is not deemed adequate but personal data sent under the Safe Harbor scheme is considered to be adequately protected. India is not deemed to offer adequate protection. Accordingly it has become standard practice to use the approved EC model clauses wherever EU-based outsourcing involves data transfer and offshore processing in India. These clauses, which provide an alternative lawful means of data transfer, place strict obligations on both parties to ensure privacy of data and are considered by some to be onerous and to act as a disincentive for business.

Thirty percent of India's $100-billion IT and business process outsourcing industry comes from customers based in the European market. Industry representatives are concerned that India defends and grows her share of the European outsourcing market, although for the time being it is worth pointing out that none of her main competitors, such as China, the Philippines, Singapore and South Africa, have achieved data secure nation status. As reported in the Economic Times of India, according to Ameet Nivsarkar, vice-president of Nasscom, the trade association which represents the Indian software industry, "if European companies start insisting on a data secure status as a critical factor for giving business, it will become a very important criterion for perception of a country. Nonetheless, most of our companies adhere to very high level of data security."

India has a strong track record of performing-low end data processing but desires to move up the value chain into more sophisticated outsourced work in sectors such as healthcare, clinical research and engineering design. Achieving data secure nation status will support this; the process however is a relatively arduous, and potentially political, one involving:

 a proposal from the Commission

 an opinion of the Article 29 Working Party

 an opinion of the Article 31 Management Committee delivered by a qualified majority of Member States

 a thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executing powers correctly

 the adoption of the decision by the College of Commissioners

It will be interesting to see how the EU reacts to India's demands, especially given the current proposals to reform EU data protection legislation in order to strengthen individual rights and tackle the challenges of globalisation and new technologies. Uruguay, Australia and Japan are all ahead of India being at different stages of advancement in the process. One thing seems clear - India will need to ensure her data protection laws and enforcement regime will stand up to EU scrutiny if she is serious about wanting to join the small but growing club of nations with EU data secure status.

So an election pledge becomes policy! From 1st April, unless there is a "strong business case" or a "matter of National Security", all Central Government IT contracts will be capped at £100m.

Not quite Big Society but certainly less big IT.

Whitehall, claim that the £100m limit can be complied with by:

• encouraging the reuse of existing assets;

• making changes to procurement such as the application of lean methodology to buying;

• greater competition among suppliers including through the increased use of SMEs; and

• creating contracts differently, for example, by reducing their length or separating out commodity hardware from a new project and purchasing it through an existing contract, or separating out telecoms needs and buying them through the PSN frameworks.

Nice words but will any of these really enable central government to deliver.

Will the £100m cap create a level playing field on which SMEs can compete?

Let’s get the ‘reuse of existing assets’ myth out the way first. Technology moves apace so quickly, that hardware and software once bought as a limited shelf life. Standard accounting practice depreciates its value from 100-0% over three years.

Consider also the level to which previous government procurement exercises have created bespoke solutions tailored for specific purposes. Simple reuse, other than for standard bought desktops, seems highly unlikely - when buying new generally costs less than reconfiguring old.

Making changes to procurement including lean methodology to buying. Ask any procure operating or supplier bidding under the OJEU regulations and they’ll say it does little more than add voluminous red tape, expense, delay and, ultimately, no better result.

The UK, it seems, stands alone in the EU in observing these regulations to the letter – think of instances such as that of Bombardier trains, British jobs being lost.

Whilst the intent of open and transparent procurement processes is entirely right – the application of scalpel (or preferably fire-axe) to the current EU regulations would minimize cost for buyer and supplier alike and would encourage more suppliers to pitch for such contracts. Ironically, doing away with these regulations could create more competition.

If the UK is to challenge any rule of the EU, it should challenge this first. Let’s see if this is Whitehall’s intention?

Greater competition among suppliers including through the increased use of SMEs. A cornerstone of Coalition policy is to help British business through enabling them to compete for both Central Government (as per this policy) and local government (the Localism Act) contracts. SMEs, small to medium enterprises, are normally considered to be companies with fewer than 250 employees and turnover not exceeding €50m, per annum.

If one of the aims of this policy is to provide SMEs with the opportunity to compete – then the limit of £100m per contract invalidates the policies efficacy as no SME could realistically compete at this level.

Even with a leaned out process of procurement, the cost for suppliers to go through such an exercise is prohibitive. Larger corporate organizations are able to absorb this by spreading the cost of failed procurement exercises across those they are able to secure. It will simply not be possible for SMEs to absorb this.

And, finally, creating contracts differently through making them shorter or separating out services. More contracts, means more procurement exercises, more bidders and more service providers. Even with ‘leaned out’ processes, the cost of procurement will rise through the increase in sheer volume of ‘moving parts’ in the system.

So, where are we?

Reuse, unlikely.

Lean processes, desirable but will the UK take Europe on?

More competition, and the encouragement of SMEs, the £100m limit makes this policy totally ineffectual.

Breaking contracts in to smaller, shorter or more discrete parts just adds volume and therefore increases the cost of procurement, Again, as the target is £100m per contract – this won’t help SMEs.

So, from a procurement perspective, this policy has some very real practical challenges.

There is also a massive oversight here. A failure to see the bigger picture. Even if these measures did reduce cost and increase SME engagement, in terms of the cost of procurement – the Government have considered the life and management of those contracts, post procurement.

One of the benefits of buying (properly) from big suppliers is that you can pass the management of the delivery of a number of services to the supplier. They can do this due to scale and infrastructure. Engage a larger number of smaller suppliers and who is going to take responsibility for and absorb the cost of ensuring that each of the procured services fit together?

All in all, whilst lean procurement and the challenge to Europe of the procurement rules is desirable, this doesn’t look like a piece of policy that has been that thoroughly thought out.

Stephen Allen FRSA, advises public and private sector organizations on creating efficient legal functions. He writes a daily blog www.lexfuturus.com which challenges the legal services market to innovate.

£62.9 million has been raised by Notion Capital to invest in high growth European cloud and SaaS SMEs, £40m of this is to be injected directly into UK SMEs.

High growth companies are due to receive £2m each from the government backed fund, called 'Notion Capital Fund Two'. The scheme makes up part of the Department for Business, Innovation and Skills' Enterprise Capital Funds programme, combining public, private and government funds and expertise to address weaknesses in the market.

It is hoped that with further fundraising the investment firm fund could reach nearly £100 million.

Jos White, co-founder of Notion Capital said:"We believe that there is now an under-supply of good quality funds serving an ever-increasing and ever-widening market opportunity within Europe. This imbalance will lead to a larger market share for the investors and also stronger and more experienced partners for the entrepreneurs. The results could mean a step change in the performance of European VCs that will in turn lead to further growth and investment in the market."

According to MPs the level of carbon emissions from goods imported and consumed within the UK is rising, whilst domestic levels of emissions are declining.

MPs warn that outsourcing emissions will damage the UK’s reputation and carbon emissions record. Between 1990 and2008 domestic emissions fell by 19% as a result of switching from coal to gas for electricity; however the carbon emissions footprint based on UK consumption rose by 20% in the same period.

Energy and Climate Change Committee chairman Tim Yeo said: "Successive governments have claimed to be cutting climate change emissions, but in fact a lot of pollution has simply been outsourced. We get through more consumer goods than ever before in the UK and this is pushing up emissions in manufacturing countries like China."

MPs are now calling for a new deal on climate change.

In its largest ever acquisition, Toshiba is to buy IBM’s point-of-sale terminal business for an estimated $850m.

The deal between IBM and Toshiba Tec. is anticipated to close late in the second quarter, or early in the third. The point-of-sale systems used by retailers, which include both hardware and software, to process and record transactions, manage inventory and collect and analyse data, will be bought solely by Toshiba Tech.

According to Hideki Yasuda, analyst at Ace Securities Co. in Tokyo the deal “will have a major impact for Toshiba Tec, [it]will be able to expand its POS business with the acquisition, as IBM already has customers and can lure new ones with its brand.”

The environmentally friendly cosmetic firm Lush is switching its data management to cloud service, CloudApps Sustainability Suite.

The new system will track Lush’s complete environmental footprint, including measurements on water and energy use, travel, waste generation and packaging across all 102 stores, eight main offices and eight factory sites in the UK.

Ruth Andrade, Lush environmental officer said: "the system allows us to move towards the sustainability goals we have signed up to that will both benefit the environment and reduce our operational costs."

Report shows TCV has dropped by 32%, with contracts at an average of €6.9 billion.

Information Services Group (ISG) today released data showing the outsourcing market in Europe, the Middle East & Africa (EMEA) slowed significantly in the first quarter of the year following a record performance in the fourth quarter of 2011.

The TVC drop of 32% is year-on-year with the sequential drop standing at 53%. In the first quarter of 2012 a total of 79 contracts were awarded, a decline of 37% year-on-year and 23% sequentially.

Duncan Aitchison, Partner & President, ISG North Europe said “this first-quarter slowdown in EMEA follows the strongest half-year and full-year results we have seen in a decade, which made for very difficult comparisons. However, we expect outsourcing activity and TCV to pick up in the second half of 2012 and project full-year results to be in line with historical norms.”

For more information on ISG click here

The business process and technology management company Genpact has today signed an acquisition deal with Accounting Plaza, a provider of finance and accounting, human resources services and to the retail, wholesale, banking and healthcare industries.

The acquisition will enhance Genpact’s capabilities and expand their delivery to Europe, the Netherlands in particular due to their newly acquired language skills via Accounting Plaza.

Tiger Tyagarajan, president and CEO, Genpact said: “this deal gives Genpact domain expertise in the retail industry, an industry which is transforming globally. Along with finance and accounting, one of our core capabilities, we now gain tremendous traction in the retail industry. The addition of operating centres in The Netherlands will further expand and grow our business in Europe, especially with large European multinational corporations.”