An organization that wants to manage its privacy risk and implement a best practices approach to outsourcing should consider the following critical questions:
1. Who are the outsourcing organizations we contract with and where are they located?
2. Precisely what data are we sending to, and receiving from, outsourcing organizations?
3. Is the data "personal information," and have we given notice to our customers of this data transfer?
4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained?
5. What data protection clauses do we have in these contracts?
6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
7. What processes are in place to monitor the outsourcing organizations?
8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
10. What are the applicable privacy laws and regulations?