Mateus Hernandes Rodrigues – Head of International Operations at DB1 Global Software.

IBM’s “2020 Cost of a Data Breach Report” found that the U.S. has the highest average cost of a data breach of any country: $8.64 million per incident. In a globalized market, with new systems and technologies being adopted daily, every company needs to treat information security as one of its main concerns.

Cyberattacks have been rising, especially in the last two years. In 2020, for example, the U.S. investigated a significant supply-chain attack that began with the compromise of a technology company providing network administration software and, through it, reached thousands of that company’s customers. The risk of a data leak that could create a catastrophic situation and jeopardize the trust of those who matter most, the customers, made the corporate world pay more attention to the subject, not only because of the need to comply with rules and laws but also to mitigate the risk and protect clients.

Data protection becomes even more important for technology companies that work across several countries and rely on providers or partners to scale and optimize development. Outsourcing is a far more intricate investment than simply hiring an outside company: it demands closer attention to the contracted companies themselves. There are concerns with service delivery, support, consulting, planning, project execution and, above all, the appropriate handling of sensitive data.

Within outsourcing, there are three models: onshore, nearshore and offshore. The location is chosen according to the contractor’s current needs. Suppose the intention is a closer partnership without cultural differences, with geographic proximity as a priority. In that case, onshore is more suitable, since it applies to business between companies within the same country, allowing better communication and faster risk management when necessary. But if lower fees and an uninterrupted (follow-the-sun) workflow are the priority, offshore is best suited, hiring companies from other parts of the world. The middle ground can also work: nearshore means employing companies from countries in the same time zone (or with very little difference between them), which helps create a cultural fit while still offering lower costs for software development.

The critical point is that the farther away the partner, the greater the need to understand the data protection laws that govern the destination location. Dealing with cybersecurity therefore becomes complex because each country has its own rules. Now add to this the perspective of a company that plans to develop in other locations. Imagine wanting to operate or maintain contracts outside the country and running into other legislation that constrains your commercial dealings with nations and people who think differently. Here, one must reckon with the combined legislative, cultural and jurisdictional complexity and variability.

But giving up on expanding into international lines of work, whether nearshore or offshore, because of the complexity of outsourcing and data protection isn’t the way to go. In this scenario, a good strategy usually compensates for the risks assumed, and adopting good practices can keep these uncertainties from becoming roadblocks.

It’s worth remembering that all parties to the contract have their own responsibilities for protecting customer data. One of the main points when forming a contract is respecting and applying the laws that govern the agreement; the GDPR, for example, requires a written contract with any processor that handles personal data on your behalf and a lawful transfer mechanism before that data leaves the EU. The contract should be detailed and followed to the letter, considering that the fines, reputational damage and impact on customers resulting from any breach in information security are substantial.

So, where do you start if your company intends to outsource nearshore or offshore and wants to maintain its credibility through its attention to data protection? Begin with the following.

• Gain cultural and territorial knowledge in the regions you’re considering for outsourcing.

• Invest in security tools, adaptations and certifications.

• Create security committees.

• Take out cyber insurance.

• Ensure your company can meet the legal and compliance regulations of the outsourcing region.

Remember that nearshore and offshore outsourcing are still relatively new options, with considerable differences in legislation between territories. U.S. law, the GDPR and the Brazilian LGPD overlap, but they will always diverge on some points. These divergences must be addressed individually, in line with previously adopted good practices that satisfy both parties. This makes the process more time-consuming and complex, but it’s a necessary step, at least for the time being.

In time, there will be an established body of good practices for overcoming nearshoring and offshoring obstacles while respecting each territory’s laws. But new interpretations and jurisdictions will keep surfacing. Whoever simplifies this process soonest comes out ahead.

