Against a backdrop of growing concern about the protection of consumer data as it is transferred to call centres in offshore locations, this article examines data protection (DP) compliance in the multi‐client outsourced call centre. Using an in‐depth single case study of a South African outsourcer and drawing on the now extensive body of call centre research, it argues that routine DP compliance is predominantly driven by the employment relationship and the client contract. With no research of this nature ever having been undertaken previously, it is argued that compliance is affected by the manner in which employees are paid, contracted and performance managed. This study also confirms that the employment relationship is an information security measure for organisations.