When it comes to IT contracting, the big themes are change and modernisation. As we witness the increasing investment into IT-business projects intended to bring about change in organisations such as cloud computing and Software as a Service (SAAS), customers are embracing standardization as the industry becomes more and more comfortable working with the cloud. Even in bespoke outsourcing arrangements, there may well be more similarity than difference, and smaller deals among multiple providers is becoming the established model for IT sourcing. Outsourcers per customer are multiplying, as is the number of service providers each company uses. This is driven by the increased use of cloud in general and SAAS in particular.
There is an increased emphasis on IT security/ cybersecurity and the management of personal data, and in the absence of absolute technical standards, agreements generally require the parties to have appropriate technical and organisational measures in place to safeguard against unauthorised or unlawful processing of personal data and also against accidental loss or destruction of, or damage to, personal data. In practice, this means that an organisation should have appropriate security to prevent the personal data held by it from being accidentally or deliberately compromised. This translates to the following contractual obligations for vendors:
- The design and organisation of security should fit the nature of the personal data held and the harm that may result from a security breach;
- There should be clarity on who in the organisation is responsible for ensuring information security (achieved through an information security policy);
- The right physical and technical security measures need to be in place, backed up by solid policies and procedures and reliable, well-trained staff; and finally
- The organisation and vendor need to be ready to respond to any breach of security swiftly and effectively.
In anticipation of the POPI Act, organisations will be required to have a model data processor contract or model clauses for contracts with suppliers who will be acting as data processors. These contracts should also provide for the transfer of personal data cross- border and as such, organisations will have to revisit their data protection policies, or put one in place.
In the dynamic era of technology, traditional IT procurement processes, (such as RFP processes) are becoming less popular due to their expensive and time-consuming nature - by the time proposals come in, the business requirements have often changed.
In addition, supplier risk needs to be integrated into a company’s daily operations, moving from quarterly meeting risk discussions to making key business decisions based on risk on a real-time basis. This is also illustrated by the move from the waterfall model of development to the Agile model. Most software development contracts were designed for use with the waterfall model, and can be difficult to reconcile with the principles that underlie Agile. Under the waterfall model, the project is divided into a sequence of distinct phases, starting with a detailed planning phase where the project requirements are analysed and documented. Once the requirements have been fully specified, the project continues through the design, coding, testing and integration phases, followed by the deployment of the final product. Advantages of this model are that it provides a clear and structured way to approach development projects, requirements and design are formalised at the outset and clear milestones are identify to track progress. However, problems with the model include the intangible nature of software, which makes it difficult to define the requirements in a clear and unambiguous way at the outset, and it does not adapt well to change, which is essential considering that the customer’s requirements are likely to change over time. To the contrary, the Agile model is iterative in nature, i.e. development is carried out in short, frequent cycles where working software is delivered at the end of each cycle.
Thus, organisations need to carefully consider the ever-changing nature of information technology when establishing contractual terms with their IT suppliers