Nebulous and potentially boundaryless, digital transformation (DT) can be challenging to articulate clearly. We would define it broadly as the investment in technologies, people and processes by an organisation, to optimise its digital business capabilities.
Even before the covid-19 pandemic hit, DT had emerged as the top priority in our organisation for technology initiatives in 2020, followed by the cloud as the key DT journey enabler; a much clearer focus on cybersecurity, data protection, compliance and governance; increasing investment in data analytics and machine learning; and ‘always on’ software development through DevOps and IT service management as a service.
The covid-19 pandemic has accelerated these trends in a way that was unforeseeable at the start of 2020. How UK internet retail sales have grown illustrates this well. Taking internet sales as a proportion of total UK retail sales, it took four years for online sales to double from five per cent to 10 per cent (2008 to 2012), and another four to get to 15 per cent (Q4 2016). But it then took only two years to reach 20 per cent (Q4 2018) and it has taken just 18 months to get from 20 per cent to 30 per cent (Q2 2020).
At the macro level, the combination of strong internet growth in 2018 and 2019, physical retail lockdown and a hefty shove online in 2020 is behind these figures. The acceleration of these trends in the high street stands as proxy to other sectors, whether the pandemic is a challenge (travel, leisure, hospitality) or an opportunity (healthcare, financial services), as well as to other walks of life, like legal services, where DT is starting to make a real difference.
DT is not only occurring in vertical sectors however. The cloud is a powerful DT enabler, whatever the sector. And horizontal areas that until very recently were the province of large numbers of boots on the ground are now being ‘cloudified’ and automated. Nowhere is this more pronounced than in cybersecurity, where automating and cloudifying incident detection and response, privileged access management and data loss prevention is starting to remove some of the compliance and governance headaches, or at least enabling them to be managed in a more structured, proactive way.
What are the key legal features of this rapidly transforming digital landscape? We can break them down into two – key DT lawyering ‘do’s’ and ‘don’ts’, and key DT deal ‘dos’ and ‘don’ts’.
On the DT lawyering front, and as DT projects take up more of an organisation’s resources, it’s all about clarity, scope definition, relationships and objectives. From our seat deep inside the fourth industrial revolution, the range and speed of adoption of new IT techniques rippling out across business can appear daunting – 5G, Web 3.0, Smart APIs, AI/ML, IOT, DevOps, blockchain, cloud and mixed reality, for example. But getting clarity around what the tech does is an essential first step towards being able to scope it out and apply legal principles to it: clarity of legal analysis based on genuine understanding of the tech is a prerequisite for the team effort.
Along with understanding the tech goes the legal team’s stakeholder role in helping shape the organisation’s strategy, policies and processes around DT, particularly in the areas of designing in compliance (privacy and data protection, cybersecurity, sector specific regulation), end-to-end data governance and DevOps’ ‘always on’, shortened software life cycle. Writing up the foundational documents – from the vision, through the policy to the detailed processes – clearly and concisely and communicating them effectively enhances buy-in across the organisation.
The legal team’s role in DT compliance and DT deals gives it an enabling role in managing DT projects – whether strategic or tactical deals or strategic compliance – and in setting agendas and objectives.
On the DT deals front, cloud due diligence, procurement and contracting are now in the mainstream, but as we move to ‘everything as a service’ (XaaS), understanding the basics of the different cloud service models (SaaS, PaaS and IaaS) and delivery models (public – a room at the provider’s hotel; private – my own room; and hybrid - combination) remains the first step.
As the business models and contracting approaches of the major SaaS players mature, it is becoming increasingly common on a single larger DT project to deal with the core SaaS provider, the professional services implementation partner and one or more providers of contiguous services. How the customer defines scope and shapes the contract structure is critical. It may be impractical to get all parties involved to sign up to one contract, but in a series of bilateral contracts, aligning the dependencies between different providers puts a premium on effective contract management. Establishing from the outset a common approach to project methodology, reporting standards, testing and structuring relief events can make all the difference here. In passing, AI as a Service (AIaaS) deals are becoming increasingly popular, and aligning the customer’s and the provider’s ethics and data policies can be a challenge.
A coherent and consistent approach to data in DT deals is critical. We are not just talking about data protection and cybersecurity compliance – key though they are – but also a more standardised approach to data governance that looks at data both as corporate asset and as a source of potential risk or liability.
As software development moves centre stage, with many organisations using their own apps and APIs in enhancing the customer experience, we are moving away from the structured, sequential waterfall model, past Agile and towards DevOps, combining shorter development cycles (Dev) with continuous operational (Ops) delivery. In this world, effective internal policies around software asset management (ensuring proprietary third-party software is used within licence scope), open-source software (managing residual risk around copyleft inheritance) and source code management are critical.
Lawyering DT is becoming a core part of the organisation’s skillset in successfully responding to the great shove online, and lawyers’ unique combination of skills – getting to grips with the technology, applying evolving legal principles to how it is contracted for and used, formulating strategy and policy, communication and relationship building – will continue to play an important role in ensuring that success.
