Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Digital Transformation volume discussing various topics, including a look at the main laws and regulations, the impact of cybersecurity legislation, cloud contract considerations, the impact of data protection laws and more, within key jurisdictions worldwide.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
As a set of resources to optimise an organisation’s digital capabilities, digital transformation (DT) is more a set of IT- and people-based techniques and processes than any one thing. It is also helpful to segment FT into ‘DT – the journey’ and ‘DT - the destination’.
DT presents a complex picture. Recent surveys have identified cloud, cybersecurity, automation, analytics and governance and compliance as top priorities on the DT journey, with a range of fourth industrial revolution developments (AI/ML, IoT, DevOps, blockchain, mixed reality) also starting to rise up the agenda. Improving customer experience is the top thing at the destination, with Web 3.0 (decentralised, peer-to-peer, blockchain and semantic web-enabled internet services) gaining traction.
DT therefore covers a multitude of rapidly developing technologies and legal areas. The main laws and regulations governing the DT journey at the moment emanate from data regulation, particularly around the cloud: the General Data Protection Regulation (GDPR), for processing personal data; and GDPR, telecoms security regulation, sector-specific regulation and tort (negligence) law for cybersecurity. As yet, however, there is no specific legislation regulating AI in the UK, although, as elsewhere, we have a confusing abundance of ethics and data science frameworks and policies.
The business world is migrating to the internet at an accelerating pace: in ‘the great shove online’, internet as a proportion of total UK retail sales doubled from 15 per cent in the fourth quarter of 2016 to 30 per cent in the second quarter of 2020. You can look at retail as a proxy for other sectors, whether challenged (transport, hospitality, leisure) or fuelled (healthcare, financial services) by covid-19.
As digital commerce and the power of BigTech grow, we are likely to see a sharper focus on regulating ‘DT - the destination’. The proliferation of tech-enabled payment services has been opened up by the payment services regulatory regime ushered in by PSD2 in January 2018. The EU P2B (platform-to-business) Regulation which came into force in July 2019 adds for business users of online platforms protections that have long been in place for consumers.
As ever in the tech world, it is a case in the UK of rapid evolution not revolution as law and regulation struggle to keep up with ever-accelerating technological change.
2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
Even before the covid-19 pandemic hit in the first quarter of 2020, digital transformation had emerged as the top priority in the organisation for technology initiatives this year, followed by cloud as key DT journey enabler; a much clearer focus on cybersecurity; data protection; compliance and governance; increasing investment in data analytics and machine learning; and ‘always on’ software development through DevOps and IT service management as a service.
In cloud DT projects, perhaps the most noteworthy recent developments are cloud service providers’ hardening attitude to risk and liability in their contracts, reflecting a shift in balance at the negotiating table as the cloud and key players’ business models mature. Behind that in the UK, it is still data protection, cybersecurity and sector specific rules on outsourcing that are the most critical.
As organisations’ cloud strategies mature, we can expect to see the emphasis shift to automation, big data analytics and artificial intelligence. Although there are no specific laws yet regulating these areas, there are myriad frameworks and policies, many produced by and for government, which aim to collate the wide range of legal questions arising in relation to compliant use of these technologies.
For the UK, how the government responds to Brexit and whether the underlying IT-related laws and regulations here will continue to follow or diverge from Brussels will be key. An early indication of the path ahead is likely to be seen in the UK’s response when the E-Privacy Regulation (which will replace the E-Privacy Directive) is passed.
In the UK, organisations are increasingly starting to follow ISO and other technical standards in fields relating to DT. In addition to the widely used ISO 27001 information security family of standards and ISO 38505 on data governance, of particular interest in the DT arena are new and under development standards in the areas of AI (ISO Joint Technical Committee (JTC) 1, Subcommittee (SC) 42); cloud (JTC1 SC 38), data centres (JTC1 SC 39); IT service management and governance (JTC1 SC 40); and IoT (JTC1 SC 41). Certification to one or more of these standards is becoming more popular in the UK as a way of demonstrating technical compliance in an increasingly competitive environment.
3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
The DT journey presents a number of unique issues and hurdles for organisations, chief among them the fact that most DT projects involve the transfer of some level of control from the organisations to the various suppliers in the DT stack. Whereas in the old world, organisations bought their own servers, set up their own server rooms or farms and managed the hardware, networking, software and data elements themselves, a digitally transformed deployment model operates on the basis of degrees of delegated responsibility – the organisation typically transfers management of some or all of these layers to the XaaS provider to some degree (eg, by engaging a third party to host its servers and kit, by using formally on-premise software as a service from the cloud, or by outsourcing its network security monitoring). It is therefore key to ensure that the organisation has a crystal clear understanding of: the technology, its use, and how it impacts the organisation; the individual responsibilities of suppliers, staff, sub-contractors; the various relationships among all elements of the services; and responsibility (and liability) should failures arise.
Another key consideration when departing from legacy systems is the extent to which the new cloud services align to existing deployment models. Cloud providers typically sell based on out-of-the-box ‘configurable’ functionality; solutions typically do not offer significant amounts of customisation or bespoke development. This ‘plug in and play’ feature of cloud-based service offerings may mean quicker and easier set-up of the new service but the downside is that bespoke developments – which may have been created by the organisation’s IT teams over the years – will not migrate across, leaving the customer with a potential functionality deficit and resulting in additional time and expense to bridge that gap.
The third key factor concerns data: what type and value; where it is stored; how it is processed or used, etc. Initially driven by GDPR concerns, establishing rights and obligations in relation to any type of data has now become a key component of any successful DT project. Organisations should understand all data flows, where data is stored at rest and what its suppliers do in relation to data. It is likely that what contract says is permissible will be factually different to what is technically possible so care must be taken to ensure that day-to-day use of the system and technology is in compliance with the contractual terms but also the organisations data collection, processing and retention policies.
4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
Despite the variety of DT services and projects, there are a number of contractual points that arise on most, if not all, DT contract negotiations.
As a first step, it is vital to understand the contractual landscape. This is becoming increasingly complex – legacy contracts are unlikely to be fit for purpose and new contracts are a maze of hyperlinks and embedded documents. The first step is therefore to chase down all contractual documents, hyperlinked and cross-referenced terms, and check technical descriptions and or specifications for exclusions or restrictions (eg, exclusions from availability calculations, error definitions, etc).
Next up, customers need to ensure that the contractual services description is sufficiently detailed to result in meaningful and enforceable warranties – the high-level sales pitch functional descriptions that are offered by suppliers to all customer are typically not detailed enough to capture the customer’s requirements contractually. The functional specification part of any procurement process is key to closing the gap and we find that most suppliers will warrant that the services will deliver the functionality requirements set out in the procurement questionnaires, RFPs, etc.
Be aware of the mantra that the ‘SLA is the product’ and ‘the product is the SLA’ – most suppliers will offer limited service levels (usually linked solely to uptime and availability) and limited service credits (typically capped at 15 per cent to 20 per cent of the fees and the customer’s only remedy for SLA failures). Credits set at this level are unlikely to compensate an organisation if it cannot run its business due to an IT failure so it is important to consider other remedies (including non-contractual remedies like back-up failover systems, etc) to reduce the likely impact of a significant SLA failure.
5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
Despite the fast-moving nature of new technologies, the same handful of points arise on every contractual negotiation. As many legacy systems reach end-of-life, market practice appears to be swinging to favour suppliers. As a result, many negotiations start from suppliers’ templates and customers on low value details are unlikely to achieve a significant rebalance in terms. That fact, however, should not prevent customers from raising points with suppliers, including the following commonly negotiated issues.
The first point of contention is more commercial than legal but can nonetheless impact the contractual discussions significantly: at what point does the customer pay for its licenses to use its new systems services? Generally speaking, most DT projects involve a non-insignificant transition and transformation period. During this time the supplier may need access to systems, etc, to perform any configuration, to allow data transfer, testing, etc. The customer, however, does not use the system until live operation and does not want to pay subscription fees before this date. Some suppliers recognise this concern and only bill professional services fees incurred by it over the implementation period, whereas others seek to charge all fees upfront from the date of signature. Suppliers’ positions on this point are usually entrenched and non-negotiable if the issue is not raised as a requirement of the customer during the procurement process.
The second point of contention revolves around remedies for breach. Post go-live, suppliers typically limit liability to minimal service credits for SLA failures or fix replace obligations for breach of functionality warranties. Liability for loss of profit, loss of revenue and loss of business are typically also excluded. The cumulative impact of these three points means that customers are unlikely to have meaningful remedies for a supplier breach. This can have a catastrophic effect – a failure may prevent the customer from trading or running its business and no amount of service credits or fix commitments will compensate the customer from that loss. A termination right, for example, for material breach, is likely to offer little practical resolution as the customer will need to find a replacement supplier, etc, and this can take months. A compromise may be reached by granting the customer the right to sue for damages if the service credits max out of a period of months or if the supplier fails to meet the SLA on a consistent basis. Loss of profits, etc, if direct, should also be recoverable by the customer and the customer’s right to terminate for material breach should apply without prejudice to its other rights or remedies.
Liability and indemnity are perennially on lawyers’ lists as issues that arise on every contract; DT and cloud contracts are no different. Market practice becoming more supplier-friendly as newer technologies become ubiquitous and is leaning towards capped liability for the suppliers, expressed usually as separate caps or supercaps for breaches of confidentiality; data protection and information security; and a general, aggregate cap for all other breaches. The caps are normally calculated as a multiple of the contract value, however, in certain sectors and among certain suppliers we are beginning to see caps for breach of confidentiality, data protection and information security capped at a specific GBP or US$ amount.
6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
In recent DT market surveys, cybersecurity has emerged as the key risk to be managed, ahead even of the cloud. Organisations undergoing DT should be aware from the outset of the key sources of regulation.
First, under GDPR and the UK Data Protection Act 2018 (DPA), the key standard is to take ‘appropriate technical and organisational measures’ (ATOMs) to ensure that processing is carried out compliantly.
Second, an intricate group of regulations on cybersecurity risk emanate from the UK’s telecoms regulatory framework. These are the UK regulations (SI 2018/506) that implemented the Network and Information Systems Directive; the UK Communications Act 2003 where the cloud provider is a public electronic communications (PEC) network; and the Privacy and E-Communications Regulations in the case of PEC service providers.
Third, sector specific regulation may apply to cloud or other services used by the regulated entity, as in the case of financial services and the European Banking Authority’s September 2019 outsourcing guidelines.
Fourth, the normal duty in negligence to take reasonable care looks likely to equate to the ATOMs duty under the GDPR and DPA.
We are starting to see a more business risk-based approach to managing cyber risk. The UK Information Commissioner was reported in July 2019 as saying that the ICO would focus on whether the security to protect people’s data was consistent, adequate, reasonable and effective and commentators have picked up on this as a ‘CARE’ standard for cybersecurity. In the words of one research company, this approach supports the creation of a balance between protection and running the business, embodying the incentive to build better security capabilities that deliver better outcomes, rather than just spending more money on security. This more practical approach will help inform organisations in their security assessments of DT providers and their own cybersecurity duties.
7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
Data protection, and in particular GDPR’s introduction in 2018, has been the catalyst for a more streamlined and process-driven approach to all issues surrounding an organisation’s data, and not just personal data. We have seen more focus on how and where all types of information are stored and used (from personal data to analytics, etc): information security vetting is now commonplace; customers are routinely asking for evidence of standards certifications for information security and data management and copies of data and information audits; data storage and processing locations are contractually recorded; and penetration testing and BC/DR testing are core elements of a standard approach to information security.
From a contractual perspective, data processing terms are entirely standard, as are mechanisms for implementing standard contractual clauses when required to do so if personal data exits the EU and the EEA. Most companies are also considering how best to address a no-deal Brexit.
8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) Waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
It is five years since Microsoft CEO Satya Nadella famously said that ‘every business will become a software business, build applications, use advanced analytics and provide SaaS services’ but it has taken the rise of DevOps for this prediction to start to become a reality.
DevOps can be thought of as Agile+, in other words, moving on from Waterfall, (highly structured, iterative) and Agile (collaborative, evolutionary) to DevOps’ shortened development life cycle (Dev) and continuous delivery (Ops).
Building an effective DevOps function has two main features. The first is an internal HR-related policy approach of empowering individuals in the team (developers, IT operations, management) in a flexible, results oriented environment. The second is ensuring that appropriate governance and best practices are followed by the team for all software it uses and develops.
Third-party software will either be proprietary or open source. For proprietary software, it is critical that the software is used within the scope of the licence granted to avoid over-deployment issues. This is especially important as legacy (on-prem) contracts may not address in-cloud use, and as organisations migrate their development environments to the cloud, aligning use and licence scope becomes key. This is becoming more material as software providers change their licensing policies and increasingly carry out software audits on their customers. Automated Software Asset Management systems are increasingly used to manage this risk.
DevOps relies on the ubiquitous use of Open Source Software (OSS). Although ‘copyleft’ licences have declined in popularity in recent years (the GPL licence family’s share has halved from 60 per cent in 2012) and use of the MIT and other ‘permissive’ licences has increased, the need for an effectively OSS policy for the DevOps team has not gone away.
Finally, organisations should put in place Source Code Management arrangements to record and manage the software developed internally. GitHub is a popular source code repository here.
9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
DT does not happen in a vacuum and takes place when the business is in flight, putting a premium on strategy, planning, governance and best practices around implementation.
Planning the organisation’s cloud journey is critical, and the dependencies in DT projects are a major source of execution risk. Delays in one project will have a knock-on effect on later projects, increasing time and costs. DT governance arrangements should ensure individual projects are managed within an overall framework, where sequencing, dependencies and relief events are robustly addressed, and a common approach to reporting, information sharing and testing is put in place.
While data protection is still the foundation of data management, organisations are increasingly looking at data ‘end to end’ through the lens of policy considerations, based on data value (quantity and quality, measured by context and timeliness); cost (storage, maintenance and disposal); risk (based on data sensitivity classification); and constraints (including contractual, regulatory, privacy, IP and commercial).
Looking through this lens, data use cases are parsed in different ways, between data that is ‘human impacting’ and ‘human non-impacting‘; data used for input, processing and output; and data used internally and externally.
Different sets of standards and automated checklists will then apply to different use cases segmented according to these criteria.
This business risk-based approach to managing data and risk is also reflected in a more pragmatic regulatory approach to cybersecurity. In an interview in July 2019, the UK Information Commissioner was reported as saying that the ICO’s focus was on ‘whether or not there was adequate, reasonable, consistent and effective data security to protect people’s data.’ This more practical approach will help inform organisations in their security due diligence assessments of DT providers.
As software development moves centre stage, effective internal policies around software asset management (ensuring proprietary third-party software is used within licence scope), open-source software (managing residual risk around copyleft/inheritance) and source code management (for internally developed software) are becoming critical.
The Inside Track
What aspects of and trends in digital transformation do you find most interesting and why?
For lawyers, DT represents the intersection of law, regulation, technology and business and the scale and pace of the changes we are all living through means the area is incredibly diverse and rapidly changing. You can be looking at intricate, detailed contracting points on IP or liability one minute, advising on contract management and governance the next, and looking at knotty regulatory points around data and cybersecurity the next. The variation – between sectors, different areas of black letter law and the practicalities of getting the deal through – and bringing our wide-ranging experience to bear for clients is hugely stimulating.
What challenges have you faced as a practitioner in this area and how have you navigated them?
Advising effectively on digital transformation means four main things. First, understanding a wide range of technologies – cloud, AI, big data, analytics, outsourcing, GDPR, cybersecurity (the list is pretty much endless). Second, understanding the ins and outs of intricate contracts at all levels of the technology stack. Third, deep knowledge of an incredibly broad and rapidly changing range of law and regulation. And fourth, bringing all this together for the client on their digital transformation journey. So the challenge – and the stimulus and satisfaction – is all about constantly learning to learn and get better in each of these four areas.
What do you see as the essential qualities and skill sets of an adviser in this area?
As well as understanding the tech, the contracts and the law, you need to be able to bring all this together for the client. You need to be able to see the big picture of where the client wants to go, as well as the detail of each step along the way so you can help the client navigate the digital transformation journey and get the deal done. Experience really helps, and lawyers’ analytical but practical mindsets, as well as the soft skills and negotiating skills are qualities that clients really value in the complex projects.