Digital Transformation has received a hefty shove online in 2020. Richard Kemp, partner at Kemp IT Law, looks at the key legal features of the rapidly changing landscape and key DT lawyering and deal 'do's' and 'don'ts'.
This blog was first published as part of the white paper companion piece to our Digital Transformation webinar on 10 September 2020.
Nebulous and potentially boundaryless, Digital Transformation ('DT') can be challenging to articulate clearly. Diving in, we'll define it broadly as the investment in technologies, people and processes by an organisation to optimise its digital business capabilities. To make it more manageable from the legal perspective, we'll distinguish between digital transformation as the journey and digital business - enhancing customer experience and competitive advantage - as the destination. This piece focuses on the DT journey.
Even before the pandemic hit, DT had emerged as the top priority in the organisation for technology initiatives in 2020, with (in roughly decreasing order):
- cloud as key DT journey enabler;
- a much clearer focus on cybersecurity, data protection, compliance and governance;
- increasing investment in data analytics and machine learning; and
- 'always on' software development through DevOps and IT service management as a service.[1]
Chart 1 – Internet Sales as a Percentage of Total UK Retail Sales, 2007 - 2020 (Source: ONS)
The COVID-19 pandemic has accelerated these trends in a way unforeseeable at the start of 2020. How UK internet retail sales have grown illustrates this well. Taking internet sales as a proportion of total UK retail sales, it took four years for online sales to double from 5% to 10% (2008 to 2012), and another four to get to 15% (Q4 2016). But it then took only two years to reach 20% (Q4 2018). In April 2019, Mr Mark Carney, Bank of England Governor, was saying "last year one fifth of all sales in the UK were online. Next year, it will be one quarter"[2]. In fact, as Chart 1 shows, it has taken just eighteen months to get from 20% to 30% (Q2 2020).
At the macro level, the combination of strong internet growth in 2018 and 2019, physical retail lockdown and a hefty shove online in 2020 is behind these figures. The acceleration of these trends in the high street stands as proxy to other sectors, whether the pandemic is a challenge (travel, leisure, hospitality) or an opportunity (healthcare, financial services), as well as to other walks of life, like legal services, where DT is starting to make a real difference.
DT isn't occurring only in vertical sectors, however. The cloud is a powerful DT enabler, whatever the sector. And horizontal areas that until very recently were the province of large numbers of human boots on the ground are now being cloudified and automated. Nowhere is this more pronounced than in cybersecurity, where automating and 'cloudifying' incident detection and response, privileged access management and data loss prevention is starting to remove some of the compliance and governance headaches, or at least enabling them to be managed in a more structured, proactive way.
What are the key legal features of this rapidly transforming digital landscape? We can break them down into two - key DT lawyering 'do's' and 'don'ts', and key DT deal 'do's' and 'don'ts'.
DT lawyering do's and don'ts
On the DT lawyering front, and as DT projects take up more of an organisation's resources, it's all about clarity, scope definition, relationships and objectives. From our seat deep inside the fourth industrial revolution, the range and speed of adoption of new IT techniques rippling out across business can appear daunting - 5G, Web 3.0, Smart APIs, AI/ML, IoT, DevOps, blockchain, cloud and mixed reality to name but a few. But getting to clarity around what the tech does is an essential first step towards being able to scope it out and apply legal principles to it: clarity of legal analysis based on genuine understanding of the tech is a prerequisite for the team effort.
Along with understanding the tech goes the legal team's stakeholder role in helping shape the organisation's strategy, policies and processes around DT, particularly in the areas of designing in compliance (privacy and data protection, cybersecurity, sector specific regulation), end to end data governance and DevOps' 'always on', shortened software life cycle. Writing up the foundational documents - from the vision, through the policy to the detailed processes - clearly and concisely and communicating them effectively enhances buy-in across the organisation.
DT deals do's and don'ts
The legal team's role in DT compliance and DT deals gives it an enabling role in managing DT projects - whether strategic or tactical deals or strategic compliance - and in setting agendas and objectives.
On the DT deals front, cloud due diligence, procurement and contracting are now in the mainstream, but as we move to 'everything as a service' (XaaS), understanding the basics of the different cloud service models (SaaS, PaaS and IaaS) and delivery models (public - a room at the provider's hotel; private - my own room; and hybrid - a combination) remains the first step (see Chart 2).
As the business models and contracting approaches of the major SaaS players mature, it's becoming increasingly common on a single larger DT project to deal with the core SaaS provider, the professional services implementation partner and one or more providers of contiguous services. How the customer defines scope and shapes the contract structure is critical. It may be impractical to get all parties involved to sign up to one contract, but in a series of bilateral contracts, aligning the dependencies between different providers puts a premium on effective contract management. Establishing from the outset a common approach to project methodology, reporting standards, testing and structuring relief events can make all the difference here. In passing, AI as a Service (AIaaS) deals are becoming increasingly popular, and aligning the customer's and the provider's ethics and data policies can be a challenge.
Chart 2 - The Cloud Continuum
A coherent and consistent approach to data in DT deals is critical. We're not just talking about data protection and cybersecurity compliance - key though they are - but also a more standardised approach to data governance that looks at data both as corporate asset and as a source of potential risk or liability.
As software development moves centre stage, with many organisations using their own apps and APIs in enhancing the customer experience, we're moving away from the structured, sequential waterfall model, past Agile and towards DevOps, combining shorter development cycles (Dev) with continuous operational (Ops) delivery. In this world, effective internal policies around software asset management (ensuring proprietary third party software is used within licence scope), Open Source Software (managing residual risk around copyleft/inheritance) and source code management are critical.
Lawyering DT is becoming a core part of the organisation's skillset in successfully responding to the great shove online, and lawyers' unique combination of skills - getting to grips with the technology, applying evolving legal principles to how it's contracted for and used, formulating strategy and policy, communication and relationship building - will continue to play an important role in ensuring that success.
1. See for example Flexera 2020 Digital Transformation Planning Report, page 3.