
Shared & Halved – IHL series: IT Contracts for the “New Normal”

On 15th July we held the latest in our series of webinars providing an overview of some IT contract and service types which are likely to be of increasing importance in today’s climate (including Cloud Services, Unified Comms and Agile development), as well as some key issues and risks to be aware of.

Key takeaway points are set out below:
Acceleration of Digital Transformation - main things to think about

  • Businesses were already moving from legacy systems and ways of working. Cloud infrastructure and “remote” services were becoming the norm.
  • Covid has accelerated that. Many businesses are doing the sort of things that may have taken years to do, in a matter of months or even weeks.
  • Some initial considerations:
    • What has the business already signed up for? Has it entered into contracts for new services and systems which it needed to procure in short order, in some cases without legal input, but where the legal team will be expected to know and understand the risks?
    • Think about the longer term. Even if there haven’t been short-term or emergency purchases, chances are the business has been re-thinking its plan and may be looking at moving parts of the operation to new products and services in the longer term. What is the business planning to buy or change to be fit for the 21st Century and ready for post-lockdown?
    • New models – Will the business be moving away from potentially outdated models and services, such as Work Area Recovery?
  • Some immediate tips:
    • Keep the legal team informed of what is going on from the start. There may, for example, be regulatory considerations for the client before it can move to a particular service.
    • Make sure you understand the Business’ existing legacy services and arrangements:
      • Level of lock-in - if you are looking to procure a new system but already have contracts which need to be replaced, is that possible? Have you already signed up for minimum commitments which could cost money to exit? What do those legacy contracts say about exit? Do you have to serve notice on a previous supplier to get help migrating data which they may hold to a new service?
      • Existing terms - if the business already has a contract with the supplier of a proposed new service then be mindful of what that says. Does it also cover future orders? Microsoft, for example, often signs “Enterprise” agreements which aim to cover whatever services the customer may want to buy from them at any one time.
      • How will a proposed new supplier / service “fit” with existing ones - consider any touch points between suppliers and what they provide.

Some key IT contract and service types to get to grips with:

Cloud

  • Cloud involves abstracted or remote services / storage of data or software. Client does not physically control the hardware.
  • Three main types of Cloud:
    • Public – e.g. Hotmail
    • Private – dedicated server space (e.g. regulated clients)
    • Hybrid - combination
  • Advantages include: better security and resilience (especially from large suppliers), flexibility, scale.
  • Disadvantages include: giving up some control of data, suppliers take a “one to many” standardised approach, location, audit and access issues.
  • Privacy/ data protection aspect isn’t always considered so needs to be thought about early on by the DPO or in-house legal team.
  • Contract issues to consider include:
    • “One to many” means pro-supplier positions (including in relation to exit and lock-in)
    • Complex terms and documents – may be layers of contracts (including online terms) so need to be very aware of what is included.
    • Linked online documents can often change
    • Data protection and IP
    • Less likelihood of getting negotiated changes – when you do, you may need a “side letter”.
    • Regulatory constraints – especially in Financial Services
  • Go in with eyes open and be realistic. The sorts of protections which could be obtained for an “on premise” service may not be available for a cloud service. Practical mitigations may be needed. Think about commercial leverage.
  • The traditional assumption is that large vendors will be “safe”. What about smaller vendors whose cloud services may be used? There may not be the same assurances. The market is moving to try to address this; for example, NCC now provides “cloud”/ SaaS escrow arrangements.

“Agile” Implementation and Development

  • Increasingly common for businesses which are developing new apps or looking to integrate a new service or system.
  • Agile is a methodology – a collection of one or more approaches. About flexibility, collaboration and agility so inherently “anti-contract”. Different to traditional “Waterfall”.
  • Agile projects are “bottom-up”. Start with how the end result should look and work backwards with bursts of activity (“Sprints”) during which development is done to create the functionality. Very collaborative, so a different risk profile with more involvement by the customer.
  • Use of important governance documents eg Backlog.
  • Agile projects can be difficult for lawyers to grapple with as the commercials and allocation of risk are different:
    • Fees can be rates / T&M based
    • Accrued in bursts during the Sprints
    • May be no initial set price – could mean less risk premium from the supplier but can be a risk of costs burn without output
  • Data protection is sometimes low on the list of priorities but could be relevant if the supplier is using data in development or implementation. New projects need to involve legal early on and have ‘privacy by design’ incorporated into the governance plan for the project. Need someone responsible for privacy at each stage thinking about personal data and how this is risk assessed.
  • Contracting tips for Agile projects:
    • Try to maintain some controls eg on timetable and output
    • “Minimum Viable Product”
    • Price caps
    • Retention of charges
    • Termination and “portability”

Unified Comms (and privacy issues)

  • Unified Comms include solutions like Zoom, Teams, Skype, Jabber, Webex etc.
  • In terms of general contracting, the same issues mentioned above will apply. However these services are a “hotspot” in terms of Data Protection issues.
  • There has been a huge shift towards homeworking using these tools, which brings with it an increased risk of cyber-attacks and personal data breaches.
  • Explosion in amount of personal data being used, including images captured so includes sensitive data. Even if data is encrypted it is still personal data.
  • Really important that you have GDPR / Data Protection compliant contract terms in place with providers – check their privacy information, does it align with yours (disclosures to third parties, location of data)? Do you need to update your privacy policy (employee policy or customer policy or both)?
  • Status of the supplier – can be processor on behalf of customer but may also be a controller so important to think about how the supplier is using data and ensure reflected in your own privacy policies (all of the main providers acknowledge that they are also a controller). Some suppliers, e.g. connectivity suppliers, may argue that they are not a processor because they don’t ‘see’ the data, but you need to look at their role (are they responsible for the security of the data whilst in their systems?) and ensure the contract is compliant. Try to be as specific as possible in the contract about whether the supplier is a controller, processor or both. It is sensible to always cater for the supplier being a processor under the contract and to insert the basic protections in the contract rather than risk it being non-compliant.
  • Recording of video / voice calls – there is an increased need to inform people and be transparent about how you’re using their data (how are you using the recording? How long will it be stored?). Need to get permission if you’re going to record a call and need to document that permission. (e.g. Zoom has a pop-up feature to request permission for recording, it can also identify who is recording).
  • Ownership of data – need to make sure whatever it says in contract that you retain control so can manage subject access requests.
  • Location – be aware of where the supplier is storing your data, and make sure your privacy policies reflect this. Under the GDPR, if data is being transferred outside the EEA, additional safeguards need to be put in place (e.g. binding corporate rules or SCCs). Note that Privacy Shield is now invalid for transfers to the US.
  • Security of data – who is responsible under the contract? Providers often put the onus on the account holder to configure the security settings, so this is worth bearing in mind, and policies should be in place for those using the system.
  • Exiting the contracts – issues can arise around getting the data back, the format of this, how long it takes to get this back. Also consider termination costs if exiting early (how long do you want to be locked into the contract?).
  • DPO and/or legal teams need to be made aware early on of the proposed adoption of new systems so that data protection risks can be considered. The role of DPOs and DPIAs is crucial to demonstrate data protection compliance. A paper trail is key to showing the regulator that you are taking privacy seriously.

Disclaimer

This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
