Avoiding legal and regulatory pitfalls in digital transformation projects

September 2024  |  SPECIAL REPORT: DIGITAL TRANSFORMATION

Financier Worldwide Magazine

September 2024 Issue

Digital transformation projects are prevalent across the globe. According to Statista, worldwide spending on digital transformation technologies and services is projected to reach $2.49 trillion in 2024 and $3.9 trillion by 2027. Most companies are replacing legacy systems and have embraced cloud technologies. The use of generative artificial intelligence (GenAI) solutions, while not as widespread presently, is rising rapidly.

We are seeing numerous cutting-edge transactions involving digital transformation. These projects bring enormous benefits to companies, including improved staff and customer satisfaction, increased operational efficiency, the ability to aggregate and analyse data, and the development of new products and services. At the same time, we have seen an assortment of legal and regulatory issues that frequently arise in these projects. These may range from minor issues that can be settled over a phone call to high-priority matters that can prevent a project from getting off the ground or delivery being disrupted or delayed. In this article, we consider some of the pitfalls that lie in wait for the unwary.

Data

Digital transformation projects will involve the use of data in some form. Vendors that are engaged to assist with these projects may often need to be given access to personal data as well as commercially sensitive data in order to deliver what has been agreed.

Where personal data is involved, privacy laws will invariably need to be complied with. According to the International Association of Privacy Professionals, 6.3 billion people worldwide are covered by some form of national data privacy law. Data localisation laws, which require businesses to store or process certain types of data within a certain country, may complicate certain types of projects where data will be stored overseas, such as cloud storage. Additionally, data privacy laws often prohibit personal data being held unnecessarily and require personal data to be afforded a certain level of protection, particularly when transferred to third parties, with additional requirements when personal data is transferred across national borders. Under some privacy regimes, consent is required before an individual’s personal data can be transferred. Where data breaches occur – whether inadvertently or as a result of a cyber security incident – many data privacy laws require data controllers to notify privacy regulators and affected individuals in compliance with strict deadlines.

The risk of not complying with data privacy laws can be significant. In many countries, the financial penalties for non-compliance are calculated based on a percentage of a company’s turnover. The EU General Data Protection Regulation (GDPR) is perhaps the most well-known example of this, with GDPR fines in 2023 alone amounting to a record €2.1bn.

Where a customer engages a vendor to implement a digital transformation project, any failure by the vendor to comply with data privacy laws may not only lead to a contractual dispute but may also result in the customer itself being in breach of those data privacy laws. It is therefore crucial for businesses to be confident about the expertise of the selected vendors and to have appropriate contractual clauses in their project agreements with vendors. Among other things, these clauses should contain appropriate indemnities, require vendors to protect the customer’s data adequately through a combination of physical, technical and organisational measures, notify the customer of any data breaches in a timely manner, and not retain data unnecessarily, particularly after the project has been completed.

In practice, it is also important for businesses to understand all interdependencies and conduct due diligence on vendors to ensure that they can comply with contractual responsibilities. At an operational level, contracts should require vendors to have or develop business continuity and disaster recovery plans, conduct penetration testing to identify vulnerabilities in their digital systems, patch any vulnerabilities identified in their digital systems, and conduct IT security training for staff working on the project. Contracts should also clearly specify the parties’ roles and responsibilities for key items, such as project management, data migration, data quality and user testing.

Sector-specific regulation

Depending on the sector in which a business operates, sector-specific regulation may impose requirements that impact how a digital transformation project can be implemented. Sectors that are heavily regulated in many countries typically include telecommunications, energy, healthcare, defence, insurance and financial services. Failure to comply with these regulations may lead to financial penalties, or directions from regulators to stop work until remedial measures have been put in place.

In particular, outsourcing and operational resilience rules in the financial services sector have, in recent years, imposed increasing requirements for vendor engagement and contents of contracts. These requirements are often difficult to navigate with large, well-established vendors that often expect customers to adopt their standard contractual clauses with little room for variation. These issues should be identified as early as possible in the lifecycle of a transaction so that potential solutions can be explored, or, in a worst-case scenario, parties can walk away from the project without expending unnecessary time and money.

AI

With the rapidly increasing adoption of GenAI solutions, many countries worldwide are implementing legislation to regulate how AI systems are developed and used. The EU AI Act – the world’s first comprehensive AI law – has recently become EU law. New AI rules and laws will be developed in the years to come, and existing ones will be amended and refined.

Digital transformation projects that involve the use of AI will need to comply with AI laws. Contractual frameworks must also be sufficiently agile to account for future legislative developments. What is permissible at the start of a project may no longer be legally compliant as new AI laws come into force.

When negotiating contracts with vendors providing AI-related services, it is important to properly describe the parties’ rights and obligations vis-à-vis the input and output of the AI system. Common issues include ownership of data used to train the AI system, whether the vendor is allowed to use the same data to train its AI model for the benefit of other customers, ownership of the data generated by AI, the separation of data licensed in from that which is generated, system segregation obligations during operation and on termination, and who should bear the risk if third-party rights are infringed. The risk of infringement may be higher when the vendor’s AI system is trained (fully or partially) on data owned by third parties or scraped from websites, and warranties or indemnities regarding non-infringement may have to be sought.

When things do not go according to plan

Digital transformation projects will run into issues. Milestones may not be met, there may be no contractual promise that delivers upon the customer’s actual business or technical needs, service levels may fall below expected standards, or parties may not agree over the scope of deliverables, the contractual implications of any delay, or the interpretation of certain clauses. As pointed out above, new rules and laws which have a material impact on the project may come into force.

To mitigate these risks, it is tempting to contractually allocate or assign fault in situations where things have not gone as planned. Lawyers have an arsenal of weapons for use in these scenarios: indemnities, liquidated damages, step-in rights, rights to terminate, exclusion of liability clauses and uncapped liability clauses are some common options.

However, pointing the finger when things go wrong is not always the best solution. If every unexpected event led to the termination of the contract, triggered an indemnity or ended up with the parties going to court to resolve the issue, most digital transformation projects would be very short-lived indeed. With this in mind, robust project governance processes, change control clauses and alternative dispute resolution mechanisms may allow parties to negotiate problematic issues in good faith and find an acceptable solution. While parties should always ensure that they do not give up any rights under the contract in doing so, it is often better to agree changes to existing timelines and deliverables as a project is executed rather than destroying an existing relationship with a vendor, or having a dispute end up in costly litigation or arbitration.

To ensure that legal and regulatory issues do not impede a digital transformation project, especially one involving novel technology such as GenAI, lawyers and regulatory experts should be consulted at an early stage and should be involved throughout the lifecycle of the project. Their role is to ensure the early identification of any potential contractual issues or regulatory barriers and advise on how these can be navigated or avoided altogether so that parties are protected and capacity for regulatory compliance can be ensured at the outset and for the lifecycle of the project.

 

Justin Davidson is a partner and Kerri Gevers is a counsel at Norton Rose Fulbright, and Jeremiah Chew is a director at Norton Rose Fulbright’s associated Singapore firm, Ascendant Legal LLC. Mr Davidson can be contacted at +852 3405 2426 or by email: justin.davidson@nortonrosefulbright.com. Ms Gevers can be contacted at +65 6309 5408 or by email: kerri.gevers@nortonrosefulbright.com. Mr Chew can be contacted at +65 6309 5414 or by email: jeremiah.chew@nortonrosefulbright.com.

© Financier Worldwide

BY

Justin Davidson, Kerri Gevers and Jeremiah Chew

Norton Rose Fulbright

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.