Governance and Best Practice on the Digital Transformation Journey
Digital Transformation has received a hefty shove online in 2020, but DT projects can come off the rails without proper planning, governance and best practices. Richard Kemp, partner at Kemp IT Law, looks at how the legal team can contribute to successful DT in the organisation.
This blog was first published as part of the white paper companion piece to our Digital Transformation webinar on 10 September 2020.
Digital Transformation (‘DT’) – the investment in technologies, people and processes by an organisation to optimise its digital business capabilities – was already top priority for CIOs in 2019, and has been accelerated in 2020 by the pandemic in a way few could have foreseen six months ago.
The adaptation to working from home in response to lockdowns in the spring, the growth surge of BigTech since then, and innovation demonstrably moving from the lab to the mainstream have all contributed to a hefty shove online this year and a growing recognition that there really is no sustainable long term offline alternative.
But DT doesn’t happen in a vacuum and takes place when the business is in flight, putting a premium on visioning the change and strategy, planning, governance and best practices around implementation. The legal team has a lot to contribute in each of these areas.
The genesis of DT projects is typically a report, highlighting (externally) how customer expectations are moving on and (internally) how current IT falls short: infrastructure may be nearing end of life; architecture may not address evolving security threats; IT resources may be deployed piecemeal and delay time to value; and limitations may lead to growth of shadow IT outside existing governance.
Analysis will focus on (external) customer-facing objectives of enhancing engagement, experience and solutions and (internal) people-facing objectives of empowerment and communication, and the articulation of a coherent, unifying vision.
The DT cloud journey and governance
The cloud is the great enabler of DT, and the vision is generally implemented through cloud architectures (increasingly, hybrid, public and private), frequently at all levels of the cloud stack (data centre, network and server infrastructure, software platform and software as a service) and integrating external and internal IT services seamlessly and speeding up time to value.
Planning the organisation’s cloud journey is critical and charting implementation is in many ways down to the nuts and bolts of effective supplier management. Very often, there’ll be a consultancy piece at the outset around service definition and procurement, and the legal team should have a seat at the table where the details of each procurement and due diligence, timings, dependencies and risks between the individual constituent contracts are all assessed and aligned.
The dependencies in large scale DT projects can be a major source of execution risk. Some SaaS providers will use their own professional services (‘PS’) businesses for configuration, migration, sizing and deployment, but others will leave them to third parties, so you may have a number of different suppliers – existing system, new SaaS, PS and perhaps auditors – on just one project. SaaS projects may be preceded by a data centre, IaaS (infrastructure – networking, compute, storage) or PaaS (non-application software) project, and any delays or performance shortfalls in one of these may have a knock-on effect on the SaaS implementation, increasing time and costs. Where the output of a SaaS project is customer-facing, SLAs in customer agreements may be at risk through delays or failures elsewhere in the contractual ecosystem.
DT governance arrangements should ensure that individual projects are managed within an overall framework and that sequencing, dependencies and relief events (delay by supplier A means that supplier B will also be late) are robustly managed. It may not be possible to get the customer’s project methodology adopted by all parties, but common standards on, or at least a common approach to, reporting, information sharing and testing are critical. The legal team has a natural part to play in DT governance at each level, as well as holding the pen on the contract negotiations themselves.
Data and Risk
GDPR compliance continues to drive governance and best practices in the area of personal data, especially in sharing data between organisations, where market practice is starting to be much more granular about the boundaries between processor and controller and, in the controller context, what constitutes a joint controller relationship. The striking down of Privacy Shield in July 2020 has led to a closer attention to international transfers and the Standard Contractual Clauses.
Whilst data protection is the foundation of data management, the widespread adoption of AI has added a multiplicity of AI ethics frameworks, governance models and best practice statements which can be confusing in practice. Looking at data governance in the round, organisations are increasingly analysing their data estate through the lens of policy considerations, based on data:
value: quality and quantity of data, measured by context and timeliness;
cost: of storage, curation, maintenance and disposal;
risk: based on data sensitivity classification; and
constraints: contractual, regulatory, privacy, IP, HR, commercial interests and societal.
Looking through this lens, data use cases are parsed in different ways:
between data that is ‘human impacting’ and ‘human non-impacting’;
between data used for input, processing and output;
between data used internally and externally.
Different sets of standards and automated checklists will then apply to different use cases segmented according to these criteria.
Cybersecurity and Risk
This business risk-based approach to managing data and risk is also reflected in a more pragmatic, albeit outcome-based, regulatory approach to cybersecurity. In an interview with the Wall Street Journal at the time of the announcement of the proposed £99m Marriott and £183m BA fines in July 2019, the UK Information Commissioner was reported as saying:
“Our focus is whether or not there was adequate, reasonable, consistent and effective data security to protect people’s data … [W]e look at whether or not doors were left open to make it easy for cyberattacks, whether or not the attack was foreseeable, what kinds of due diligence and steps were taken in the data security program. … So many of our investigations are finding basic or a lack of cybersecurity hygiene, lack of some of the most basic protections that people would expect …”
Slightly rearranging Ms Denham’s four descriptors, Gartner comments:
“[i]n these four characteristics are a myriad of opportunities to do what is best for the organization. It supports the creation of a balance between protection and running the business. It also embodies the incentive to build a better security capability that delivers better outcomes, not just spend more money on security.”
This more practical approach will help inform organisations in their security due diligence assessments of DT providers.
DevOps and Risk
It’s five years since the CEO of Microsoft famously said that “every business will become a software business, build applications, use advanced analytics and provide SaaS services”, but it’s perhaps taken the rise of DevOps – combining shorter development cycles (Dev) and continuous operational delivery (Ops) – for this prediction to start to become a reality.
As software development moves centre stage for business, and organisations increasingly use their own apps and APIs in enhancing the customer experience, effective internal policies around software asset management (ensuring proprietary third party software is used within licence scope), Open Source Software (managing residual risk around copyleft/inheritance) and source code management are critical.
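The copyleft/inheritance point above is one that can be turned into an automated check rather than left to a policy document. The following is an added example, not code from the original post or from Kemp IT Law: it walks a constructed dependency manifest (the component names and SPDX licence identifiers are invented for illustration) and applies a deliberately simplified, assumed policy: copyleft obligations are triggered by distribution of the software (and, for AGPL, by network use as well), and strong copyleft reaches any code that is statically linked into it, transitively. The licence groupings and the three distribution modes are assumptions of the example, not a legal determination.

```python
"""Illustrative open-source licence policy check (added example; not from the
original post).  Assumed, simplified policy:
  - copyleft obligations are triggered by distribution; AGPL also by network use
  - strong copyleft inherits along a chain of static linking
  - internal-only use triggers no copyleft obligation
  - anything outside the policy lists needs human review
"""
from dataclasses import dataclass, field

# Licence families keyed by SPDX identifier.  The grouping is an assumption of
# this example, not a legal determination.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
ALL_KNOWN = STRONG_COPYLEFT | NETWORK_COPYLEFT | WEAK_COPYLEFT | PERMISSIVE

DISTRIBUTION_MODES = {"internal", "distributed", "network-service"}


@dataclass
class Dependency:
    name: str
    licence: str          # SPDX identifier as declared in the manifest
    linkage: str          # "static", "dynamic" or "process" (separate process / network call)
    deps: list = field(default_factory=list)


def check(dep, static_chain, distribution):
    """Policy rules for one component.  `static_chain` is True when every link
    from the root product down to `dep` is static, i.e. the component's terms
    reach the product's own binary under the assumed inheritance rule."""
    lic = dep.licence
    if lic not in ALL_KNOWN:
        return [("review", dep.name, f"licence {lic!r} not in policy: needs review")]
    if distribution == "internal":
        return []  # assumed: no distribution and no external network use, so no trigger
    if lic in NETWORK_COPYLEFT:
        return [("block", dep.name, "AGPL obligations triggered by distribution or network use")]
    if lic in STRONG_COPYLEFT:
        if distribution == "network-service":
            # GPL (unlike AGPL) is triggered by distribution, not by serving over a network,
            # but anything delivered to the client (e.g. browser code) would still count.
            return [("notice", dep.name, "GPL not triggered by network use alone: confirm nothing is shipped to clients")]
        if static_chain:
            return [("block", dep.name, "strong copyleft inherits to statically linked code")]
        return [("review", dep.name, "copyleft across a dynamic/process boundary: confirm separation")]
    if lic in WEAK_COPYLEFT:
        return [("notice", dep.name, "keep licence text and share changes to the component itself")]
    return []  # permissive: attribution only, handled by the notices file


def evaluate(root, distribution):
    """Walk the dependency graph depth-first and return a list of
    (severity, component, reason) findings for the given distribution mode."""
    if distribution not in DISTRIBUTION_MODES:
        raise ValueError(f"unknown distribution mode {distribution!r}")
    findings = []
    seen = set()

    def walk(dep, static_chain):
        for child in dep.deps:
            if child.name in seen:      # diamond dependencies are reported once
                continue
            seen.add(child.name)
            chain = static_chain and child.linkage == "static"
            findings.extend(check(child, chain, distribution))
            walk(child, chain)

    walk(root, True)
    return findings


def blocking(findings):
    """Names of components that would stop a release under the assumed policy."""
    return [name for severity, name, _ in findings if severity == "block"]


# Constructed manifest for a hypothetical customer-facing SaaS product.
SHOP_API = Dependency("shop-api", "Proprietary", "static", [
    Dependency("web-framework", "MIT", "dynamic", [
        Dependency("pdf-render", "AGPL-3.0-only", "process"),
    ]),
    Dependency("image-codec", "Apache-2.0", "static", [
        Dependency("libcompress", "GPL-2.0-only", "static"),
    ]),
    Dependency("db-client", "LGPL-2.1-only", "dynamic"),
    Dependency("vendor-sdk", "Proprietary-EULA", "dynamic"),
])

if __name__ == "__main__":
    for mode in ("internal", "network-service", "distributed"):
        print(f"--- {mode}")
        for severity, name, reason in evaluate(SHOP_API, mode):
            print(f"{severity:7} {name:14} {reason}")
```

The point the run makes is the one the text alludes to: the same manifest is clean for internal use, carries an AGPL blocker as soon as it is served to customers, and picks up a second blocker (the GPL library reached through static linking of a permissive wrapper) only when the binary is actually distributed. The "review" outcome for the unrecognised proprietary licence is where the legal team's software asset management work starts.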
A clear and effective role for the legal team in governance, risk management and best practice around the DT cloud journey, data, security and DevOps will go a long way to avoiding project derailments and runaways.
Judgment of 16 July 2020 of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.