Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commission’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.
What’s the Issue?
Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.
As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.
The United Kingdom government’s Cabinet Office (the central procurement department for central government) is requiring major government suppliers to draft “living wills.” These are intended to safeguard the provision of services to the public sector in the event of the collapse of a supplier.
This measure follows the insolvency of outsourcing provider, and major government supplier, Carillion in January 2018. The well-documented Carillion collapse led to significant debate about the role of outsourcing within the UK public sector, with pronouncements about the extent to which outsourcing for the public sector has “fallen out of fashion.”
A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.
The FCA is the UK’s “conduct” regulator, with a focus primarily on the regular business conduct of financial services businesses, as compared to the “macro” focus (safety and soundness) of the Prudential Regulatory Authority (PRA) – although there is overlap between the stated remits of the FCA and the PRA, and outsourcing arrangements are subject to scrutiny by both bodies.
A shrinking in traditional outsourcing deal volumes since the United Kingdom's EU membership referendum vote on June 23, 2016, is being partially attributed to business caution following the “Brexit” decision.
According to consultants ISG, the traditional sourcing market in the UK pre-Brexit referendum had a deal volume of circa $900 million per quarter. However, the UK outsourcing market has only achieved this level of activity in one quarter since the referendum.
Morgan Lewis partner Barbara Melby, the leader of our technology, outsourcing, and commercial transactions practice, has been invited to present at an upcoming Practising Law Institute (PLI) event, Outsourcing 2018: ITO, BPO and Cloud, in New York City. Barbara’s one-hour presentation will take place Friday, November 2, at 11:15 am. She will discuss intellectual property issues in outsourcing, including the following topics:
- Recognizing and avoiding common IP pitfalls
- Copyright, patent, and trade secret issues from vendors’ and customers’ perspectives
- IP representations, warranties, and indemnities in outsourcing transactions
- Open-source considerations
- IP issues in cloud deals
The presentation is part of a two-day PLI outsourcing event November 1–2 at the PLI New York Center, 1177 Avenue of the Americas (2nd floor), New York. You can also access the event via webcast and various groupcast locations.
To register, visit the Outsourcing 2018: ITO, BPO, and Cloud event page.
One of the keys to building a strong long-term commercial relationship with a supplier is the establishment of a robust governance structure that will help manage daily practices and future business goals. A recent post by advisory firm ISG highlights 10 tips for developing a governance structure that will help customers develop and maintain successful working relationships with their suppliers.
KPMG reported in a recent survey that the top trend for 2018 is the adoption of intelligent automation (IA) as a business strategy. The survey, which KPMG publishes on a quarterly basis, reviews global business services, IA, and related service delivery market trends.
KPMG found that 62% of respondents believe that IA and digital labor are the trends that will have the largest positive impact on the respondents’ organizations in 2018. One of the business concerns driving the adoption of IA is the challenge that organizations have in finding, training, and keeping talent, which was the largest negative trend that respondents predict when looking ahead to 2019.
Join us on February 21 for a dynamic and gripping discussion on intelligent automation (IA) and its impact on businesses and the workforce. Barbara Melby, a partner in our technology, outsourcing, and commercial transactions group, and Victoria Phelan, a managing director of shared services and outsourcing at KPMG, will address such IA topics as
- how IA is changing traditional business models,
- the impact on labor and talent in the workforce, and
- the impact on the services and outsourcing contract.
Just register, and we’ll do the rest!
Join us for a discussion on the five leading trends that will impact outsourcing deals in 2018. Morgan Lewis partners Barbara Melby and Ed Hansen and senior attorney Ada Finkel will address robotics and automation, data privacy and security, big data, customer experience, and business transformation. Specific issues will include
- how to derive benefits from automation technologies,
- crafting provisions to prevent and allocate responsibility for a data breach,
- structuring data rights for business strategies of today and the future,
- new strategies for refocusing on internal and external customers, and
- leveraging the contract process to drive new technologies and business process redesign.
Register for the event and begin 2018 in style!