IT Contracts, Cloud and Outsourcing

By Alessandro Ferrari, Giacomo Lusardi and Filippo Grondona

As the digital revolution unfolds and Forbes accounts over half of the global GDP to digitally transform companies by 2023, it should come as no surprise that the global IT spending will increase to an amount of approximately 3.8 trillion dollars by 2020, to reach the peak of 4 trillion by 2021, as reported by Gartner. The open questions remain; which technologies will lead such growth and to what extent will this momentum affect technology-buyers, technology-providers and ultimately lawyers at the beginning of the twenty-first century’s second decade.

Similarly to last year’s trends, cloud computing and IT outsourcing will certainly remain among the most-talked about topics of 2020. The outlined growth trend will be fueled by the booming spread of Artificial Intelligence (AI) based technologies (e.g., machine learning), which is already bringing significant paradigm shifts within a large number of industries. According to Statista, the global AI software market is expected to touch the stunning revenues amount of 118.6 billion by 2025.

Companies of all sectors will thus increasingly rely on IT procurement and on a wide range of IT contracts (i.e., agreements related to Information Technology products and services), both as to their routine business activities as well as to more specific projects.

It is now time to see how these technology breakthroughs will impact the relevant legal practice in the year to come.

1.    Customization will be king

The provision of tailored IT services and solutions will be in every insider’s mind in the next year and in the years to come, giving rise to more customized contracts. The time when just a few providers offered the same standard solutions to all of their customer base appears to already be far behind us. Across the entire spectrum, customers today expect and demand fast, reliable, accessible, and customized solutions from their IT providers. The level of complexity and customization expected by customers is achievable only through the provision of hybrid solutions (i.e., entailing a mix of AI and different cloud technologies, such as edge, public and private), specifically developed to meet the desire and needs of each single customer.

Such customer-centric approach will dramatically change the parties’ contractual relationship, shifting from an output-based to an outcome-based model. Outcome-based agreements require a higher level of collaboration between the parties, which shall clearly identify the goals, milestones, service levels, and pricing models that best fit the technology-buyer’s business. From a practical point of view, this will require service providers to be open to discuss parts of the technology agreements that were previously drafted unilaterally, in order to better meet their customers’ needs and expectations.

2020 will likely see a wide array of new customized IT agreements and the ultimate overcoming of the one-fits-all IT solutions.

2.    Cybersecurity: ever more a burning topic!

Cybersecurity is surely going to be on everyone’s lips in 2020. The shift towards more and more cloud, AI and outsourcing solutions will make cybersecurity a top priority for most of technology-buyers. Thus, the choice of the right technology service providers will be increasingly influenced by the level of security they can guarantee. This is even more significant in light of the huge losses that companies may face in case of deployment of inadequate security measures and security incidents, among which are administrative fines (e.g., under the GDPR), incident recovery costs and potential reputational damages.

Therefore, IT providers will have to stick to the highest standards of security if they want to remain competitive on the market. In the banking and financial sectors, cybersecurity is one of the underlying concerns that led to the revision of the EBA guidelines on outsourcing (and cloud sourcing): we would not be surprised if in the near future additional guidelines will also touch AI contracting, given the cybersecurity implications of this technology.

This “call of security” is already requiring IT providers to adopt cyber-insurance policies with broad coverage and high liability limits, as well as to deploy appropriate and proportionate security measures to guarantee the highest levels of security to their customers.

The momentum of cyber-security and cyber-insurance is also confirmed by the recent steps taken by institutional and standardization bodies, including the issuance – this very year – of a set of guidelines for the purchasing of cyber-insurance, by the International Organization for Standardization (ISO).

In addition, the European Union recently put forward a proposal to set up an EU certification framework for ICT digital products, services and processes that will help service providers to adhere to higher security standards. The purpose of such framework is to create a tailored and risk-based EU certification scheme which will provide a comprehensive set of rules, technical requirements, standards and procedures applicable EU-wide.

It is likely that 2020 will see an increased awareness on cybersecurity from both technology-buyers and providers. Such awareness will lead to the development of more secure solutions and to the adherence to higher security standards that will be reflected within IT contracts. This will also increase the demand for cyber-insurance products and the need for IT providers to pursue certifications and codes of conduct in order to better prove to customers to be reliable from a cybersecurity standpoint.

3.    The rise of non-personal data

On the one hand, this 2019 has been the second year of GDPR enforcement, in which personal data-related issues reached their peak. On the other hand non-personal data are receiving more and more attention, also in light of the increasing relevance of cloud technologies and AI.

The European Union recognized the importance of such data for the businesses’ expansion and the development of innovative products and services for some years now, by taking several actions such as, inter alia, proposals to update the current legal framework in terms of data ownership, fostering the dissemination of open data, and giving guidance to the processing of datasets containing both personal and non-personal data (so called “mixed datasets”).

In addition, a new EU Regulation (No. 2018/1807) entered into force in 2019, with the purpose to remove obstacles to the free movement of non-personal data across the European Union, such as any national legislation which may compel cloud providers to store and process data in a specific country. The EU Regulation on the free flow of non-personal data also encourages companies to develop self-regulatory codes of conduct in order to ease the migration between different IT providers. The increasing number of IT service providers and data formats used within the market will certainly make data portability a hot topic for the IT industry for the years to come. Migration plans will therefore become more and more relevant for technology-buyers, which are likely to require guarantees that the migration is timely, smoothly and effectively performed by the provider, and if not, that any damages suffered are adequately compensated.

If 2019 was undoubtedly another personal data year, we are confident that 2020 will confirm the importance of non-personal data flow as well, specifically in terms of data portability and vendor migration.

To discover more about other trending topics, take a look at the complete IPT legal predictions 2020 booklet at the following link http://bit.ly/2vGImLe.