Guest post, March 25, 2022 5 min read
While much focus is made in the media on regulating ‘big tech’, the reality is that change is afoot for organisations of any size in the tech sector, as law makers around the globe grapple with how to regulate an increasingly digitised world.
From updated rules to shore up cyber defences to AI specific regulation at the EU (and possibly UK) level, new laws are on the horizon. Understanding your legal risks, particularly where these are changing, can help you structure your business in a way that attracts investment and avoids you having to retrofit compliance at a later date with the additional cost, time and risk that this entails.
But how, as a business juggling multiple demands, do you cut through the noise around potential changes and decide – even from a big picture perspective – where to focus your attention? Laura Houston, a tech partner at global law firm Slaughter and May, shares some of the key themes she is currently discussing with her clients in the tech and data space.
“Data continues to be a hot topic for many clients, both in terms of data privacy – where the UK Government is currently consulting on ways in which it can simplify some of the current, EU (GDPR)-derived, privacy rules – and also data more generally,” Laura explains “Here I’m thinking, for example, of some of the developments around data trusts and data stewardship envisaged in the UK’s data strategy.”
The current plans to change the UK’s data privacy laws are interesting for a number of reasons. They signal the UK Government’s intention to reduce red tape where possible and embrace a more innovation-friendly regulatory approach – a sentiment that has unsurprisingly been welcomed by the tech sector.
However, some commentators have noted that not all of the proposed changes will result in a simpler regime, and divergence may create additional work for organisations with both UK and EU operations. While this will impact established businesses and new(er) entrants alike, the latter are less likely to have the same funds and resources to manage it. Too much change could, in theory, also impact the UK’s data adequacy arrangements with the EU: the agreement which allows data flows across the channel. Other options do exist when it comes to international data transfers (for example, signing standard contractual clauses) but they add, rather than remove, compliance hurdles which new and scaling ventures in particular will want to avoid. Many rely on data flowing seamlessly into mainland Europe and will want the current, frictionless, regime to continue.
Digital regulation is about more than just data privacy, Laura is keen to stress. “The CMA, FCA and other regulators are concerned about a whole range of tech issues – from algorithmic bias to tech’s impact on operational resilience,” she says.
Regulatory cooperation is more important than ever in areas where regulators have overlapping and/or competing goals to ensure businesses receive consistent messaging from the bodies which regulate them, and that any enforcement action is coordinated. The Digital Regulatory Co-operation Forum (‘DRCF’) has been set up to help manage this. It is a new alliance between the UK’s data, competition, financial and communication regulators to ensure greater cooperation on online regulatory matters.
But what does this all mean in practice? If you are an early-stage tech or data business, increased regulatory focus in these areas can be both a good and a bad thing. Innovation-friendly regulation can help open up markets, for example helping drive open data initiatives as we’ve seen with open banking. It can also provide certainty that helps build investment and consumer confidence, as well as providing practical tools to enable businesses to manage the challenge (for example, regulatory sandboxes where organisations can try out new ideas/business models). However, too much or inconsistent regulation and guidance is particularly difficult for scaling businesses, and runs the risk of stifling their all-important innovation. It will therefore be interesting to see how effective the DRCF is in helping to provide a clear, consistent (and, we hope, business-friendly) regulatory approach.
When asked about some of the most pressing risk issues concerning her clients, Laura cites cyber as being high on the agenda for many boards. Cyber is never far from the headlines (now more than ever), as organisations of all sizes battle an evolving threat that is impacted by technological, geopolitical and legal developments.
Laura notes that clients are increasingly concerned about ransomware and supply chain attacks and that, given developments in the pipeline, tech startups with ambitions of supplying into larger organisations (particularly those offering services into critical infrastructure clients and certain digital and managed service providers) should expect to see an increased focus from customers on their security measures. Schemes such as the newly updated Cyber Essentials certification scheme can help companies demonstrate their ‘cyber preparedness’ to potential customers.
It has always been important to protect the ideas and brand identity which gives a business their USP – whether through “true” intellectual property protection (patents, trade marks, copyright etc.) or signing non-disclosure agreements before discussing ideas. Ensuring employee and agency contracts clearly transfer ownership of any relevant intellectual property to the business also remains as important as ever, and something that investors will be alive to.
However, certain new technologies are testing whether our IP laws remain fit for purpose in the digital age. There have been a number of legal cases, for example, looking at whether an AI machine can be considered an inventor for patent purposes – the answer has broadly been ‘no’. As part of its new AI strategy, the UK government is, therefore, consulting on how the copyright and patent system should deal with AI. Given that IP is a (if not “the”) key asset for many tech businesses, and in light of the growing relevance of AI, developments in this space could impact business models, investment processes and valuations of tech-heavy businesses.
Finally, organisations adopting new tech sometimes struggle with how to fit new risks the tech may create into existing governance models.
“The message here is two-fold,” Laura observes “Firstly, ensure that good governance models and procurement processes are not ignored simply because new technology is involved – many of the same issues and risks are relevant and can be applied and adapted to the new tech involved.
“Secondly, understand where the risks do need to be managed differently. Black box AI, for example, creates some unique risks that concern regulators. Any organisation wanting to successfully develop or adopt this kind of technology, or sell it into other organisations, needs to understand what exactly the tech does and how its systems and processes can address any concerns raised.”
In other words – don’t ditch the tried-and-tested governance processes just because the tech is new, but be curious about its specific risks and challenges and be willing to adjust your model accordingly.
Laura Houston is a Partner and Natalie Donovan is PSL Counsel in Slaughter and May’s Emerging Tech team. Slaughter and May has a long track record of working with pioneering technology companies, including the latest wave of emerging success stories in the UK tech scene. As well as offering M&A and IPO support as clients look to their future growth strategies, we advise on the critical interplay between the laws and regulatory frameworks affecting specific sectors, such as financial services and healthcare, new technologies and processes, the use of data, privacy, IP, and competition. UK tech companies tend to push boundaries and Slaughter and May is the ideal legal adviser to help navigate the regulatory landscape to deliver innovation. Click here for more information on its Emerging Tech practice and here for digital content on the Lens Blog
