REFLECTIONS, Oct. 18th – 22nd, 2021

A WEEKLY ROUNDUP OF LEGAL & TECH EVENTS GLOBALLY | Oct. 18th – Oct 22nd, 2021

THIS IS REFLECTIONS, our weekly roundup of events in the legal and technology sector, covering various topics and interesting learning points for today’s professional. If you couldn’t make an event, don’t worry, we probably made it and have all the juicy scoop for your reading pleasure and learning.

Do you have an upcoming event you would like us to know about or attend? OR do you know of one you would like to read about? Send an email to us HERE

BEST PRACTICES FOR OUTSOURCING CONTRACTS – GUIDANCE FOR PROJECT MANAGERS.

During this event, the Speaker, Dr Sam De Silva, a partner at Technology and Outsourcing CMS Cameron Mckenna NabaroOswang LLP discussed Best Practices to adopt while outsourcing Contracts.

In his words, a typical definition of Outsourcing is ‘’ the process of transferring the responsibility for a specific business function from an employee group to a non- employee group which may or may not include the transfer of assets such as personnel’

In terms of a framework for a typical Outsourcing Contract, it is important to outline 

• Roles and Responsibilities
• Route from transition through ‘steady state’ to disengagement
• Risks and Rewards
• Expectation levels
• Mechanics for ‘policing’ relationships

The speaker also discussed about Post contract verification and Due Diligence.

Due Diligence refers to organizations practicing prudence by carefully assessing associated costs and risks prior to completing transactions. Legal due diligence helps determine whether the target company is legally subservient or embroiled in issues

Generally, the legal terms in a contract or other purchase agreements express specifics of the transaction. These may include the length of the investigation period, items to be examined, and the expiration date.

He also stated the need to outline the scope of services or service requirements which are the Functions included, Functions excluded, Dependent services, Assumptions, Input based or Output based which needs to be documented otherwise it becomes a grey area.

Also, the speaker highlighted the Limitations and Exclusions of Liability.

He raised the following questions?

a. What categories of loss can be recovered?

b. How much of it can be recovered?

 He went on to state the ‘best practices’ liability clause:

1. Losses which can’t be excluded by law

2. General Financial Cap

3. Liability phases

4. Different financial caps for different categories of loss e.g damage to property, breaches of confidentiality, intellectual property rights (IPR), indemnities etc.

5. Liability for data breaches and regulatory fines

6. Customer’s liability to service provider

Where a service provider delays performance, liquid remedies can be sort after whereby a certain amount is paid for compensation. The general rule about liquidated damages is that there needs to be a pre estimate of the loss because if there isn’t one, there may be held to be a penalty and therefore unenforceable. Therefore, when doing liquidated damages calculations, one needs to make sure that the estimate put in the contract is an estimated value of the loss. The court will need proof to demonstrate that the parties have accessed the losses likely to occur otherwise it will be unenforceable

In attendance were David Reynolds, the Host, Dr Sam De Silva and members of the BCS Community.

TOPIC: BEST PRACTICES FOR OUTSOURCING CONTRACTS- GUIDANCE FOR PROJECT MANAGERS.

DATE: 20TH OCTOBER, 2021

DURATION: 6:00PM – 8:00PM

SUMMARY

Outsourcing is a business practice in which a third-party is hired as a provider to perform tasks, create products or provide services that would have been otherwise performed, created or provided by its in-house employees.

It is essential to build a relationship of partnership with your outsourcing service provider for the growth of both the parties. Such a relationship can be built by having a clear understanding of the project, respecting each other’s commitments and capabilities, ensuring transparency in work, sticking to the contractual terms, remaining updated on the project’s progress, and acknowledging successful completion of the project’s milestones.

Outsourced projects are susceptible to conflicts since people are unaccustomed to working together and have different values and perspectives. Successful firms invest significant time and energy up front in establishing the “rules of engagement” so that disagreements are handled constructively.

Whatever the type of outsourcing, the relationship will succeed only if both the vendor and the client achieve expected benefits.

GETTING TO GRIPS WITH DATA PROTECTION LAW POST – BREXIT

The first speaker was Sarah Liddiard, she spoke on International Transfers of data, the speaker noted that it involves:

• Adequacy Decision-after assessment by Secretary of State for

• DCMS; or Controller and Processor have put in place appropriate safeguards; or

• enforceable data subject rights and effective legal remedies for

• data subjects are available.

• International Transfers – Appropriate Safeguards

She noted that the most common methods for use by companies are:

1). Binding Corporate Rules.

2). Standard data protection clauses in the form of template transfer clauses adopted by the Information Commissioner and Consent, she however noted that consent might not be the most appropriate method.

On ICO Consultation, she noted that the ICO has Included consultation on International Transfer Agreements (ITAs) from UK to third countries and draft guidance on ITAS.

She noted that proposal on an Addendum to the new EU standard contractual clauses which apply from 4 June 2021 to assist organisations to which both GDPR and UK GDPR apply.

On international transfers and appropriate Safeguards, she noted that until the new ITA is adopted, there will be review of any contract in place with third countries, the “old” European standard contractual clauses may be amended to demonstrate that there is contractual protection in place.

She also noted that If you are a UK data processor transferring data, you have to adapt the standard contractual clauses acting as agent for the controller.

She described Subject Access Requests (SARS) as the right of a data subject to demand and have their information on time. She noted that under the UK GDPR a data subject may make a subject access request for their personal data Personal data or any information relating to an identified or identifiable living individual.

On Policies and Procedures to review and update, she noted that,

• You have to check your international data transfer documentation.

•If you are a data processor of an EEA Data Controller, the controller will require you to enter into new clauses as the “old” standard contractual clauses expire 27th December 2022.

       • Appoint an EU representative if necessary and provide an Annual audit.

On the UK approach to Data Protection and what to expect next, she noted that DCMS consulted on a number of proposed changes including:

1). Removing the requirement to consider whether the legitimate interests being pursued by an organization or third party when processing data are outweighed by the impact on the fundamental rights and freedoms of individuals.

2). Revising the approach to ensuring organizations are accountable and can demonstrate accountability.

3). Removing or amending the requirement to appoint a Data Protection Officer.

She noted that the ICO has Responded by showing “Strong concerns” over some of the Proposals and that the ICO is to engage closely with the Government.

The second speaker started by sharing top Tips on Subject Access Requests (SARS), she noted that under the UK GDPR a data subject may make a subject access request for their personal data Personal data? any information relating to an identified identifiable living individual.

She noted that many factors have to be considered such as, is personal data being processed about the person making the request? The Purposes of the processing, Categories of personal data, Recipients or categories to whom data disclosed, Period which personal data will be retained, Information on the source of the data, Whether automated decision-making (profiling) has been used, Complaints and d disputes: the right to complain to the ICO, request rectification or erasure of personal data, object to processing or to restrict that processing, and  Where personal date is transferred to a third country international organization.

She noted that before you get a SAR, there should be a plan/protocol, you have to understand how different data is held differently in each part of the business, reduce the data you have and train your staff.

She also noted that after you get a SAR, you should send a secured response either hard copy/ digital, audit trail / records – show your, review protocols and systems.