I recently interviewed Laura Houston, a partner in our tech group, about the key themes she is currently discussing with clients in the tech and data space. The interview was for Tech Nation, the UK Government funded growth platform we are currently partnering with that supports emerging tech companies in the UK as they scale-up. While it was aimed at early stage ventures, Laura discussed a range of topics which are relevant to companies at all stages of maturity, from a changing regulatory landscape to increased cyber risks and issues new technologies raise around IP protection.
A changing regulatory landscape
The interview opened with Laura highlighting how change is afoot for organisations of any size in the tech sector (despite the media’s focus on regulating ‘big tech’), as law makers around the globe grapple with how to regulate an increasingly digitised world. From updated rules to shore up cyber defences to AI specific regulation at the EU (and possibly UK) level, new laws are on the horizon. “Understanding your legal risks, particularly where these are changing, can help you structure your business in a way that attracts investment and avoids you having to retrofit compliance at a later date with the additional cost, time and risk that this entails.”
Changing data regulation
“Data continues to be a hot topic for many clients, both in terms of data privacy – where the UK Government is currently consulting on ways in which it can simplify some of the current, EU (GDPR)-derived, privacy rules – and also data more generally,” Laura explained. “Here I’m thinking, for example, of some of the developments around data trusts and data stewardship envisaged in the UK’s data strategy.”
The current plans to change the UK’s data privacy laws are interesting for a number of reasons. They signal the UK Government’s intention to reduce red tape where possible and embrace a more innovation-friendly regulatory approach – a sentiment that has unsurprisingly been welcomed by the tech sector.
However, some commentators have noted that not all of the proposed changes will result in a simpler regime, and divergence may create additional work for organisations with both UK and EU operations. Too much change could, in theory, also impact the UK’s data adequacy arrangements with the EU: the agreement which allows data flows across the channel. Other options do exist when it comes to international data transfers (for example, signing standard contractual clauses) but they add, rather than remove, compliance hurdles which new and scaling ventures in particular will want to avoid. Many rely on data flowing seamlessly into mainland Europe and will want the current, frictionless, regime to continue.
Digital regulation beyond data
Laura was keen to stress that digital regulation is about more than just data privacy. “The CMA, FCA and other regulators are concerned about a whole range of tech issues – from algorithmic bias to tech’s impact on operational resilience,” she says.
Regulatory cooperation is more important than ever in areas where regulators have overlapping and/or competing goals to ensure businesses receive consistent messaging from the bodies which regulate them, and that any enforcement action is coordinated. The Digital Regulatory Co-operation Forum (‘DRCF’) has been set up to help manage this. It is a new alliance between the UK’s data, competition, financial and communication regulators to ensure greater cooperation on online regulatory matters.
But what does this all mean in practice? If you are a tech or data business, increased regulatory focus in these areas can be both a good and a bad thing. Innovation-friendly regulation can help open up markets, for example helping drive open data initiatives as we’ve seen with open banking. It can also provide certainty that helps build investment and consumer confidence, as well as providing practical tools to enable businesses to manage the challenge (for example, regulatory sandboxes where organisations can try out new ideas/business models). However, too much or inconsistent regulation and guidance is particularly difficult for scaling businesses, and runs the risk of stifling their all-important innovation. It will therefore be interesting to see how effective the DRCF is in helping to provide a clear, consistent (and, we hope, business-friendly) regulatory approach.
An evolving cyber risk
When asked about some of the most pressing risk issues concerning her clients, Laura cited cyber as being high on the agenda for many boards. Cyber is never far from the headlines (now more than ever), as organisations of all sizes battle an evolving threat that is impacted by technological, geopolitical and legal developments.
Laura noted that clients are increasingly concerned about ransomware and supply chain attacks and that, given developments in the pipeline, those supplying into larger organisations (particularly those offering services into critical infrastructure clients and certain digital and managed service providers) should expect to see an increased focus from customers on their security measures. Schemes such as the newly updated Cyber Essentials certification scheme can help companies demonstrate their ‘cyber preparedness’ to potential customers.
Protecting your ideas
It has always been important to protect the ideas and brand identity which gives a business their USP – whether through “true” intellectual property protection (patents, trade marks, copyright etc.) or signing non-disclosure agreements before discussing ideas. Ensuring employee and agency contracts clearly transfer ownership of any relevant intellectual property to the business also remains as important as ever, and something that investors will be alive to.
However, certain new technologies are testing whether our IP laws remain fit for purpose in the digital age. There have been a number of legal cases, for example, looking at whether an AI machine can be considered an inventor for patent purposes – the answer has broadly been ‘no’. As part of its new AI strategy, the UK government is, therefore, consulting on how the copyright and patent system should deal with AI. Given that IP is a (if not “the”) key asset for many tech businesses, and in light of the growing relevance of AI, developments in this space could impact business models, investment processes and valuations of tech-heavy businesses.
New tech, new risks?
Finally, organisations adopting new tech sometimes struggle with how to fit new risks the tech may create into existing governance models.
“The message here is two-fold,” Laura observed. “Firstly, ensure that good governance models and procurement processes are not ignored simply because new technology is involved – many of the same issues and risks are relevant and can be applied and adapted to the new tech involved. Secondly, understand where the risks do need to be managed differently. Black box AI, for example, creates some unique risks that concern regulators. Any organisation wanting to successfully develop or adopt this kind of technology, or sell it into other organisations, needs to understand what exactly the tech does and how its systems and processes can address any concerns raised.”
In other words – don’t ditch the tried-and-tested governance processes just because the tech is new, but be curious about its specific risks and challenges and be willing to adjust your model accordingly.
Slaughter and May’s work with Tech Nation: We are currently partnering with Tech Nation, and specifically supporting the Future Fifty cohort, Tech Nations’ flagship programme aimed at the most promising late-stage UK technology companies such as Future Fifty alumni Revolut, Deliveroo and Checkout.com. As an advisory panel member, we have been regularly sharing insights (such as this blog) and professional expertise with the Future Fifty cohort, workshops, one-to-one mentoring, networking opportunities and technical training - giving us to chance to put our experience of advising all types of companies over the different stages of their development, and across the spectrum of their activities, into practice.