Tech projects – managing the principal risks to maximise opportunities

The pace of development in the tech sector is ever accelerating. Generative AI and large language models (LLMs) have become ubiquitous in our vernacular; cloud computing and SaaS solutions have increased in prevalence with the share of enterprises within the EU buying cloud computing in 2023 having increased by 4.2% since 2021¹; connectivity is an increased focus point with the UK government setting a new headline ambition for the UK to have nationwide coverage of standalone 5G to all populated areas by 2030; and significant investment and advancements made in quantum computing are highlighted by the UKRI Technology Missions Fund and the UK’s National Quantum Computing Centre investing GBP30 million into projects that will deliver quantum computing testbeds, based on diverse hardware architectures, by March 2025.

With the scale and speed of recent tech developments, it is increasingly likely that businesses will undertake experimental and/or large-scale technology implementation programmes. With that in mind, it is worth revisiting the principal risks businesses need to manage to maximise the incredible opportunities made available by large scale tech projects.

 

Considerations to bear in mind when implementing tech projects

Making sure the contract reflects the desired outcomes

To deliver the opportunities from transformative projects, businesses should utilise technical teams early on to ensure that a project can produce its desired goal and go live in the desired form. A large part of this preparation is developing a clear set of requirements, budgeting effectively and using technical expertise to plan for and resource the manpower required to achieve a realistic timetable that is embedded into the contractual framework.

The legal framework should clearly communicate the scope of what should be delivered, and how, and payment milestones should be used to ensure timetable objectives are met. Contractual protections should also tackle delay, such as delay payments, a robust liability regime, governance and clear dispute resolution mechanisms requiring engagement between senior personnel.

Intellectual Property and Data Ownership

General

In any large-scale tech project, clarity as to the use of each party’s intellectual property and any requirements for third party intellectual property licenses is incredibly important. Whether it relates to newly developed, background or third-party intellectual property, detailing the rights that attach to each category of property, the identity of rights holders and providing a mechanism to resolve disagreements in relation to intellectual property provides parties with protection from uncertainty and debate. Clearly if a customer does not obtain, contractually, the necessary rights, it will undermine the entire purpose of the project. The use of open-source software licenses should be reviewed and considered in the context of the tech project to enable risks to be assessed and, to the extent necessary, mitigated.

When using AI

The increasing use of AI within a solution or as the solution itself presents a new positive on traditional issues, as well as a new framework of risk and, potentially, legal requirements. Understanding how models are trained, the “traceability” of decisions, the possibility of bias and the IP position will be key, and will need to be carefully articulated in the agreement via new and different provisions.

For particular use cases, the right level of governance and understanding of emerging legal frameworks (such as the EU AI Act) will be important internal considerations but these will also need to flow into any contract with a supplier to ensure the risks are adequately managed.

Data Privacy

The value of data, much of which will be categorised as personal data, increases as the tools and software that can manipulate and interrogate this gain greater sophistication. It is crucial to understand not just what one is permitted to do with data (in line with data protection legislation) but what the inherent value of that use could be, especially if granting rights to a third party to exploit it. Focussing on derivatives for example is increasingly important. Businesses need to be transparent about their data usage and their methods of collection and storage. The usage of personal data should be considered at all stages in the lifecycle of a tech project.

Businesses should ensure that:

1. Data Input: Any data input into software or used to train models complies with Data Protection Legislation and the UK GDPR regulations around usage authorisations.
2. Data Privacy Responsibility: The parties set out in contractual agreements the allocation of data privacy responsibilities, the scope of such responsibilities and mechanisms for enforcement if a party fails to comply with its obligations.
3. Security: Any hardware and software used within a tech project is sufficiently robust and secure to withstand attempts to compromise the system.
4. Data Output: The parties should clearly state what the output of any tech system can be used for, to prevent unlawful dispersal or usage that would lead to infringement of legislation and/or individuals’ rights.

Governance

The importance of effective governance structures in any large-scale tech transformation project is highlighted by the prominence it is given in the context of AI adoption.

Governance has been ranked as a critical AI challenge by 99% of DLA’s 2023 AI Report respondents yet at the same time 50% of respondents working in the technology sector do not believe that governance should hold back AI progress. This is unsurprising and reflects a longstanding desire for businesses when handling new technological advances. It can be hard for businesses to define good governance in a developing and uncertain field. There is an increasing importance in implementing governance policies and infrastructure when effecting new tech deals.

The EU AI Act, the UK government and regulatory approach plus the requirements in all other countries demonstrate how complex this issue can be for AI solutions.

The importance of governance is not limited to AI adoption. In its recent working paper, A Shared Vision for Digital Technology and Governance², the United Nations Development Programme reiterated the importance of governance in contributing to inclusive, safe and equitable outcomes of digitalisation and digital transformation. The need for governance is heightened in large-scale tech transformations within risk adverse sectors, such as healthcare and education, where public safety and risk mitigation are core aspects. This is just one example of where comprehensive governance procedure is key.

Further, the scope of businesses caught by regulation of the tech industry appears to be increasing. It has been proposed, pursuant to, for example, DORA and the Financial Services and Markets Act 2023, that critical third-party technology providers will be brought under financial regulation and be required to follow a range of rules on governance, operational resilience, and regulatory engagement. Increasingly, liability stemming from regulatory requirements is at the forefront of the minds of businesses and with it the need to ensure governance infrastructure is present and robust.

 

Conclusion

Every company is now – to a greater or lesser extent – a technology company; harnessing technology and transformative projects. The contract can and should be an important tool to enable the parties to understand the project, scope it, establish the guardrails and establish a service that can be used in the longer term.

---

¹Cloud computing - statistics on the use by enterprises
²A Shared Vision for Digital Technology and Governance: The role of governance in ensuring digital technologies contribute to development and mitigate risk