What does Digital Transformation mean in terms of legal needs and how can the legal advisor navigate the challenges presented in the lifecycle of a business? Mina Zoulovits, Partner, explains.
Digital transformation of a business, very briefly, means the transformation of a typical process that was performed in the physical environment or with physical tools into a digital process that is now performed in the intangible digital environment and with IT (Information Technology) tools or with a combination of physical and digital environment/tools.
IT tools vary and may differ substantially from case to case, e.g. SaaS (Software-as-a-Service) or PaaS (Platform-as-a-Service) services, installation of new IT system(s) in the enterprise, cloud services, AI (Artificial Intelligence) systems, IoT (Internet of Things), blockchain, etc.
These processes can involve any of the functions of a business. Some of them include:
- The process by which orders are placed by suppliers (e.g. instead of handwritten contracts being signed, they are replaced by electronic signatures or even by submitting orders through platforms with acceptance of terms – “tick the box”)
- The sale of products or services (e.g. when one or more e-shops are added to the physical channels or when sales are also made via a third party platform, via app or even by phone, etc.)
- The recruitment of employees (e.g. by managing CVs through online platforms, conducting simple or psychometric tests by electronic means or even using AI systems to select the right staff or to evaluate them subsequently during the provision of the service, etc.)
- The collection, storage and safekeeping of data (corporate information or personal data of customers or employees) on digital media (e.g. on servers within the company, on third party servers, in the cloud – private or public etc.)
- Digitisation of warehouse systems (ERP – Enterprise Resource Planning) or customer relationship management (CRM – Customer Relationship Management)
- The use of digital media to promote the products and services sold by the business (e.g. advertising on social media and/or using adtech providers, the use of AI systems for data processing and statistical analysis and monitoring of customer behaviour, partnerships with third-party companies or platforms through affiliate marketing, etc.)
Any conversion of a business process into a “digital” operation, based on the technological solution selected each time, certainly implies changes or new conditions in legal management, since the legal framework in which the new digital operation will henceforth be integrated, as well as the corresponding legal risk it assumes, are very different.
These legal challenges that the legal advisor of a company is called upon to manage today could be briefly divided into three main “pillars”:
- strategic preparation for the transition of the business to a digital process
- implementation of the necessary legal documents/policies to accompany/armour the process; and
- crisis management/dispute resolution
In particular:
1) Strategic preparation for the transition of the business to a digital process:
When planning the new digital process, in whichever part of the business it is implemented, the legal issues that may arise should be considered with the objective of:
- rendering the business aware of the issues
- being able to assess related risk
- setting the appropriate specifications for the IT tools to be purchased; and
- being informed of available options
It is obvious that the analysis of legal risks is important as early as at the strategic preparation stage, as it is very closely related to the very objectives / KPIs (Key Performance Indicators) set for the process. Depending on the legal risk that the company wishes to take on, it will also have to take into account certain technical or legal constraints, as well as any additional guarantees that it may wish to obtain in relation to the tool/process in question.
EXAMPLES:
The technical and legal constraints as well as the safeguards that accompany an IT tool to support digital transformation, also have an economic impact on the transition to the digital environment. Some examples:
- Time restrictions on the storage of personal data imposed by the GDPR (General Data Protection Regulation) affect the “storage space” necessary to keep this data (e.g. shorter or longer storage periods that are mandatory by law reduce or increase the need for more storage space accordingly. Thus the specifications for the IT tool that the company must purchase should be in line with the above requirement).
- The ability of a company to carry out electronic sales may be subject to restrictions, which should be subject to legal analysis as early as during the stage of strategic planning. For example, where a company is a distributor / member of a distribution network, the supplier of the network may have imposed a restriction on its online sales (e.g. allowing sales only through its own electronic platform). Conversely, a manufacturer that maintains a network of resellers and wishes to sell (also) its products directly itself, without the intermediation of its resellers, may be restricted in doing so by its commercial agreements with its existing resellers – e.g. it may not have the right to sell in certain countries because it has granted certain resellers exclusivity to sell products in those countries – which will be infringed if it also sells its products in those countries. It will therefore also be necessary to plan legally how these legal restrictions can be dealt with or how any other legal issues such as unfair or free competition can be resolved.
- Selecting the appropriate type/tool of electronic signature depends on its evidentiary value, i.e. the legal adequacy of the tool in terms of its ability to prove that a contract has been signed or that an invoice has been issued and is duly accepted, so as to enable the legal pursuit of the company’s claims against third parties (counterparties, debtors, etc.). In other words, it is necessary to identify which electronic signature best matches the nature of the contract signed in each case (e.g. employment contract, contract for the purchase of goods from suppliers, contract for the sale of goods to customers, etc.). Is one digital tool sufficient to cover all the above cases or are more options/capabilities required?
Depending on the process that is being “digitised”, legal parameters, available warranties and the risks that business owners are willing to take, must be taken into account and weighed ad hoc, in order to achieve the best possible, safest and most cost-efficient “design” of the process, while at the same time, enabling the business to select the appropriate technological solution / IT tool that can best meet the business needs. The choice of tools that do not correspond to specific legal parameters governing a business operation or the choice of a new technical solution that is not compatible with the technical requirements/procedures of the existing system is very likely to lead to unnecessary costs, as the business will sooner or later be forced to abandon them. This implies both additional costs in the implementation of digital transformation initiatives and long delays in achieving business objectives.
2) Implementation of the necessary legal documents/policies that will accompany the process
Once the company has weighed the above and taken its informed decisions, the legal advisor is asked to implement them with the necessary legal documents and legality procedures that may be required, for example:
EXAMPLES:
- Draft, negotiate and put in place for signature the necessary contracts that will include the necessary contractual clauses to ensure the implementation of the digital process as ultimately designed (e.g., adding terms to employment contracts for telecommuting and the use of telecommunication facilities provided by the company, reviewing franchise/distribution/resale contracts that specify the terms under which online sales can/may be made)
- draft the use and data protection policies of new systems installed to be posted on the company’s electronic media (internally or towards third parties – e.g. drafting the terms of the company’s website that present general information for information purposes about the company and/or updates to its investors/shareholders, drafting the terms of distance selling of its products or services, drafting the terms of its loyalty programs or participation of customers in competitions and other benefits, drafting the terms of use of a platform for its employees etc)
- draft or participate in the drafting of incident management policies and/or implementing procedures required by law, such as providing notifications, obtaining authorisations from competent bodies, taking measures and creating internal procedures for investigating customer/consumer complaints or managing requests from personal data subjects, preparing to deal with cybersecurity incidents, etc.
Therefore, the legal advisor must now be aware not only of the regulatory and legal requirements governing the operation of the business due to the scope of its activity, but also of the legal requirements due to its activity in the digital environment (whether the business has an online presence, makes use of digital tools/services or sells digital products/services).
3) Crisis management / dispute resolution
The digital environment presents many potential risks, both to the business itself and to the third parties that trust its products and services or otherwise do business with it.
EXAMPLES:
- The most significant risk of all is that affecting so-called “cybersecurity”. This term essentially sums up the security of a system from any harmful act or omission that may affect the smooth functioning of the “digital” process as designed. The occurrence of such a risk also requires crisis management or even the resolution of a ‘dispute’, either with a third party making a claim or with a competent authority that may allocate responsibility and fine the company.
- At the same time, there are many other possible situations where a legal issue/crisis must be managed, such as a personal data security incident or a consumer complaint in the context of online shopping or a complaint about the use of content infringing the intellectual property of a third party, etc.
The new legislative developments in Europe and Greece also provide, in any case, for the adoption of internal control mechanisms by businesses, depending on the nature of their activities and the category in which they operate, such as the designation of a DPO (Data Protection Officer) for personal data, the designation of an internal team and complaint management procedure and the designation of ombudsmen, as provided for by the Platform to Business (P2B, 2019/1150/EU) and Digital Services Act (DSA, 2022/2065/EU) Regulations, the designation of an internal cybersecurity team (NIS 2 – Network and Information Systems Directive 2022/2555/EU) and many others.
The above teams/persons are usually assisted by the legal advisers of the companies in crisis management, who should advise on the best way to manage the legal aspects of the crisis or to collect evidence to deal with it, and (if required) to appear before the competent authorities to defend the company and its procedures.
The management of all the above ‘pillars’ requires in many cases the existence of specialised knowledge of the specific legislation governing the digital environment, as well as an understanding of how the technological applications proposed by the company’s ‘business’ team for the digitalisation of processes operate; this makes it possible to weigh up the risk and take the necessary steps to protect the organisation.
Thus, speed, consistent with the new digital age, and security, consistent with the need to maintain low risk, are required – requirements that should be met by the legal advisors that support the business in its transformation.
The article was published in Greek by the Greek e-Commerce Association, GRECA, to which we are grateful for hosting our article. https://www.greekecommerce.gr/news/member-announcements/digital-transformation-epicheiriseon-ti-einai-kai-poios-o-rolos-toy-symvoulou/