Tuesday, 2 October 2018

Avoiding vendor lock-in with cloud solutions? Six practical tips

Yesterday I posted feedback on Marsh & McLennan's and FireEye's study that found that "companies in the European Union take three times longer than the global average to detect a cyber intrusion" and stated that this issue should also be taken into account in financial sector outsourcing, e.g., due to diminishing control arising out of cloud infrastructure.

Today I read about cloud strategies and vendor lock-in, which actually gives an interesting angle on the above topic, and therefore I decided to write about this. The issue is also topical because Gartner forecasts that worldwide public cloud revenue will grow 21.4 percent in 2018 (see here). So to the main question: is it possible to retain more control and avoid vendor lock-in with cloud solutions? Here it should be noted that the term "control" is multi-faceted, and in the financial sector this term also relates to the control exercised by financial supervisory authorities (FSAs) over their regulatory subjects. Here we do not address control from that perspective, but think generally about customer-purchased cloud services.

There are at least five main issues one should consider:
  • Due diligence, like in any case involving business-critical vendors: create a process for the selection of the cloud service provider and most importantly determine your goals;
  • Consider a multi-cloud strategy to avoid a single vendor scenario (read more here);
  • Require an exit plan and check out potential costs;
  • Pay attention to data portability and ensure that you have an easy way of extracting the data;
  • Consider container technology or configuration tools (read more here).

From the contractual perspective, we see more and more clauses of the "no vendor lock-in" type, which naturally also serve their purpose. These are slowly becoming standard in diligently drafted ICT acquisition templates (although surprisingly many Finnish companies have not yet implemented this as a standard model). It might be an issue for a prudent drafter to consider updating. However, as we all know, the most popular cloud agreements are still heavily beneficial for the cloud service providers, and in reality getting this kind of additional clause into your company's agreement may turn out to be an impossible task. One could address this issue when dealing with managed service vendors or similar cloud brokers implementing your solution.

Splendid continuation for your cloudy day in Finland! Personally I head to Rome to enjoy IBA's 2018 conference and hope to see many of you there as well!

Jan

Wednesday, 30 May 2018

Five Cases of How Successful Transactions Are Created

Many studies indicate that as many as 70-90% of M&A deals fail, and often there are human elements behind this. But given that the percentage is this high, it is interesting to evaluate the opposite: when do acquisitions actually create additional value?

Typical ways of value-creation include for example:

1. excess capacity removal from the market;
2. talent acquisition creating cost savings;
3. tech or IP acquisition creating cost savings (if compared to, e.g., in-house development expenditure; licensing is also worth considering);
4. performance improvement or exploitation of industry scalability; and
5. successful selection of early-stage high-growth companies.

In the current economic environment, where there are political risks, the global economy is suffering turbulence, and interest rates are low but valuations are high, some of the above "success types" are even more difficult to execute (depending naturally on the buyer's strategy).

Based on our experience from past deals, in particular from tech- and digitalisation-driven exercises, a different kind of legal insight and business acumen is also required so that legal contributes to this value-creation process in the optimal way!

As an example, in one of the exercises involving the outsourcing of a tech team of very high-profile experts, we involved the personnel in the deal-making process in an exceptional way, just to ensure that these persons, who are subject to divestment but are at the same time our crown jewels, are motivated and incentivised appropriately. The end result was successful, but it needed to be carefully planned to avoid unnecessary complications (as if the M&A process were not sufficiently complex on its own).

So think: how do you plan to create additional monetary gains from M&A? Should you be interested in hearing our views on how we secure this and create even more, feel free to contact us and we will be pleased to tell you more!

Regards,

Jan

Friday, 27 April 2018

Is the claim "cookies will only be dealt with in the ePrivacy Regulation" true, and what are the 5 most important points to fix?

The above claim often comes up in discussions with companies. In principle, the claim contains two separate questions: a) under what conditions a cookie (in Finnish, "eväste") is, under the General Data Protection Regulation, personal data in itself or together with other data; and b) how should cookies be approached in the GDPR era, or is there any need to? This post deals with the latter, i.e. whether guidance on cookies should be renewed already now, or whether the matter can be postponed to the future, to around 2020, when ePrivacy perhaps enters into force.

What are cookies in the first place and how do they work? As a technical introduction to the topic, here is a quotation found online:

"Cookies allow a Web site to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs.

For example, a Web site might generate a unique ID number for each visitor and store the ID number on each user's machine using a cookie file.

If you type the URL of a Web site into your browser, your browser sends a request to the Web site for the page (see How Web Servers Work for a discussion). For example, if you type the URL http://www.amazon.com into your browser, your browser will contact Amazon's server and request its home page."

Cookies originally fell within the scope of the ePrivacy Directive (Directive 2002/58/EC and its 2009 update, Directive 2009/136, the so-called "ePD"). It became national law in the EU Member States through gradual implementation, leading to national differences and, in other words, to fairly inconsistent implementation across countries. According to section 205 of the Information Society Code (tietoyhteiskuntakaari):

"The service provider may save cookies or other data concerning the use of the service in the user's terminal device, and use such data, if the user has given his or her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving or using such data. The above does not apply to any saving or use of data which is intended solely for the purpose of enabling the transmission of messages in communications networks, or which is necessary for the service provider to provide a service that the subscriber or user has specifically requested. The saving and use referred to above in this section is allowed only to the extent required by the service, and it may not limit the protection of privacy any more than is necessary."

There are several areas where the current draft ePrivacy Regulation and the GDPR are inconsistent and thereby cause complexity for site owners. Cookies are one of these. In theory, the GDPR replaces national cookie laws, but it applies only to the subset of cookies that process personal data, so other cookies remain within the scope of the ePrivacy Directive. Cookies within the scope of the GDPR could rely on a legal basis other than consent, most obviously legitimate interests. Because consent is the only legal basis under the current ePD, except for strictly necessary cookies, an interesting situation arises in which a cookie that is not personal-data-intensive, for example a cookie storing information about screen size, can be subject to stricter consent requirements than under the GDPR. A cookie of this type does not store enough information to be regarded as personal data, so the GDPR does not apply, but it is also unlikely to be "strictly necessary", as the site would need this information only for a single session. It may be good for optimisation and performance, but it is not a "necessary cookie".

How can the GDPR be expected to affect personal-data-intensive cookies in practice, and which five points should be taken into account when considering cookie policies:

1) Implied consent, i.e. "consent based on behaviour", is not sufficient
2) Where consent is relied on, there must be a right to withdraw it
3) The means of withdrawal must be as easy as giving consent
4) Renewing cookie policies so that they take into account the different types of cookies under the legislative split described above seems the best-justified option
5) "No track" settings must be respected

Now all that remains is to get on with renewing cookie policies, and at the same time a splendid May Day (Wappu) to everyone! More information on cookie policies and renewing them at this link!

Kind regards,

Jan


Tuesday, 27 March 2018

On the role of the M&A and transactional lawyer: what is most important for customers?

Having led multiple M&A transactions and IT project negotiations, and having had lengthy discussions with clients representing a variety of industries, I thought that I would share some ideas about what, in my experience, seem to be the distinctive features of a good transactional lawyer and what will be required from us lawyers in the future.

It is always a good thing to keep in mind your focus as a lawyer, and a transactional one in particular. As Coates puts it, “[we] advise, negotiate, document and process” and, if possible, we do it in advance by contractual means. The main points:
  • In practice, this means advising clients about risks, how, for example, contract law allocates risks, and then modifying the setup to allocate those risks to reflect the requirements of the case.
  • There is no such thing as a perfect contract: there are always some risks that are not seen in advance, and in some cases the best option is to leave certain risks to be handled by law.
  • Moreover, even if you foresee a risk, it might be very simple to allocate it, yet very difficult to enforce, so you need to understand both allocation and enforcement in order to give solid advice.

At its best, a contract is, however, a magnificent tool to add value for the customer and, as Gilson refines it, “what business lawyers do has value only if the transaction on which the lawyer works is more valuable as a result”. Simple and easy to agree with. This will be even more so when artificial intelligence develops, expands to new territories and starts to replace us lawyers in routine document reviews.

The future lawyer must be closer to the business and be truly a trusted advisor of the customer rather than carrying out different independent assignments from client to client. That is our focus at TRUST as well: to work more intensively with our clients and make an extra effort to understand their business, to show and create measurable value!

Splendid continuation for your spring and happy Easter!

Regards,

Jan

Monday, 11 December 2017

Negotiating Enterprise Cloud Agreements — 3 Key Points

In essence, purchasing cloud solutions is a simple process: just go to the site of your choice, place an order and pay by credit card. Businesses, however, often prefer a higher level of customisation in the solution, and another key element is that these enterprise-level agreements give the group better overall visibility into ‘cloud spend’ and capacity optimisation.

Personally, I also call for a cloud strategy in which an organisation identifies the solutions that utilise cloud technology and combines these under a single umbrella, creating a consistent approach to public cloud while creating cost efficiency. As an additional benefit, this reduces compliance risks relating to personal data. This can be achieved if, for example, all solutions or at least the maximum possible proportion of the solutions are within one clearly identified scheme as opposed to having bits and pieces of the data spread across the world in data centres run by various third parties.

What are the top three points to keep in mind when starting the negotiation on cloud services?

1. There is usually no minimum payment commitment. You can always buy as much or as little as you want. Also, even if there is a ‘risk’ in that vendors often retain the right to introduce fees or change prices, you typically have the right to terminate for convenience, so there is no real risk of a “lock-in problem” with higher fees. Also, as the largest players are in any case in a dominant market position, they treat you equally with others, which also gives you comfort.

2. Service levels are standardized and there is typically zero flexibility. This is an obvious downside but, similarly, if you wish to have a bag of concrete from your local hardware store, you always have certain limitations. You can choose a small bag or a big one but you cannot go in there saying you would like to have exactly 3,700 grams and a quarter-ounce of concrete. There are different vendors for these.

3. What, then, can be negotiated? To exaggerate just a bit, the answer is ‘everything else.’ In any case, these enterprise agreements contain several points that can be negotiated while keeping in mind the above, such as termination periods, if you are concerned about business continuity when more business-critical data is put into a cloud environment.

At TRUST we have made cloud negotiation packages under which we have standard comments for AWS, Azure and similar cloud solutions most often considered by large corporations - feel free to drop us an e-mail if you are interested.

Regards,

Jan