“Regulation is back” for IT and technology services – But why? And how?

27.08.2020

It is a common refrain that “regulation is back”. While many will dispute that it ever went away, it does seem true that the nature and level of industry-specific regulation has ebbed and flowed over time. In the modern era, we can chart the laissez-faire, “big bang” approach of the 1980s, through the global financial crash circa 2008, to the supposed “tech-lash” of today. In the here and now, the intersection between information technology, core business practices and regulatory compliance has probably never been more pronounced.

We think it is fair to say that “regulation is back” for IT and technology services, especially when viewed through two prisms.

Firstly – through direct intervention by national and international regulatory authorities.

In recent years, new legislation and regulation has directly imposed significant new and increased burdens and risks on businesses.

From a data protection and information security perspective, the GDPR and the Network & Information Systems Directive in Europe (and the California Consumer Privacy Act in the US) have radically altered the regulatory landscape and risk profile for the increasing number of organisations controlling and processing personal data and other important information.

In financial services, existing regulatory frameworks have been augmented by bodies such as the European Banking Authority (in its recent outsourcing guidelines) and the UK Prudential Regulatory Authority (in its recent consultation) which emphasise the risk of outsourcing core operations and working with third parties.

In the healthcare and life sciences sectors, we are seeing significant digital transformation, including: the enthusiastic deployment of AI to develop new medicines and diagnostics; increasing access (at lower cost) to genomic data; the explosive expansion of telemedicine and health-related apps; and miraculous results achieved with cell therapies. Such technological and clinical changes drive convergence between genomics, medical devices, diagnostics and innovative therapies, leading to genuinely personalised medicine. These developments coincide with the most significant change in the European medical devices sector in three decades: the replacement of the existing Directives with a new, more demanding, Medical Devices Regulation (our Regulatory team writes regularly about this topic on our life sciences microsite ‘On The Pulse’[1]). The new Regulation effectively up-classifies virtually all Software Medical Device products. The profound nature of many of these changes will have long-lasting effects on the sector.

These trends are set against the backdrop of the “techlash” (as the reputation of “big tech” has taken a hit following recent data and tax scandals) and a fraught geopolitical landscape of closing borders, increasing tariffs and protectionism (which may be accelerated by COVID-19). Meanwhile, some regulators (e.g. the ICO) have gained sharper “teeth” and have expressed an increased appetite to use them, particularly against the most egregious breaches.

Collectively, the impact of regulation on businesses across sectors has been, and continues to be, significant. The increased compliance burden has required the evolution of tried-and-tested approaches, systems and processes; direct and indirect costs and risks have increased; and in some spaces a backlash has sprung up against perceived “red tape” (e.g. Brexit).

Secondly – through new ways in which technology and IT services are being developed, applied and used.

The relationship between technology and traditional business operations is changing. Whereas IT was once the preserve of “back-office” functions, it is now being directly applied to the daily development and provision of everyday products and services. This is bringing the creators and users of that technology within the remit of sector-specific regulation that they often have not accounted for, let alone implemented into the design and sales processes.

In the healthcare sector, new entrants, using software, data and systems to provide health services, can quickly find themselves (often inadvertently) subject to medical device regulation if their products and services are used in diagnosis or treatment. It is far better to address medical device regulatory requirements while products are in development rather than having to pull a product after launch, after realising that the product is actually an unauthorised medical device, and admitting that one has engaged in criminal conduct. While this is a relatively rare scenario, we are regularly asked to help developers “reverse engineer” regulatory compliance. Even if it is possible to “put the toothpaste back in the tube”, this is always much more time-consuming and expensive than addressing regulatory requirements during development. In some instances, we have seen commercial launch delayed by two years as a result of a regulatory blind spot.

In other sectors, organisations are changing by embracing technology in new ways.

If a bank wishes to transform itself, it implements new technology platforms into its core. The proximity and importance of the technology to the core banking operation puts the technology firmly within the scope of onerous financial services regulation. The supplier might find that its contract requires it to design its solution to comply with such regulation. Given the ‘one-to-many’ business models of many platform, cloud and SaaS providers, it is unclear whether they can so comply, or what cost and effort they would need to incur in order to comply.

In the public sector, new procurement frameworks have sprung up to leverage new technologies, including Dynamic Purchasing Systems such as Spark, which are designed to enable public authorities to purchase emerging technology products, including IoT, AI and automation, more quickly and easily than ever before. This is a welcome example of existing regulation being stretched to enable innovation and fits squarely with the government’s desire to make use of cutting-edge private sector tools and technologies.

Meanwhile, in the life sciences sector, the major pharmaceutical companies now have digital arms focused on how they can make better use of technology and data. A key plank of their approach involves exploring opportunities to collaborate with suppliers to speed up their digital journey. Examples of partnerships with large IT and technology companies abound, whether to deploy AI in the drug discovery process, obtain more meaningful data on patients’ use of devices and medicines, or, at a more basic level, to make better use of established cloud services.

These trends have clear implications for IT and technology suppliers.

As the examples above bear out, new and changing technology use cases across industries have direct and indirect (and often unexpected) regulatory impacts. For example, we regularly advise technology providers that find that their provision of healthcare systems or services is regulated as a medical device, and suppliers tasked with gaining insights from corporate customer datasets that find themselves acting as data controllers or potentially in breach of the GDPR.

A further risk for suppliers is the sector context. Getting regulatory compliance “wrong” not only results in the risk of regulatory fines. In sectors like healthcare and life sciences, it can also mean product liability or product recalls, while data or security issues can cause a drug or medical device to be considered unsafe or uncertified. This can clearly have huge financial and reputational impacts on customers, and consequently the underlying suppliers.

Corporate customers are becoming more attuned to the myriad touchpoints and interfaces between technology use cases and their core business operations. However, they often lack the experience or expertise to identify and assess the risks, creating an appetite to shift risk to those they perceive as better able to accept it: the supplier community. In turn, suppliers’ own awareness of the regulatory risk of their products and services, and how they are deployed by their customers, is increasing. We see clear opportunities for suppliers that are willing to understand their customers’ regulatory environments and have the ability to offer solutions that enable the uptake of services while protecting their own contractual risk positions.

For supplier-side lawyers advising on these issues, the “compliance with law” clause gains even more importance than usual. While the new reality may mean they need to have a working understanding of the regulatory issues that apply to the supplier’s services, this does not mean the supplier needs to accept more legal risk or operational burden; more knowledge and awareness can simply enable a better, more productive discussion with customers, and even help negotiate them away from onerous starting positions.

Lawyers armed with sector-specific awareness can also help guide internal business and solution teams on the design and deployment of new products and services. For example, up-front knowledge of how medical device law interfaces with “healthtech” systems can help avoid inadvertent, onerous regulatory impacts. Similarly, early and proper legal input on the branding and marketing of a new “regtech” SaaS product can ensure customers do not get the impression that it comes with a “compliance guarantee” (and can avoid difficult discussions about contractual regulatory responsibility).

The regulatory environment in the broader IT and technology sector is increasingly complex. It is affecting the various players in the ecosystem in different ways. However, those with the knowledge and awareness to guide their internal clients and corporate customers may find it easier to navigate this landscape than most.

[1] See here, here and here.