Hyperscalers such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud and Alibaba offer a compelling package for scalable data hosting. But migrating your business’s data to a hyperscaler is more than a mere technical exercise, since binding contractual obligations and data protection requirements provide legal constraints that must be dealt with.
Your Chief Technology Officer (CTO) may see data migration as a mainly technical exercise. They may start with people: creating a project team comprising Operations, IT/Security, Compliance, Finance, Tax etc., assigning a dedicated project manager to help keep track of milestones and dependencies, and coordinate the project. The project team will then create a plan, listing all the processes and dependencies, and then look for the appropriate collaboration, workflow and reporting technology to facilitate the project. All of these are valid, and necessary, but if the team does not involve the legal department from the start, they may face unexpected roadblocks along the way, resulting in unnecessary delays.
There are several considerations when the legal team starts planning the project. One of the first questions they will have is about how the data migration to a hyperscaler relates to the company’s legal and contractual obligations with their business partners, such as customers or suppliers. In other words: Can you just “go for it” or will a smooth and legally safe migration depend on you informing – or even obtaining prior consent from – the business partners? Two key considerations are contractual obligations and data protection.
Contractual obligations: Consider first if the contracts with business partners contain clauses relevant to the migration. These might include:
Data protection issues: Data issues often reach far beyond contractual agreements. In the EU, the General Data Protection Regulation (GDPR) is key to consider, and although GDPR provides for several legal bases which can make the transfer of the data to a hyperscaler legitimate in many cases (e.g., obtaining consent), this will require at least some relevant effort on your side. Therefore, conduct a data processing agreement (DPA) to legalise the transfer of your data within the EU. More challenges arise when hyperscalers are located outside of the EU/EEA. Even if the data transfer meets the general requirements, you must ensure that transfer to that third country outside of the EU/EEA is permitted, such as by using Standard Contractual Clauses (SCCs) adapted by the European Commission, which offers significant individual customisation options to cover the different data transfer scenarios.
Other issues: Depending on your industry sector, you may face further legal requirements such as certain minimum requirements established by European supervisory authorities the banking and insurance industry, or further restrictions on health data in the health care sector. Identifying those requirements earlier on is key.
Migration will typically require the review, and potential amendment, of contracts with business partners. Depending on your business model, the number of contracts to be reviewed can be substantial. The categories of People – Process – Technology will help structure your thinking:
People: Help the CTO and project team understand the importance of the legal considerations, and add a legal professional to the team – retain external support if necessary
Process: Define and track adequate processes and workflows. Using ‘agile’ principles such as sprints, dailies and retrospectives, can be of great help.
Technology: A pre-existing contract lifecycle management (CLM) system can be a good data source and, depending on the system’s capabilities, can even be the platform to manage the project from. Systems that allow for transparency into the individual contract clauses may help filter out the problematic cases quickly. Specialised e-discovery and data extraction tools can also help automatically identify and extract problematic contracts or clauses. Most inhouse legal departments do not have access to these AI-powered tools so if you are planning to retain external support, make sure to assess your advisor’s technology capabilities before deciding who to work with.
For a comprehensive analysis of data migration to hyperscalers, read the full article.
Author: Klaus Gresbrand