One of the more common rebuffs a privacy professional will get when raising data privacy concerns in a commercial deal is either: “no-one else has ever raised this as a material concern,” which is often followed with a request to be “commercial” because “no-one walks away from a deal because of data privacy.”  

This is especially the case when raising cloud-based solutions. 

It’s an issue we, at Eversheds, identified and wanted to learn more about. We took a deep dive into cloud deals and have come up with some benchmarking and statistical support. The report demonstrates that deals are in fact failing because of data privacy concerns, with both customers and suppliers choosing to walk away because of data-related concerns. Indeed amongst other notable statistics the top three reasons were data privacy and security related. 

Not the traditional technology contract impasse points.  

Meanwhile, the commercial appetite for cloud surges and the regulatory position gets ever more complex. So this report provides some hard evidence to help customers and providers understand the importance these issues now carry and hopefully act accordingly to achieve successful conclusions. 

Developing alongside heightening awareness and growth in stricter data privacy laws, cloud solutions are increasingly in the crucible of data privacy concerns. Whether acting for customer or supplier there can come a point when sticking your ground and pressing your case for changes to be made will bring the real-world or commercial impacts into question. We work on a lot of cloud deals for customers and suppliers so we wanted to provide some helpful insights for both into what was really happening in the sector. We were seeing first hand some of the changes in the market but wanted to test that more broadly. So Eversheds worked with The Lawyer’s research services team to carry out a global survey of 350 cloud customers, providers and advisors on cloud deals and examined emerging trends in cloud computing adoption, contract negotiation and mergers and acquisitions.  

The resultant report provides meaningful insights for those involved in buying and selling cloud solutions and the privacy professionals who advise them in the pursuit of those goals.In particular for privacy professionals in the changes in the uptake of cloud solutions, across differing services and sectors, and regions and the barriers that are being experienced from both the supplier and customer perspectives. Especially when it comes to data related issues. The survey wasn’t specifically focused on data privacy but the results reinforce the importance of this topic to the emerging cloud market.

Some of the headline results include:

  • The appetite for cloud continues to grow. Almost 80 percent surveyed expect to increase cloud spending during the next 18 months. Only one percent forecast a decrease. The survey was conducted between December 2015 and January 2016, so the issues caused by the demise of Safe Harbor don’t seem to be quelling the customer demand.
  • There remains greater hesitancy to adopt public cloud. Some 28 percent said they will never adopt public cloud, while only seven percent stated they would adopt public cloud for any/all types of data or services. The reluctance to invest in public cloud is primarily driven by concerns relating to security and personal data.  Private cloud is generally preferred. Only fourper cent of surveyed purchasers will never adopt private cloud and 40 percent are willing to adopt private cloud for any function. 
  • The degree of reticence to adopt public cloud varies by location. Some 42 percent of surveyed North American cloud providers stated their clients typically prefer public cloud. In contrast, only 23 percent of European cloud vendors said their customers prefer public cloud. Of course, the solution choice varies widely based on what is being procured and where the data is stored and processed. With the U.S. and Europe leading the way on cloud deals overall, Asia and the Middle East, are currently more cautious about adoption but nonetheless seeing growth.
  • Despite the huge growth in cloud adoption a high number of deals fall apart during final negotiations. Some 27 percent of surveyed cloud purchasers have walked away from at least one deal once it got to the contract negotiation stage. A further 10 percent have nearly walked away from a deal at this stage. The impact of data concerns under various topic headings is significant in those decisions.
  • Our data indicates data residency is the most important factor that causes cloud procurement deals to break down during negotiations. There are two primary issues. First is that the cloud customer is in the dark about where the data is located, despite requesting this information. More than 30 percent of survey respondents have walked away from a cloud deal because they don’t know where their data will be hosted. Of course, many vendors are able to provide this clarity easily. What is perhaps of greater concern is the same proportion have walked away from a deal because they are not comfortable with where the data resides or is processed once they know.   
  • Some 17 percent of surveyed purchasers that walked away from a deal at the negotiating stage did so due to concerns that company data may have to be given to government bodies due to local country legislation to which the cloud provider is subject.
  • Concerns over inadequate breach reporting are the joint second-most common reason why cloud computing deals break down during negotiations. Approximately 28 percent of surveyed purchasers of cloud solutions said they have walked away from at least one cloud deal because of this issue. Significantly, this will only increase to address the growth in mandatory breach reporting requirements in EU and other countries.
  • The same proportion (28 percent) have walked away from a cloud because of insufficient visibility on whether elements of the service are subcontracted to third parties and who these third parties might be.

Not surprisingly the technology, media and telecoms sector appear to exhibit the greatest demand for cloud services. The report demonstrates increasing interest levels from reticent adopters, in particular, the financial-services sector as well as some other sectoral differences between regions. Addressing data and other regulatory concerns will be key to unlocking that potential market.

Overall, a surprisingly large number of cloud deals are breaking down at the contract negotiation stage. Data concerns play a significant part in these decisions to walk away. It is not just SLAs, pricing or liability clauses that carry importance anymore. This is not a position either customer or supplier wants to be in, especially if these issues are only coming to light at the contracting stage. That’s simply a recipe for wasted costs and resources as well as frustration. This surely has to reinforce the need for these topics to be considered earlier in the purchasing/selling process. 

Suppliers who have spent time carefully thinking through customers’ concerns and regulatory requirements, and who have acted to address them, factoring this into their risk assessments, sales, and standard contractual documentation, are able to execute contracts quickest and reduce the number of deals that break down. This is fast becoming a competitive advantage. The proactive steps being taken by some of the larger suppliers in this area is both welcome and another sign of strong business rationale.

Similarly for potential customers, the report supports getting early engagement on consideration of the data privacy impacts internally and then having upfront conversations with potential suppliers. It provides useful benchmarks on issues such as specific security requirements and liability, which can often lead to impasse at contracting stages. This breakdown has as much to do with unrealistic customer expectations as to the contractual protections available for the solution they are sourcing as it can be to a disconnect between sales dialogue and what the contract terms actually say. It’s also fair to say that all too often those procuring the solution aren’t consulting those with responsibility for data privacy/contractual terms until quite late in the process.

While there are some complex regulatory and contractual issues to work through from both parties’ perspectives, and never more so than at the time of writing, more engagement around these issues at the outset could potentially significantly reduce the number of deals that break down and save time and money. Such impacts are real, so it will have served its purpose if it helps both sides to engage in constructive dialogue earlier – whether that is with each other or indeed internally.

photo credit: The cloud via photopin (license)