A framework for assessing the legal risks associated with innovation.

Introduction. One of the challenges faced by innovating companies is how to assess the legal impact of a new innovative product or online service as early as possible, preferably when it is still in the conceptual design phase. In my definition the legal impact of a product or service is how the new product or service will be governed by existing and future legislation and consequently what the legal risk are going to be.

Unfortunately, legal assessments are generally only conducted in the last phase of the development phase when an adjustment or change of the product or service is costly. Even worse, history has seen various companies being confronted with unintended legal backlash upon market introduction.

Obviously, I am advocating a different approach here. When the product or service has not yet come out of the conceptual design phase, making a change that is made necessary by its (potential) legal impact is still possible at acceptable costs without any reputational damages. Even not going forward with the product would still be possible. If costs have been made for installing an assembly line or a mould has been manufactured, the financial impact of a required change is significantly higher. Also bear in mind that an adjustment in a later phase will impact business plans and revenue projections which would not be beneficial for the valuation of your company.

Therefore, in my view sensible innovators assess the legal impact of the product or service they are developing in the early stages of the development process, preferably in the design phase.  The challenge however is how to do an adequate legal assessment of a potential new product or service when it is still in its infancy. Wouter Seinen and I have tried to create a framework for such an assessment. This framework is displayed in the image below. The intent of the framework is to visualize those elements of a product or service that we feel would trigger current and future legislation. Our framework can be the basis for a more elaborate and structured legal risk assessment process which you can conduct during a development similar to a privacy risk assessment.

How does it work?

Functioning of the framework. Each new product or service generally has a Function. This Function can be separated in to how it works (Operation) and the purpose for which it is used (Application). To be able to work, the product or service may require Input. Input generally is data including personal data.

Depending on the Application the product or service will have an impact on natural persons and/or legal entities, the market or society in general. If the law finds that the nature or the reach of the impact creates unacceptable legal, economic or social consequences for one of these interest groups, it will try to regulate that impact. For example, laws that govern the processing of personal data are generally aimed at safeguarding data subjects against undue impact on their social and economic position because of the use of personal data by a controller. Food products are made subject to food and commodities law which aims to safeguard the health and wellbeing of the consumer. Those laws for example would target the relationship between a soft drink and Obesitas with children (presuming there is one).

One of the means to take away or diminish an unacceptable impact can be that the law imposes on the manufacturer or service provider obligations that Control the functioning of the product or service or require the manufacturer or service provider to Adjust it. The latter can be harmful for the manufacturer or service provider if he then needs to go back to the design table to redesign the product or service.

Example: a smart thermostat uses energy data that is generated by the consumption of energy in the home of a consumer. The application of the thermostat is to regulate the temperature in the home of the consumer in an efficient manner to enable the consumer to pay as little for energy costs as possible. Given the use of data (input), the application and impact, it is reasonable to expect the application of data privacy laws. These laws require the application of privacy by design principles to the thermostat. If the output of the thermostat will also have consequences for the energy bill, regulation governing the performance of utilities will almost certainly also apply.

It may be that the current law does not address a specific impact of a product or service. If that is the case, the introduction of the product or service may trigger new legislation. This is the GAP that is identified in the framework.

Example: to address potential legal consequences of the use of algorithms the law is currently amended to include oversight on the functioning of algorithms.

Obviously to be able to apply the framework the extent of the impact of the product or service needs to be validated and weighed. Such validation will need to consider that a product or service that is beneficial to a consumer may be detrimental to other relevant parties as was the case with Uber. Consumers are generally happy with the service provided by Uber. Taxi drivers however lack any negotiating power with Uber and are prey to its algorithms.  The question is then will the impact of Uber trigger legislation that prohibits providing part or the whole of the service.

I am keen to get your feedback on the thoughts expressed in this blogpost. Grasp would be happy to support you in setting up a legal impact assessment process to help you get more lasting value out of the innovation process in your company.