We all dread going to talk to legal.Â They speak a different language and you never know what they are going to object to, but odds are good you will have more work to do after you leave the meeting.Â Sooner or later the day comes when you need to discuss your API initiative with your company legal department and being prepared can help drive a more productive and successful encounter.
First, let me clearly state that I am NOT a lawyer.Â I have no formal legal training and am not going to make legal recommendations.Â This blog is about how to prepare yourself for the discussion with legal, and yes, I have been working to get items approved by legal for over 25 years.
As with any audience, the best practice is to understand their perspective and determine the information they need from you while at the same time guiding the conversation to meet your needs.
Some lawyers may be more progressive and open to innovative approaches and others more conservative and resistant to change.Â Some may have an ability to understand technology, and others â€“ not so much.Â They all have a common motivation to protect the company from lawsuits and to protect business assets.Â Opening access to business assets through APIs might be a potential exposure, so there may be some trepidation from lawyers regarding this topic.
Introducing a new channel to market is an area where lawyers get antsy.Â My first experience with this was in the 90s with the world wide web.Â Early on companies were building static web sites, trying to direct potential customers to come to their store or call.Â Some companies saw the opportunity for a new channel using web transactions, others moved slower and some paid a significant price for being late.Â I am not blaming this on corporate lawyers, channel conflict was an issue then and remains one for APIs as well.Â However, the concerns over exposing assets and potential security and privacy concerns (e.g. regarding payments) were legal issues that needed to be solved.
A few lessons to bring forward from this:
- Recognize the new channel opportunity early
- The question is not â€śif we are going to implementâ€ť this new channel, but â€śwhat needs to be doneâ€ť to make this new channel work
Going into the legal meeting with a partnering attitude can be very helpful.
Not everything you do with APIs needs legal involvement.Â Many early projects may deal with existing scenarios that are just being enabled in a simpler more rapid manner.Â But, as use cases become â€śchannelâ€ť oriented, or deal with private or sensitive information, then legal involvement may be required.Â Topics such as GDPR and PSD2 in Europe that deal with sensitive personal information or valuable financial information most likely need legal involvement.Â And this is not just limited to Europe, similar regulations are happening in many countries.
Here are a few scenarios to consider:
- Internal Consumers â€“ for projects such as your businessâ€™ mobile App, accessing social media, sharing data or analytics inside the company, you probably do not need legal approval. In these cases, you are not using the API as a channel, just simplifying an internal project.Â However, mobile itself may have had legal involvement or sharing data may be a concern for sensitive information, but the API use is not the issue.
- Partner consumers â€“ for partners accessing your systems through APIs, legal involvement may be required. Ensuring control of private or sensitive data and the use of this data may be concerns.Â Also, partner on-boarding which is a great API use case should be discussed to ensure that partners given access to the APIs are authorized appropriately.
- Public consumers â€“ is perhaps the area that will raise the most concern with legal. In most cases public APIs are accessing the same information that an unauthenticated user can access on the web site, so this should not be an issue.Â But the idea of public APIs may raise some unwarranted concern.Â Explain the type of information and provide assurances that no personal or private information is made available to the general public.
Many of the questions that will be asked will be based upon the audience for the API and the data or transactions you are making available.Â This is a sample set of questions you might expect a lawyer to ask:
- Do you own the rights to the data you are providing?
- Are all intended audiences entitled to access this data?
- What rights are you granting the consumer of the API to use the data provided?
- How are you ensuring privacy?
- Customer privacy â€“ ensuring the customer can only access their own information
- Organization privacy â€“ ensuring the consuming organization only has visibility to their own customer information and not information belonging to other organizations.
- What is the required policy for data retention?
- What requirements do you have for attribution of the content or use of your brand? Do you need to give attribution to some other entity?
- How will you find out and deal with consumers who do not use the API appropriately?
- What are your liabilities?
Being prepared to answer these questions can go a long way to ensure a successful outcome.
These questions are not the normal discussions we have daily about our API initiative.Â Therefore, we are less comfortable in having this â€ślegalâ€ť discussion.Â Â Preparing for this can go a long way to having a successful outcome.Â Remember, it is not a discussion about whether to use APIs as a channel, keep the discussion about what needs to be done to make this happen.
To understand more about IBMâ€™s thoughts on the API Economy visit the IBM API Economy website.Â IBM API Connect is IBMâ€™s complete foundation to Create, Run, Manage, and Secure APIs.Â You can find more information about IBM API Connect at the API Connect website.Â And you can also experience a trial version of API Connect.
If you have questions, please let me know.Â Connect with me through comments here or via twitter @Arglick to continue the discussion.