The Invisible Trapdoors in Your IT Outsourcing Contract (and the Eye-Watering Cost of Falling Through Them)
We have all witnessed, or perhaps quietly participated in, the grand, theatrical romance of the corporate procurement cycle.
A business decides to outsource its core IT functions. The courtship is magnificent. Glossy slide decks are paraded, promises are whispered, and eventually, a monumentally thick contract is wheeled into the room on a flatbed trolley. It boasts SLAs, intricate governance structures, a TUPE schedule, and enough legalese to paper over the Grand Canyon. The corporate lawyers nod with solemn, self-satisfied approval, pens are flourished, and the deal is sealed.
Then, inevitably, eighteen months later, the honeymoon ends. The supplier’s performance plummets into the abyss, the servers are down, operations are paralyzed, and the client desperately flings open the contract looking for an exit strategy.
And what do they find? Absolutely nothing worth having.
It is an astonishingly common tragedy, playing out with devastating regularity across everything from modest £200,000 managed services arrangements to staggering, eight-figure digital transformation programs. Terminating for convenience demands an absurd 12 months’ notice. The supplier’s liability for cataclysmic failure is capped at a pathetic three months’ fees. There is no mechanism to get your own data back in a format that isn't completely scrambled, and the uncollectable SLA credits feel like being offered a coupon for a free coffee after someone has accidentally burned down your house.
To prevent you from signing your own corporate death warrant, here is an investigative look at the critical provisions most commonly absent from IT outsourcing contracts—and precisely what their omission will cost you.
1. Step-In Rights That Are Actually Usable
In theory, a "step-in right" is a magnificent, comforting concept. It purports to give you the unilateral power to march into the metaphorical engine room, seize the controls from a failing supplier, or appoint a competent third party to steer the ship until the crisis abates.
In practice, however, most step-in rights are drafted so poorly that they are entirely decorative.
The flaw is structural. The triggers required to invoke step-in are tightly restricted—usually shackled to a proven "material breach". Think about what this actually means. To step in, the client must first accumulate mountains of undeniable evidence, formally declare a breach, and endure a lengthy, bureaucratic dispute resolution process. By the time your lawyers have finished exchanging sternly worded letters to clear that legal hurdle, the operational crisis has already eviscerated your business.
The Fix: Well-drafted step-in rights require no-fault triggers. These are clear, objective operational emergencies where the supplier simply cannot or will not perform, irrespective of whether a formal legal breach has occurred. You need the power to intervene when the smoke appears, not after the building has burned to ashes.
2. The Unseen 2026 Hazard: The Shadow AI Schedule
Consider this highly specific horror story that is quietly unfolding across the corporate landscape today.
Six months into an outsourcing arrangement, a supplier quietly decides to supercharge their efficiency by routing your proprietary customer data through a third-party generative AI model. They didn't mention it because it wasn't explicitly forbidden. Because no one thought to include an AI-specific schedule, there was absolutely nothing in the contract forcing them to disclose it.
Suddenly, your sensitive IP, your customers' financial data, or your proprietary code has been absorbed into a public LLM. In an era where global data protection regimes levy fines reaching into tens of millions for algorithmic non-compliance, a liability cap that fails to account for shadow AI usage is a ticking financial time bomb. If your contract doesn't explicitly dictate whether, where, and how AI can touch your data, you aren't just outsourcing your IT—you are gambling with your entire corporate reputation.
3. The Data Handback: Escaping the Data Hostage Crisis
When an outsourcing relationship dies, you need to leave. But you cannot leave without your data.
Many standard contracts state that the supplier will "return client data upon termination." It sounds perfectly reasonable. But what they don't tell you is that they intend to hand it back to you as a monolithic, unstructured data dump—perhaps a mountain of unindexed JSON files or a proprietary format that no other system on Earth can read.
Without explicit clauses mandating that data must be returned in a usable, industry-standard, and structured format, you are effectively being held hostage. The supplier can charge exorbitant "extraction fees" to give you your own information back in a readable state, turning your exit into an expensive extraction mission.
Summary Checklist: Before You Sign
Before you allow 11:00 PM deal-making fatigue to cloud your judgment, check the contract for these essential elements:
No-Fault Step-In Triggers: Ensure you can intervene based on operational reality, not just after a protracted legal battle.
AI Transparency Clauses: Explicitly require the disclosure and approval of any AI tools used to process your data.
Structured Data Return: Mandate the exact format, timeline, and cost (ideally zero) for returning your operational data upon exit.
The Final Verdict
When reviewing an IT outsourcing contract, do not ask your legal team if the document is "standard." Standard is precisely how businesses find themselves trapped in expensive, non-performing relationships. Ask them instead: "If this supplier completely vanishes tomorrow, do we have the clear operational and legal path to keep our business alive?"
If the answer is a hesitant pause, do not sign it. Have it rewritten.
This article is general guidance only and does not constitute legal advice. The law on liability caps involves fact-specific analysis and you should seek advice on your specific position. RMOK Legal is authorised and regulated by the Solicitors Regulation Authority.

