GDPR is on the way, but there's no need to panic

Aug 11, 2017
Colm McDonnell, Partner and Head of Risk Advisory at Deloitte Ireland, shares his thoughts on the new General Data Protection Regulation (GDPR) and Network and Information Security Directive.

GDPR has been described as a “game-changer” by Ireland’s Data Protection Commissioner. Why is it so important, in your view?

With the introduction of GDPR next May, existing data protection laws will experience substantial changes in terms of scope and effect. The existing legislation, based on EU Directive 95/46/EC, was transposed by individual member states in local ways, which led to an ad hoc approach being taken across the European Union (EU). The new legislation means that the application of the legislation will be consistent across all member states and should make it easier for companies to conduct business EU-wide with a level of certainty as to their obligations. In addition, companies must be aware of how and why they use personal data as GDPR increases the right of individuals in relation to the privacy of information and how their information is processed by companies.

With the implementation date of 25 May 2018 fast approaching, is Ireland prepared for this new legal framework?

GDPR has been on the radar for a number of years and in that time, the Government and Data Protection Commissioner have engaged with stakeholders to ensure that Ireland meets the challenge of GDPR head-on. As Ireland is a knowledge-based economy, it’s imperative that the country is ready for 25 May 2018. Deloitte has been working with clients to ensure that they are fully aware of their obligations under the new framework and crucially, that they also have a strategy and process in place to manage the implementation of changes such as the introduction of Data Protection Officers.

In the broader cyber environment, what will the Network and Information Security Directive (NIS Directive) do for cyber resilience in Europe?

The NIS Directive is forecast for transposition by the Irish Government by May 2018. At this date, companies in industry sectors that are defined as belonging to a sector of national critical infrastructure will be defined. These organisations will be known as providers of operators of essential services (OES) and most of these organisations will already be in heavily regulated industry sectors such as telecoms, energy and transport for example. Such organisations will be subject to the oversight and reporting regime imposed by the NIS Directive.
The NIS Directive is focusing on new requirements for network and information security for operators of essential services and digital service providers (DSPs) to provide for network security and business continuity in critical sectors. Essentially, the NIS Directive is ensuring a consistent EU-wide approach to business continuity in critical national infrastructure. As such, cyber resilience across all member states will be strengthened with this new Directive.

What roles can finance professionals, such as Chartered Accountants, play in such projects? And should they lead the charge?

The implementation of such projects involves knowledge of EU legislation, an understanding of requirements per organisation, seamless integration into daily business operations as well as realising the new opportunities that GDPR and the NIS Directive will bring to business in Ireland. Professional staff, such as Chartered Accountants, are uniquely positioned – as a result of their industry knowledge, professional experience and client focus – to help steer organisations through times of change. As such, a Chartered Accountant is ideally placed to lead the implementation of GDPR and NIS Directive projects for their organisations.

If GDPR is still on a firm’s to-do list at this stage, what advice would you give them?

Given the time-frame for implementation, I would advise that such firms not panic. Rather than approaching this as a stand-alone project, I would suggest engaging the services of service providers who have the knowledge, expertise and skills to help such a firm meet the challenges of GDPR on time and to meet its regulatory obligations.
Colm McDonnell is a Partner and Head of Risk Advisory at Deloitte Ireland.