In our previous article in our Digital Transformation series "Board Room Considerations for Deploying Digital Transformation Strategies", we noted that, for C-suite executives, data-related regulatory issues were the top drivers for decisions on locating technology and data investments. In this article we shine a spotlight on this aspect and dive deeper into why it is considered the top driver.

There are many reasons why Ireland is regarded as the European location of choice for many technology companies. In our "Global Trends in Technology & Data" report, 14% of participant organisations put data-related regulatory issues as their number one consideration when choosing a European location. In contrast, just 5% of participants identified the tax rate as their top consideration. The General Data Protection Regulation (GDPR) has had a positive impact on EU-based investments, with 85% of respondents in our "Global Trends in Technology & Data" report (up from 81% in previous research) noting that concern over the GDPR and related privacy issues was a key driver for having discrete data operations in the EU.

As you can see from the graphic below there is widespread agreement about privacy regulations and information security in the EU.

1244762a.jpg

GDPR not a barrier to investment and transformation

While it is evident in the years since GDPR came into force, that it has posed challenges for companies and necessitated significant investment in change, the findings of our "Global Trends in Technology & Data" report revealed a broadly positive attitude towards the GDPR. In fact, 91% of C-suite executive decision makers agree that appropriate controls on managing privacy and information security for their customers can provide their businesses with a competitive advantage in the present climate. On the other hand, there is concern in relation to divergence in the implementation of GDPR in member states with 89% of respondents agreeing that greater EU-wide coordination is essential. This was up from 61% in our previous research, which was conducted two years before the GDPR became law across the EU on 25 May 2018.

Ireland punching above its weight with gold standard data privacy regulatory regime

Our "Global Trends in Technology & Data" report, highlighted that Ireland's data privacy regulatory regime was held in a very high regard internationally, with 89% of respondents rating its data-related regulatory climate as good to excellent. Also of note is the fact that 46% regard the regime as excellent.

1244762b.jpg

EU harmonisation of data protection laws may be key to increasing investment

The GDPR, despite vastly increased fines and a more onerous compliance regime than applied prior to its implementation in May 2018, was broadly welcomed by international companies. Indeed, 76% of respondents in our earlier research agreed that tighter regulatory controls over data represented the best way forward. Many international organisations perceived the EU as suffering from a lack of harmonisation, leaving organisations to pursue a complex, expensive and uncertain jurisdiction-by-jurisdiction approach. There was therefore a reasonable expectation that harmonisation would deliver cost and efficiency benefits.

The GDPR has had a significant impact on investment plans since its introduction. 73% of respondents in our "Europe for Big Data" report said they had significantly increased spending on dealing with privacy and/or information security matters, while 40% said their willingness to invest in new EU data operations has significantly reduced as a result.

In 2022, there have been efforts by the EU to further harmonise data protection and related digital laws. We will highlight these later in the series as part of the EU Digital Decade, but one example of this is in relation to the Network and Information Security ("NIS") directive. The NIS directive, which sought to achieve a high common level of cybersecurity across the EU, is being expanded currently to respond to the growing threats posed with digitalisation and the rapid increase in cyber-attacks.

Significantly firms appeared concerned and even confused about some aspects of the implementation of the GDPR data regime in Europe. For example, 89% of firms agreed that the interpretation and enforcement of privacy regulations in the EU varies significantly between member states. This suggests that a demand for much greater EU-wide coordination is essential. This is up from 61% in our previous research. This is evident in the increased use of the dispute resolution procedure contained in Article 65 of the GDPR. The procedure allows other Supervisory Authorities to raise 'relevant and reasoned' objections in response to a draft decision issued by a Lead Supervisory Authority. This is then referred to the European Data Protection Board (EDPB) for determination. The increased use of this procedure (the Twitter and Whatsapp decisions both went through this procedure) suggests different views among regulators and accordingly suggests that there is a greater need for more harmonisation.

Notwithstanding this concern, our "Global Trends in Technology & Data" report found that 85% agreed that concern over privacy and related issues is a key driver for having discrete data operations in the EU. This is an increase from 81% in earlier research.

A natural consequence of disparities across a supposedly harmonised single market is the prospect of regulatory forum shopping with the selection of the country of regulation becoming of critical importance in investment decisions. Fortunately for Ireland, the Irish Regulator enjoys an excellent reputation being renowned as 'firm but fair' by international organisations. In 2022, the Irish Regulator has become even more active in investigating and prosecuting breaches of data protection law by multi-nationals in the technology sector. In any event, Ireland has a long and proven record as a leading jurisdiction in the EU and globally in which to establish and grow technology and data investments.

1244762c.jpg

Contributors: Leo Moore and Róisín Culligan

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.