The five-minute CIO: David Cullen, William Fry

3 Feb 2017

David Cullen, head of the technology group at legal firm William Fry. Image: William Fry

“Businesses have only scratched the surface on the potential uses of big data,” said David Cullen, head of William Fry’s technology group.

David Cullen is a partner at William Fry and head of its technology group, specialising in complex technology matters and the strategic protection and development of intellectual property, particularly for online and digital markets.

Listed in the Best Lawyers in Ireland 2016 under information technology law, Cullen’s representative work includes advising multinational clients on the development, implementation and operation of several national IT infrastructure projects.

Future Human

He is also conversant in all aspects of data protection and privacy, dealing with large-scale data, security breaches and cybersecurity.

In particular, he focuses on corporate data protection or privacy-related projects, advising on various matters that involve the Office of the Data Protection Commissioner, audits, PIAs, and preparation for GDPR. He also advises on group implementation of policies and review of existing policies and procedures, as well as negotiation of complex commercial contracts, including outsourcing and naming rights agreements.

What is William Fry’s strategy for its technology infrastructure over the next five years?

Our technology strategy is driven by the firm’s commitment to improve client experience, move clearly beyond our competitors and provide new and enhanced services that add real value for our clients.

We provide webinars, podcasts and online services, such as our dedicated PrivacySource site, which engages directly and meaningfully with our clients on all aspects of data privacy. Our updates are driven by what our clients find most interesting and useful, so it ensures we focus our resources on what is really relevant to them.

We constantly roll out refreshes, upgrades and new applications, which can be firm-wide or for specific practice areas. We are investing in technology to ensure greater mobility to be able to assist our clients from anywhere at any time; sharing documents with them in easy and secure ways, using new intelligent products to allow us to provide innovative services as well as more sophisticated BI tools, to provide better reporting and assist us in securing these objectives.

What trends are you seeing in the tech space?

Big data, cybersecurity and IoT continue to grab the headlines.

Cybersecurity continues to increase in importance for all businesses. The Central Bank has made it clear that it expects compliance with high standards in the financial services sector, issuing specific guidance on IT risk management and cybersecurity. High-profile data security breaches by sophisticated international criminals, targeting companies such as Yahoo and LinkedIn, have been well documented.

On a domestic level, a recent survey of 200 professionals by the Irish Computer Society states that 61pc of organisations have had at least one data breach in the last year, which is an increase on the previous year. It reflects what we are seeing in practice. Given this, it follows that cybersecurity will remain high on the agenda for organisations, nationally and internationally.

We recently produced a report, Europe for Big Data, in association with Forbes Insights, which is based on a survey of 200 C-suite executives from around the world. A number of interesting data-related trends became apparent. Even among non-technology organisations across multiple sectors, 73pc are making extensive use of technology. In short, all companies are becoming technology companies, and finding themselves increasingly driven by data.

The regulation of data is a key factor, driving businesses to locate data control hubs for each region, within that same region, typically the Americas, EMEA and Asia-Pacific regions. While tax used to dominate thinking, and of course is still relevant, our report found data-related factors now rank as two of the top five location drivers.

IoT, while still in its infancy in terms of revenue generation and deployments, will see another year of growth. There is growing sense out there that 2017 is the year that the monetisation of IoT systems, in both software and hardware, needs to be realised, or market frustration may take hold.

What, if any, are the drivers growing the technology sector in Ireland?

There are many factors that play a role in the growth of the technology sector in Ireland, as well as across Europe as a whole: stable government, access to the EU market, availability of expertise, ease of doing business, competitive corporate tax rates, proximity to customers and universities, access to local partners, time zones, and language and culture.

Our big data report found that international organisations are demanding clear and harmonised privacy and data security regulations. There is also an undeniable ‘cluster effect’ for Ireland in having so many big data companies operating in close proximity. With so much great talent in this country, this will undoubtedly encourage a greater degree of innovation, driving continuing growth.

How does Ireland compare to other EU jurisdictions in terms of attractiveness to technology firms?

We are fast becoming a world leader in big data, internet of things, machine learning, cognitive computing, AI, fintech and cloud computing. If we look solely at data-driven investment, our report found that Ireland’s position is especially remarkable in spite of its significantly smaller economy and population ranking – just behind the UK but ahead of Germany. For a small nation, we punch well above our weight in attracting foreign investment. Perhaps even more noteworthy is Ireland’s high rating in terms of the merits of its data-related regulatory climate overall and its privacy regime.

Why is this so?

Locating in Ireland becomes even more compelling when considering the traditional factors alongside its privacy and data security regime, proximity to data regulators and access to the EU market. Ireland has a competitive corporate tax rate of 12.5pc. In addition, the country also offers a Knowledge Development Box with a tax rate of 6.25pc for companies. All of these factors taken together drive Ireland’s appeal as a European or EMEA headquarters.

How are these trends affecting the type of instructions being received by your firm?

We have seen a huge growth in engagements to advise on all aspects, but in particular on the data privacy and contractual aspects of large-scale big data projects. These projects have been increasing in tandem with the increased growth in social media, electronic communications and cloud-based services, as well as some industry sectors such as financial services, insurance and e-health.

IoT regulation is currently in its infancy and, as such, any instructions relating to IoT devices have been understandably early-stage in nature to date. However, with the upcoming introduction of European legislation that applies to IoT devices, we anticipate that we will start receiving a growing number of IoT instructions in the next 12 months.

The media attention afforded to data security breaches, together with the unprecedented scale and increasing sophistication of some of those breaches, have convinced many businesses of the need to up their game. Many are working hard to put in place programmes to deal with regulatory requirements, which also serve as valuable preservation and protection measures. We are assisting them in reviewing their key operations; strengthening internal measures, such as training and policies, and external measures, such as contractual provisions with service providers, to ensure greater protection.

Have you seen an increase in the immersion/adoption of technology and data in the day-to-day business of those organisations that are not traditionally viewed as technology companies?

Absolutely, we see it every day in our work. In the survey mentioned above, this view was confirmed by our respondents. 73pc of executives from organisations that are not traditionally regarded as technology companies say that their companies make extensive (and increasing) use of technology to exploit data opportunities.

The figure increases to 85pc in financial services and to 82pc among executives from China and India. From enterprise resource-planning systems, mobile and e-commerce capabilities or digital marketing, to systems driven by artificial intelligence (AI), cognitive computing and machine learning, businesses cannot expect to be, or to remain, competitive without investment in technology that enables data analytics.

Are there any key legislative changes, such as the GDPR, on the horizon which will impact largely on the sector?

There are two hugely significant legal frameworks that will have a determining impact on how international business is conducted over the next decade or more: GDPR and the EU-US Privacy Shield.

The GDPR, which comes into effect on 25 May 2018, seeks to accomplish two core objectives.

First, to strengthen data protection rights for individuals. International organisations, regardless of where they are based, are likely to find themselves subject to the GDPR, which they cannot afford to ignore, as it holds businesses accountable for failure to protect privacy in various ways, not least by providing for fines of up to 4pc of global turnover.

The second objective seeks to harmonise data protection regulations across the EU, which will include a ‘lead authority mechanism’ approach to data protection compliance for the entire EU region. Helen Dixon, the Irish Data Protection Commissioner, and her colleagues have worked tirelessly to earn an excellent reputation internationally for Ireland, balancing protection of rights with effective regulation that well-advised businesses have no reason to fear.

The EU-US Privacy Shield is a measure adopted by the EU that took effect from 1 August 2016, arising from the invalidation by the EU’s court of justice of a prior EU–US framework legitimising data transfer to US-certified companies.

It clarifies the circumstances, strict though they may be, under which European data may be transferred to the United States. Its success will depend on its implementation, which will be very closely scrutinised, with an initial review taking place later this year.

There is also a network information and security directive on the horizon. It is designed to ensure more trust in technology and online services. It also has particular requirements for operators of ‘essential services’ (such as energy, transport, banking and health) to ensure that they adopt appropriate risk management practices and notify serious incidents to national authorities. It will also have an impact for providers of certain digital services, such as search engines and cloud computing.

In the wake of the Brexit decision, what do you predict for the sector in both Ireland and the EU?

While it is a time of uncertainty, one of the strengths for Ireland over many years has been the enormous benefit for businesses located here to have free access to the entire EU market. An important part of this for technology companies is the Digital Single Market. The regulations that underpin this have simplified the procedures for e-commerce across the member states.

Brexit’s impact on this will largely depend on the terms of their negotiated exit from the EU. Some businesses will be tempted to locate new business in Ireland and some are seeking advice on relocating here, all to ensure certainty of long-term access to that Single Market.

A serious issue for British-based businesses, in light of Brexit, will be the GDPR. This is an opportunity for the technology sector within Ireland and the EU. The GDPR’s ‘main establishment’ rule will see some businesses choosing to establish their businesses within Ireland. We are already seeing the early stages of this activity.

Where do you see the opportunities lying in the technology sector into the future?

While we are seeing clients explore new and interesting uses of big data, we believe that businesses have only scratched the surface of the various opportunities available. We expect to see a lot of growth in these activities in the coming year.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years