A solicitor's practice in Sligo promoted its office manager to the role of Data Protection Officer in January. The email from the managing partner was friendly and brief. It said something like: "You'll be our DPO from now on — have a look at what GDPR requires and let me know if you need anything." Three weeks later, the new DPO was still staring at a browser tab open on the Data Protection Commission website, unsure where to begin, half-convinced that one wrong step would trigger a regulatory investigation.
If you have just been handed responsibility for GDPR, NIS2, or both, this guide is for you. The good news is that you can make meaningful, demonstrable progress in 90 days without a large budget and without having a technical background. The bad news is that there is no shortcut around actually understanding what these obligations require.
WHAT: Two Frameworks, One Person Responsible
GDPR and NIS2 are related but distinct. GDPR — the General Data Protection Regulation, enforced in Ireland by the Data Protection Commission — governs how your organisation collects, stores, and uses personal data.[^3] It applies to virtually every Irish business. NIS2 — the Network and Information Security Directive, which Ireland transposed into national law — applies to organisations in specific sectors and above certain size thresholds, and it focuses on cybersecurity risk management, incident reporting, and supply chain security.[^1]
As the person who has just been made responsible for both, your first task is to work out which of these frameworks fully applies to your organisation and to what extent. Many small Irish businesses are directly subject to GDPR but only indirectly affected by NIS2 — because a large enterprise client is in scope and is now requiring evidence of security controls from its supply chain. Understanding which rules you actually have to comply with shapes everything that follows.
The DPC publishes detailed guidance on GDPR obligations for data controllers — the category most Irish businesses fall into. The NCSC Ireland publishes guidance on NIS2 implementation and the security controls organisations are expected to maintain. Both are freely available, and reading the relevant sections from both sources is an appropriate first step for a new compliance appointee.[^1][^3]
WHAT NOW: Your First 90 Days in Practice
The first thirty days should be focused entirely on finding out what your organisation currently does with data, and how it currently handles cybersecurity. You cannot assess risk or build a compliance programme without this baseline. Begin by identifying every system your organisation uses — email, accounting software, HR records, customer databases, cloud storage — and for each one, ask: what personal data does it hold, who has access, and where is it stored? This is the beginning of a Record of Processing Activities, which GDPR requires most organisations to maintain.
In parallel, ask your IT provider or internal IT contact to walk you through your current security controls. You are not expected to be a technical expert. You are expected to understand, at a governance level, whether the organisation has multi-factor authentication in place, whether backups are tested, whether there is a process for managing who has access to what. Write down what you find. The act of documenting the current state is itself compliance progress.
Not sure whether NIS2 applies to your organisation directly, or only through your clients? Book a free 20-minute strategy call — we will help you map your obligations and tell you what actually needs to happen first.
In days 31 to 60, your focus should shift to gap analysis. Compare what you found in the first month against what GDPR and NIS2 require. The DPC's guidance on lawful bases for processing, data subject rights, and breach notification will tell you where your GDPR gaps are. For NIS2, the NCSC Ireland has published a set of security measures that in-scope organisations must implement — these cover risk management, access control, incident response, and supply chain security. You will almost certainly find gaps. That is normal. Document them in a structured way: what is the gap, what is the risk, what would close it, and roughly what would it cost?
By days 61 to 90, you should have enough information to draft a compliance roadmap. This does not need to be a lengthy document. A one-page summary that identifies the five most significant gaps, proposes a priority order for addressing them, and gives a realistic timeframe is worth more than a fifty-page policy manual that nobody reads. Share it with your management team or board. Getting sign-off on the roadmap is itself an important step — it demonstrates that leadership is aware of the obligations and is actively managing them, which is exactly what both the DPC and the NCSC Ireland expect to see.
WHY IT MATTERS: The Regulatory Stakes
The Data Protection Commission has the power to fine organisations up to 4% of global annual turnover or €20 million, whichever is greater, for serious GDPR breaches. In practice, the DPC focuses its enforcement on proportionate responses and works with organisations that demonstrate genuine effort to comply. But the starting point for that good-faith relationship is demonstrating that you have actually done the work — the records, the policies, the risk assessment.[^3]
NIS2 carries its own penalties for in-scope organisations, and the Irish legislation gives supervisory authorities the ability to require specific security measures and impose fines for failures to comply. Beyond the direct regulatory exposure, the commercial risk is equally real. An Garda Síochána and the Garda National Cyber Crime Bureau consistently report that businesses without basic security controls are being successfully attacked at rates that would alarm most Irish business owners.[^2] A compliance framework, built properly, does double duty: it satisfies regulators and it actually reduces your risk.
The other thing that matters for a newly appointed compliance lead is personal credibility. If a breach happens, or a regulator asks questions, the standard you will be held to is whether you took reasonable steps to understand and address your obligations. A documented 90-day process, even an imperfect one, is evidence of reasonable steps. Starting the job and doing nothing is not.
WHAT NEXT: Three Immediate Actions
First, register with the DPC's notification service if your organisation is not already registered. Irish businesses that process personal data in certain categories — including health data, criminal records data, or data processing on behalf of others — have specific notification obligations. Checking your registration status takes fifteen minutes.
Second, draft a simple data breach response procedure. It does not need to be sophisticated at this stage. It needs to say: who gets told when a potential breach is discovered, who decides whether to notify the DPC, and what information needs to be captured. Under GDPR, you have 72 hours to notify the DPC of a reportable breach from the moment you become aware of it. Having a procedure in place before an incident happens is non-negotiable.
Third, find a peer. The DPC, NCSC Ireland, and various industry bodies run guidance sessions and networking events for compliance professionals. Connecting with someone who has been in the role for a year or two — at a similar-sized Irish business — is often more useful than any policy template you can download online.
Compliance does not have to be paralysing. The organisations that handle it best are the ones that start with a clear map of what they actually need to do. Book a free 20-minute strategy call — we help newly appointed compliance leads build a programme that is practical, proportionate, and defensible.
The role you have been given matters. Done well, it protects your colleagues' jobs, your customers' data, and your organisation's reputation. The 90-day plan above will not make you an expert overnight. It will put you in a position where you understand your obligations, know where your gaps are, and have a credible plan to close them.
Related Reading
- Building a NIS2 Compliance Roadmap: A 12-Month Plan for Irish SMEs
- Director Liability Under NIS2 and GDPR: A Briefing for Irish Company Directors
- Data Protection for Irish Professional Services: GDPR and Beyond
[^1]: NCSC Ireland: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána: https://www.garda.ie/en/crime/cyber-crime/
[^3]: DPC: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.