Times are changing as new data rules loom
Most businesses have vested interests in holding other people’s information, says Graham Millar
Everyone has data and it must all be protected from prying eyes
Businesses that do not deal in data are a rare and dying breed.
Even small enterprises that you might not expect have personal details of one sort or another, often through things as simple as newsletters and mailing lists.
The reality is that, in spite of impressions, nearly every business has a vested interest in holding other people’s data.
It is for this reason that a new law, named the General Data Protection Regulation, comes into play in May next year and is of the utmost importance to businesses across the country.
When the Regulation comes into effect businesses must operate a centralised data protection collection and processing system. Breaches can lead to a significant fine, with a maximum of €20million, 40 times the current maximum, or four per cent of global turnover, if more.
Needless to say, that is a ruinous sum capable of bringing even the most hardened and established businesses to their knees.
This new regulation is not a rush job either.
Initially proposed by the EU, Westminster committed fully to its implementation in the wake of Brexit and for good reason.
We only need to look across the pond to see the damage data ‘leaks’ can do, not just to individuals, but the economy.
The U.S. was, for a time, seen as somewhat of a ‘safe harbour’ attracting foreign investment and a good base for the North American market.
However, when it became apparent that security services were dipping into company databases at will, this reputation rightfully disintegrated.
Now business looks further north and can often be found making Canada their adopted home.
At a time when uncertainty seems just about the only certain thing, ensuring data security is an essential move for the UK’s private and public business communities.
This is only underlined by the particular cost to non-compliant companies.
The Information Commissioner’s Office, who will enforce the Regulation, have made it clear they are likely to take a zero tolerance approach, and will “name and shame” those who get it wrong.
Businesses will be expected to be able to demonstrate on demand that they are taking appropriate security measures, gaining consent, assessing these measures regularly, and that they have policies to safely destroy the data when appropriate.
Everyone should be taking this incredibly seriously – the moral and financial repercussions are not something anyone should relish taking on or dealing with.
Policy change can often be seen as an inconvenience, but at its heart the General Data Protection Regulation will protect every one of us.
Come May next year the legal landscape around this issue will look significantly different.
Scots should act now to ensure they are on its right side.
Graham Millar is Partner and Head of Employment Law at Gilson Gray.