Blog: Data protection will lead to hefty business fines

Hefty fines are a small price to pay for data protection that will benefit business and consumers, writes Graham Millar.

Businesses that do not deal in data are a rare and dying breed.

Even small enterprises that you might not expect to hold personal details do so in one form or another, often through things as simple as newsletters and mailing lists.

The reality is that, in spite of impressions, nearly every business has a vested interest in holding other people’s data.

It is for this reason that the new law, named the General Data Protection Regulation, which comes into play in May next year, is of the utmost importance to businesses across the country.

When the regulation comes into effect, businesses must operate a centralised data protection collection and processing system. Breaches can lead to a significant fine, with a maximum of €20 million, forty times the current maximum, or four per cent of global turnover, if more.

Needless to say, that is a ruinous sum capable of bringing even the most hardened and established businesses to their knees.

This new regulation is not a rush job either. Initially proposed by the EU, Westminster committed fully to its implementation in the wake of Brexit and for good reason.

We only need to look across the pond to see the damage data leaks can do, not just to individuals, but the economy.

The U.S. was, for a time, seen as something of a safe harbour, attracting foreign investment, but when it became apparent that security services were dipping into company databases at will, this reputation rightly disintegrated.

Now businesses look further north and can often be found making Canada their adopted home.

At a time when uncertainty seems just about the only certain thing, ensuring data security is an essential move for the UK’s private and public business communities.

This is only underlined by the particular cost to non-compliant companies.

The Information Commissioner’s Office, which will enforce the regulation, has made it clear it is likely to take a zero-tolerance approach, and will “name and shame” those who get it wrong.

Businesses will be expected to be able to demonstrate on demand that they are taking appropriate security measures, gaining consent, assessing these measures regularly and maintaining policies to safely destroy the data when appropriate.

Policy change can often be seen as an inconvenience, but at its heart the General Data Protection Regulation will protect every one of us. Come May next year the legal landscape around this issue will look significantly different – Scots should act now to ensure they are on its right side.


  • Graham Millar is partner and head of employment law at Gilson Gray.