A solicitor has highlighted the risk to businesses from a tougher approach to data protection breaches in the EU.
Helena Brown, a partner at HBJ Gateley, claims that changes being brought in to combat breaches of personal privacy could have serious knock-on effects for Scottish firms in all areas of the economy.
The European Data Protection Regulations, expected to be ratified by the European Parliament in spring of this year, would come directly into force two years after ratification, replacing the existing Data Protection Directive and bringing in fines of up to 4% of global turnover for breaches of privacy in Europe. Although the current maximum UK fine is £500,000, under the new rules a company with a £20m turnover could be liable to a penalty of up to £800,000 for a breach.
In addition, the so-called "privacy shield" replacement for the previous "Safe Harbor" agreement, which allowed the transfer of personal data between the EU and US but was invalidated by a European Court of Justice ruling last year, has yet to be confirmed. This makes it harder for US companies to exchange information with organisations in the EU.
Ms Brown said the changes, which will unify data protection standards across Europe, would require robust practices around secure storage of data, risks presented by employees, marketing consent and complaints, and errors made by third parties in the data supply chain.
She commented: “There’s a feeling of a gathering storm around personal privacy. Increasing public awareness of privacy rights from high profile cases against companies like Facebook and Google, coupled with fast moving changes in technology and regulation of cyber security, have put privacy in the spotlight in a way it has never been before.
“Up until now the regulations surrounding it haven’t kept pace with technology or the explosion in the availability and dissemination of data, but that’s all about to change.
“If you hold data, analyse it, sell it, or use it for marketing, there will be serious implications if you’re not able to comply with the demands of the new regulations.”
She added that there were concerns that whatever replaced Safe Harbor would be so tight that it would discourage US companies from doing business with Europe. “For lots of Scottish businesses that could be a real blow, which means that the earlier a company can establish how it will be affected, the more effectively it will be able to deal with the changes once they come into force.”
Ms Brown urges businesses to make sure they comply with the current law, which will make it easier to adapt to the new regime, and to consider the impact on any contracts and projects that will run beyond 2018. Organisations with more than 250 employees will also need an independent, expert data protection officer to advise on privacy issues.