Tough changes being brought in by the EU to combat breaches of personal privacy could have serious knock-on effects for Scottish firms in all areas of the economy, according to one of the country’s foremost data protection lawyers.
Helena Brown, a partner at HBJ Gateley, said the European Data Protection Regulations – which in 2018 will replace the existing Data Protection Directive – will bring in fines of up to four per cent of global turnover for breaches of privacy in Europe.
In addition, the so-called ‘Privacy Shield’ replacement for the previous ‘Safe Harbour’ agreement – which allowed the transfer of personal data between the EU and US but was invalidated by a court ruling last year – has yet to be confirmed. This makes it harder for US companies to exchange information with organisations in the EU.
The changes will modernise existing laws and will require robust practices around secure storage of data, risks presented by employees, marketing consent and complaints, and errors made by third parties in the data supply chain.
Helena Brown said: “There’s a feeling of a gathering storm around personal privacy. Increasing public awareness of privacy rights from high-profile cases against companies like Facebook and Google, coupled with fast-moving changes in technology and regulation of cyber security, have put privacy in the spotlight in a way it has never been before.
“Up until now the regulations surrounding it haven’t kept pace with technology or the explosion in the availability and dissemination of data, but that’s all about to change.
“If you hold data, analyse it, sell it, or use it for marketing, there will be serious implications if you’re not able to comply with the demands of the new regulations.
“There are also concerns that whatever replaces Safe Harbour will be so tight that it will discourage US companies from doing business with Europe. For lots of Scottish businesses that could be a real blow, which means that the earlier a company can establish how it will be affected, the more effectively it will be able to deal with the changes once they come into force.”
The new fines will replace the current maximum UK fine of £500,000; under the new rules, a company with a £20m turnover could be fined as much as £800,000 for a breach. In 2015, the UK Information Commissioner’s Office (ICO), which oversees data protection in the UK, handed out more than £1m of fines. Helena said this could increase under the new powers, but said the lost business or missed opportunities resulting from the reputational impact of a fine could be worse than the fine itself.
She said: “Security and privacy of data is and will remain such a fundamental part of how businesses transact that no-one wants to be the first company which is fined by the ICO once the new regulations come in.
“The potential impact on the supply chain and reputation could be massive – it’d be a deterrent for customers and clients, which could become problematic quite quickly.”
The regulations are expected to be ratified by the European Parliament in spring of this year, with guidelines supplied to member countries shortly afterwards. The new law will come directly into force two years after ratification. Part of the aim of the regulations will be to unify data protection standards across Europe; each member state currently administers its own regulatory regime with varying uniformity of enforcement and approach.
Helena added: “It might seem like two years is a long time to prepare, but that time will go in quickly and there will be no excuses once new laws are in force – organisations in Scotland should start planning now.”