
Data protection: why organisations must get to grips with GDPR

Data protection laws are about to get much tougher

As the countdown continues to the new General Data Protection Regulation being enforced throughout the EU at the end of May, Michael Alexander looks at what’s being done by organisations to prepare.

It is the biggest overhaul of data protection legislation in a generation and it’s about to introduce new requirements for how organisations store and handle personal data.

On May 25, the European Union’s General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (based on an EU directive from 1995).

Reflecting how data storage and social media have increased dramatically over the last 20 years, it means that any organisation handling data that relates to EU citizens will have to comply with the new regulation or face tougher financial penalties.

Data protection law change is being led by the European Union

Despite Britain’s imminent departure from the EU in a little over a year’s time, all businesses and charities in the UK will have to comply as it converts into British law.

“This new law affects everyone but more importantly any organisations that hold personal data,” explains Gordon Boyle, law accountant with Dundee law firm Boyles.

“It is to protect the individual and any breach of their data that could happen.

“Organisations who hold data are only allowed to hold data for a justified reason and must be held accountable if data is leaked. Data should not be kept any longer than is necessary.”


Personal data – whether that be digital or hard copy – includes an individual’s name, address, date of birth, email address, IP address, and photos whereby someone can be identified directly or indirectly.

Firms must demonstrate compliance; document policies and procedures; train all staff; assess any breaches and carry out data protection impact assessments.

It applies to lawyers as it does to any organisation.

But Mr Boyle, who thinks the new measures are “absolutely necessary” given the vast quantities of data now stored online, said it particularly affects solicitors who hold a lot of “special category personal data” – i.e. criminal information for a trial that would be dangerous and defaming if there were any leaks outside the firm.

He adds: “It is important that no one outside our firm can access the data nor anyone inside can leak it out.

“Also we need to look at all types of data storage and assess the risk that is from a hard copy on a desk and in filing cabinets to digital data on computer file servers and to USB sticks/CDs that hold data.

“We have to ensure all data is secure, we use file encryption and on-going monitors and procedures.

“By May we basically need to ensure our corporate security policies and data procedures meet minimum GDPR guidelines.”

Charities will also be affected by the changes. The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been the main focus of the debate about data protection so far.

Under GDPR, simply saying “click here to read our privacy policy” is no longer enough. Charities need to explain clearly why they are collecting personal data and how they intend to use it.

Explicit consent will have to be sought if the intention is to make data available to third-party providers.

The GDPR also brings in a “right to be forgotten” where people can request the removal of personal data, either if they no longer want the charity to have it or if it is no longer used for the purpose it was collected.

Marie Penman is a journalism lecturer in Fife

It’s something that former Fife councillor Marie Penman has been reading up on this week as a board member of Kirkcaldy Foodbank – and generally she thinks the changes are a “good thing”.

But as a journalism lecturer at Fife College, she’s also interested in what it means for the media.

“Current data protection rules allow journalists to be exempt if the details they’re using are in the public interest,” she says.

“The final details of GDPR are still being discussed in parliament but some politicians believe journalists’ exemption should be scrapped in the new regulations.

Journalists at work in the 1950s – times have changed!

“Many journalists worry this will affect their ability to write investigative articles that analyse lots of data at once or that rely on information from whistle-blowers.

“This is because the new rules state that permission must be given for any personal data to be used.

“Obviously, if someone in a position of power, e.g. a politician or a banker, believes a journalist might uncover some wrongdoing by them, they may be able to prevent publication under GDPR.

“The deciding factor in this has always been whether it is in the public interest and I don’t see why that should change – it’s worked pretty well up till now.”

Loretta Maxfield of Thorntons Law LLP in Dundee

Loretta Maxfield, Associate in Data Protection, Intellectual Property and Technology at Thorntons Law LLP in Dundee, has set up a Tayside GDPR group to help with organisations’ concerns.

With the maximum fine that can be issued by the Information Commissioner’s Office (UK Regulator) being the greater of 4% of annual turnover or €20M (£17M), she urges any organisation processing personal data to seek legal advice as soon as possible in order to ensure it is adequately prepared.

She adds: “In many respects, I can understand why many people view it as a headache.

“However in my view, while there is a lot of work to do to prepare, I think long-term GDPR will be beneficial to both organisations and individuals.

Cyber attacks have cost businesses billions of pounds worldwide

“For organisations, GDPR presents the opportunity to have a clear out of personal data it is holding but that it no longer needs and hopefully lead to the creation of more efficient processes and accurate data going forward which should support service delivery and de-risk data handling processes.

“For individuals, I think they will benefit by having a clearer understanding of how their personal data is used and due to the financial and reputation risk of non-compliance, I would expect most organisations to treat individuals much more fairly.”

Garry Clark, East of Scotland development manager for the Federation of Small Businesses, said FSB research shows that 90% of businesses are unprepared, whilst a third haven’t started preparations yet.

Small businesses will also be affected by GDPR

He says: “The requirements of GDPR will be onerous, particularly for smaller businesses.

“We would urge businesses to seek out the information and assistance they need to comply.

“We have prepared a checklist for businesses as part of our #FSBDataReady campaign, whilst both Business Gateway and Scottish Enterprise also provide free-to-use resources.”