New pan-European data privacy laws a 'gamechanger', says senior Scottish Government cyber security tsar

New pan-European data privacy rules will be a “game-changer” in the way businesses approach cyber security, according to the Scottish Government’s cyber security tsar.

Keith McDevitt, cyber security integrator for the Scottish Government, said the imminent introduction of EU regulation on data privacy will encourage business leaders to pay greater attention to online risks.

The EU General Data Protection Regulation, which is expected to come into force in two years’ time, will introduce sweeping changes for all companies that have EU customers.

RELATED CONTENT

Scottish small businesses 'unprepared and unconcerned' on cyber attack front, warns new research

Scottish councils 'targets for foreign national intelligence services'

Government launches strategy amid growing cyber crime levels

Companies that process over 5,000 data subject records each year or employ over 250 employees will be required to appoint a data protection officer.

If a data breach does occur that relates to personally identifiable information, firms will be required to disclose the incident within 72 hours to the Information Commissioner’s Office (ICO).

Fines of up to 20m euros or four per cent of a company’s worldwide revenue can be dished out if an ICO investigation finds appropriate organisation or technical controls have not been put in place. 

“We are on the way to regulation on data privacy and, for businesses, I think that will be a game-changer,” said McDevitt, a former head of the now disestablished Scottish Crime and Drug Enforcement Agency’s eCrime Unit.

“It appears that very few businesses truly understand what that is going to mean for them in the way that they actually respond to data privacy, how they protect information and the consequences of not protecting it because one of the things that disappears is your ability to deny that it’s happened.

“That could be one of the main drivers that actually influences business owners to say, ‘what’s in it for me if I do it and what’s in it for me if I don’t’.”

Research published by KPMG and Cyber Streetwise last month claimed that many small businesses north of the border are “unprepared and unconcerned” when it comes to cyber attacks.

One in five (19 per cent) Scottish-based small businesses and consumers who responded to a UK-wide survey admit that they have failed to take any steps to protect their data, the worst figure of ten UK nations and regions surveyed.

McDevitt, who was speaking at Holyrood Connect’s recent cyber security conference, added: “We’ve had a bit of a free lunch in relation to being on the internet, enjoying the plug-play reality and the opportunities it gives us, which are super.

“The thing that probably changed significantly is states and organised crime have actually realised this is a cracking vehicle for them and that threat has changed.

“So, folks, the free lunch is over. There is actually a responsibility on behalf of us all to start to understand something about the risk, the threat and then get it into context, which is the other difficulty.”