Data protection

If your business stores or uses personal information, you will need to follow specific rules on data protection in Scotland. Find out what you need to do.


If your business collects, uses, stores or shares personal information, you will need to comply with the rules on data protection under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This applies to the personal information you collect, use and keep about anyone, including staff and customers.

You will also need to respond, within the required timelines, to any ‘data protection’ or ‘subject access’ requests from people asking about the information you hold about them.

Data protection rules

It’s important you make sure the information you hold is secure, accurate and up to date. When you’re collecting personal data from someone, you must inform them of:

  • Your purposes for processing their personal data, the legal basis for processing their personal data, your retention periods for keeping that personal data, and who it will be shared with.
  • Their right to see the personal information relating to them, to ask you to correct it if it’s wrong and, in some instances, to ask you to delete it.