Data protection

If your business stores or uses personal information, you must follow specific rules on data protection in Scotland. Find out what you need to do.


If your business collects, uses, stores or shares personal information, you must follow the rules on data protection under the Data Protection Act 1998. This applies to the personal information you collect, use and keep about anyone, including staff and customers.

New data protection regulations – General Data Protection Regulation (GDPR) – due to come into effect in 2018.

As a business in Scotland, you need to notify with the Information Commissioner’s Office (ICO) and tell it how you use and store personal information. You must also respond to any ‘data protection’ or ‘subject access’ requests from people asking about the information you hold about them.

Data protection rules

It’s important you make sure the information you hold is secure, accurate and up-to-date. When you’re collecting personal data from someone, you must inform them:

  • Who you are
  • How you'll use their personal information – including if it will be used in other ways or passed to other organisations
  • They have the right to see the information and correct it, if it's wrong

There are 8 Data Protection principles:

  • Data is processed fairly and lawfully
  • Data will be obtained for its specified purpose(s) and no more
  • Data will be adequate and relevant
  • Data will be accurate and kept up to date where necessary
  • Data will not be kept for longer than its necessary purpose(s)
  • Data will be processed in accordance with the rights of data subjects
  • Measures will be put in place to ensure against unauthorised or unlawful processing of personal data, accidental loss or destruction of, or damage to, personal data
  • Data will be not transferred to a country or territory outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data