Data Protection in Scotland Conference

Overview
Agenda
Speakers
Contributors and Partners
CPD

Book online

Event Summary

Chaired by the Scottish Government, join data privacy and information governance professionals at Holyrood Insight’s third annual Data Protection in Scotland Conference in Edinburgh.

As we enter the final phases of DUAA implementation and looking ahead to new regulatory expectations for 2026/2027, this informative, timely conference will examine the changing data protection landscape and what it means for organisations across Scotland.

You’ll gain expert guidance and best practice, tailored to the Scottish context, to help you to ensure organisational readiness in a rapidly evolving regulatory environment.

Hear directly from the regulator, with an update from Jenny Brotchie of the Information Commissioner’s Office – on regulatory priorities, expectations, and upcoming guidance.

We will share best practice guidance to help you to help you map your cross-border data flows, and address the growing complexity of complaint handling, DSARs, and ADM controls.

For organisations seeking to grow through marketing, research, and innovation, we will unpack the latest developments in data privacy – including digital identity, biometrics, research access, legitimate interests, PECR, cookie use

A key focus of the day will be information governance in the age of AI. Through case studies and expert insights, we will explore how to develop and deploy AI systems responsibly, ensuring outputs are transparent, explainable, and aligned with regulatory expectations. With Scotland’s forthcoming AI Strategy for 2026–2031, deepen your understanding of emerging AI risks and opportunities. With a reworked ADM regime under the DUAA, we will provide guidance on using AI and automated decision-making lawfully and ethically.

Put your questions to a legal expert in a dedicated session on the future regulatory environment. We will cover the impact of the FOI Reform (Scotland) Bill, and the UK Cyber Security and Resilience Bill. We will explore the implications of the EU AI Act , and the EU’s Digital Omnibus initiative for organisations operating across EU markets.

Don’t miss this unique, one-day event – attend to gain a comprehensive update on DUAA, and upcoming Scottish, UK, and EU legislation. Identify clear priorities for your organisation, and leave equipped with the knowledge and confidence to comply with the latest regulations.

Key Outcomes

DUAA – complying with confidence, understanding ICO priorities and their expanded enforcement powers
New guidance on automated decision-making, special category data, Data Subject Access Requests (DSARs), and complaints, ADM in recruitment decisions
Embedding a culture of data protection that supports both compliance and innovation
International transfers and compliance – NIS2 Directive, EU AI Act and The EU Digital Omnibus
Ensuring your privacy policies and impact assessments reflect DUAA changes
The UK Cyber Security and Resilience Bill– key implications for organisations
Marketing practices – cookie consent, new ‘recognised’ legitimate interests, and the soft opt-in for charities
Data sharing and research access in Scotland
The governance of AI, biometrics and digital identity

Venue

In-person: this conference will take place at the COSLA Conference Centre, Haymarket Yards, Edinburgh. Attend this full-day event to network, build relationships and learn from your peers.

Sponsorship

Interested in sponsoring this event? Click here for sponsorship opportunities.

View all our conferences, events and training here.

Group discounts

It was an excellent event! Really informative and a great insight into key developments and plans for such an important area for all of us.
Maria Cid-Castilla, University of Glasgow

Very informative - speakers worthwhile with something useful to offer.
Axel Miller, The Scottish Association for Marine science

Interesting, helpful and delivered well by personable speakers throughout. I definitely improved my knowledge and found the session beneficial.
Sarah Kingham, Recruiting Group

The conference has really developed my understanding on privacy and data protection, and I feel like I now have open channels to enquire through should I have a question in future.
Lou Abbott-Williams, Eurofins Agroscience Services

It was a very useful day. Came away inspired to pursue things like Cyber Essentials certification and look into a few other areas where our cyber resilience could be better.
William Sandison, Witherby Publishing Group

Agenda

09:00- 09:30

Registration, Tea and Coffee

09:30 - 09:40

Chair’s Opening Remarks

Helen Findlay

Data Protection Officer, Directorate for Internal Audit and Assurance- Scottish Government

09:40 - 10:10

Keynote Panel: A New Era for Data Protection

The impact and opportunities of changing regulations included in the DUAA 2025
Challenges in a data-driven environment: getting information governance and data protection basics
Aligning the Digital Strategy for Scotland and Scotland’s Artificial Intelligence Strategy: matching efforts and guidance for organisations at different stages of their data maturity journey
Scaling digital and data capabilities
Supporting businesses and organisations with capacity building, safeguards and frameworks
Data-driven decision making and policies
Embracing new opportunities for research and development with privacy at the centre

Live Q&A

10:00 - 10:10

Eilidh McLaughlin

Head of the Digital Citizen Division, Scottish Government

Eilidh McLaughlin

Head of the Digital Citizen Division

Scottish Government

Eilidh McLaughlin took up the position of Head of the Digital Citizen Division in Scottish Government in April 2022. The Division is new within the Digital Directorate and covers the Connecting Scotland programme and the Ethical Digital Nation team. It also comprises Information Management and Assurance teams, thus considering digital citizenry from an internal and external perspective. This role combines Eilidh’s previous experience in corporate governance, equalities and information management. The ethos of the Division is to make sure that No One is Left Behind and to ensure that digital work is done in an ethical, inclusive way.

Previously, Eilidh was the Associate Director, Information Security and Governance in mid-January 2020, combining previous information security and information governance teams from separate parts of NHS National Services Scotland. The team led on ensuring the integrity of the IT estate and the quality and security of service across critical business systems to stay ahead of threats, internal and external as well as maintaining a strong confidentiality and privacy ethos to all work in NSS. The team was pivotal in relation to the digital covid response work.

Eilidh was the Associate Director, Corporate Affairs and Compliance, in the Strategy & Governance Directorate at NHS NSS from March 2014 until she moved to Digital and Security. In her previous role, Eilidh had accountability for the provision of corporate governance services, equality and diversity, internal audit, complaints, information governance and various business support services.

Previously, she practised as a lawyer both in the private sector with Maclay Murray & Spens and then in the public sector, firstly with West Lothian Council, as a member of the property and contracts team, and subsequently as legal adviser at Queen Margaret University in Musselburgh, East Lothian.

Outside of work, Eilidh’s time is very much taken up with her husband and young daughter, though when she can, she enjoys the rugby, a good book and cooking.

Verity Hislop

Senior Project Manager, Digital Office for Scottish Local Government

Kate McBay

Information Governance Manager and Data Protection Officer, Research Data Scotland

10:10 - 10:40

An Update from the Regulator: Ensuring Compliance with the DUAA 2025

Reviewing the latest guidance in line with the DUAA 2025

Live Q&A

10:30 - 10:40

Jenny Brotchie

Head of Scottish Affairs (Acting), Information Commissioner's Office (ICO)

10:40 - 11:05

Legal Session: Ensuring Compliance – Minimising Risk and Navigating New Regulations

Key changes from the DUAA to ensure compliance
International transfers and compliance – NIS2 Directive, EU AI Act and The EU Digital Omnibus
Ensuring due diligence with third-party providers

Live Q&A

11:05 - 11:15

11:05 - 11:45

Networking Break

11:45 - 12:20

Panel Session: Aligning Cyber Security and Data Protection

The UK Cyber Security and Resilience Bill- key implications for organisations
Aligning privacy and AI policies with the wider cybersecurity strategy
Identifying and minimising vulnerabilities
Managing sensitive data with compliance
Proofing and planning for continuity and resilience

Live Q&A

12:10 - 12:20

Emma Mackenzie

Cyber Security Operations Analyst, Aberdeen

12:20 - 13:00

Panel Session: Information Governance in the Age of AI

Getting organisational buy-in and engagement
Developing the right frameworks and safeguards that meet organisational objectives and risk appetite
Ensuring privacy by design
Building skills capacity and driving culture change
Assurance and accuracy: safety checks in the collection, processing and use of data for automated decision making
New guidance on automated decision making- special category data

Live Q&A

12:50 - 13:00

Sarah Holmes

Data Protection Officer, Crown Office and Procurator Fiscal Service (COPFS)

Steph Wright

CEO, Our AI Collective

Verity Hislop

Senior Project Manager, Digital Office for Scottish Local Government

Stuart Lewis

Director of Digital, Data and IT, Scottish Enterprise

Leanne Bridges

Head of Digital and Data Risk, Lloyds Banking Group

13:00 - 14:00

Lunch

14:00 - 14:35

Case Studies: Safeguards for AI Implementation

Balancing risks and innovation- choosing and developing safe and effective AI tools
Working with suppliers: governance and transparency

Ensuring AI-driven decisions can be clearly understood and justified

Conducting a DPIA on new tools and systems
Assessing Gen AI: effective oversight of inputs and outputs, including intellectual property, and tackling bias

Live Q&A

14:25 - 14:35

Khopolo Jamangile

Records and Information Security Manager, Perth and Kinross Council

Ken McBain

Privacy Consultant, Financial Conduct Authority

14:35 - 14:55

Using AI and Automated Decision-Making (ADM) responsibly Under Data Protection law

New guidance on automated decision making
Establish formal complaint handling processes and governance for ADM
Establishing best practice for oversight and documentation

Identifying and mitigating the risks of unfair outcomes

ADM in recruitment decisions and special category data

Live Q&A

15:45 - 15:55

14:55 - 15:10

Afternoon Break

15:10 - 15:35

Case Study: Handling Data Protection Complaints and DSARs

Categorising data complaints and DSARs and answering within timeframes with compliance
Understanding scope and expectations for DSAR’s
Guidance for handling data-specific complaints

Live Q&A

14:50 - 14:55

Marie-Clare Hamilton

Data Protection Officer, Social Security Scotland

Mark Anderson

Head of Products, Insightful Technology Limited

15:35 - 15:55

What’s Next for FOI in Scotland?

Proposed changes for the scope of bodies covered by FOI laws
Fostering proactive disclosure
Understanding scope and reach of FOI requests
Implementing effective records management procedures to improve timely responses

Live Q&A

15:35 - 15:45

15:55 - 16:00

Chair’s Closing Remarks

Helen Findlay

Data Protection Officer, Directorate for Internal Audit and Assurance- Scottish Government

Full List of Speakers

Chaired by, Helen Findlay, Data Protection Officer, Directorate for Internal Audit and Assurance, Scottish Government
Eilidh McLaughlin, Deputy Director, Digital Ethics, Inclusion and Assurance, Scottish Government
Verity Hislop, Senior Project Manager, Digital Office for Scottish Local Government
Kate McBay, Information Governance Manager and Data Protection Officer, Research Data Scotland
Jenny Brotchie, Head of Scottish Affairs (Acting), ICO Scotland Office
Steph Wright, CEO, Our AI Collective
Emma Mackenzie, Cyber Security Operations Analyst, Aberdeen
Sarah Holmes, Data Protection Officer, Crown Office and Procurator Fiscal Service (COPFS)
Stuart Lewis, Director of Digital, Data and IT, Scottish Enterprise
Leanne Bridges, Head of Digital and Data Risk, Lloyds Banking Group
Khopolo Jamangile, Records and Information Security Manager, Perth and Kinross Council
Ken McBain, Privacy Consultant, Financial Conduct Authority
Marie-Clare Hamilton, Data Protection Officer, Social Security Scotland

Contributors and Partners

Exhibitors

Contributors

CPD

This conference is CPD Certified.

Contribute 6 hours towards your Continuing Professional Development (CPD) and receive a certificate of attendance.

Employment Rights Act Scotland Conference

Thursday 28th May 2026

Face-to-Face

Diversity, Equality and HR Conferences

Neurodivergence in the Workplace Scotland Conference

Tuesday 16th June 2026

Face-to-Face

Diversity, Equality and HR Conferences

AI in Schools and Colleges Scotland Conference

Wednesday 17th June 2026

Face-to-Face

Education Conferences

Sponsorship

Group discounts

Helen Findlay

Eilidh McLaughlin

Verity Hislop

Kate McBay

Jenny Brotchie

Emma Mackenzie

Sarah Holmes

Steph Wright

Verity Hislop

Stuart Lewis

Leanne Bridges

Khopolo Jamangile

Ken McBain

Marie-Clare Hamilton

Mark Anderson

Helen Findlay

Registered Office

Our Brands

Contact us

Data Protection in Scotland

Conference

Enquire on demand event

Enquire

Event Summary

Key Outcomes

Venue

Sponsorship

Group discounts

Testimonials

Agenda

Morning

Registration, Tea and Coffee

Chair’s Opening Remarks

Helen Findlay

Helen Findlay

Data Protection Officer

Directorate for Internal Audit and Assurance- Scottish Government

Keynote Panel: A New Era for Data Protection

Eilidh McLaughlin

Eilidh McLaughlin

Head of the Digital Citizen Division

Scottish Government

Verity Hislop

Verity Hislop

Senior Project Manager

Digital Office for Scottish Local Government

Kate McBay

Kate McBay

Information Governance Manager and Data Protection Officer

Research Data Scotland

An Update from the Regulator: Ensuring Compliance with the DUAA 2025

Jenny Brotchie

Jenny Brotchie

Head of Scottish Affairs (Acting)

Information Commissioner's Office (ICO)

Legal Session: Ensuring Compliance – Minimising Risk and Navigating New Regulations

Networking Break

Panel Session: Aligning Cyber Security and Data Protection

Emma Mackenzie

Emma Mackenzie

Cyber Security Operations Analyst

Aberdeen

Panel Session: Information Governance in the Age of AI

Sarah Holmes

Sarah Holmes

Data Protection Officer

Crown Office and Procurator Fiscal Service (COPFS)

Steph Wright

Steph Wright

CEO

Our AI Collective

Verity Hislop

Verity Hislop

Senior Project Manager

Digital Office for Scottish Local Government

Stuart Lewis

Stuart Lewis

Director of Digital, Data and IT

Scottish Enterprise

Leanne Bridges

Leanne Bridges

Head of Digital and Data Risk

Lloyds Banking Group

Lunch

Afternoon

Case Studies: Safeguards for AI Implementation

Khopolo Jamangile

Khopolo Jamangile

Records and Information Security Manager

Perth and Kinross Council

Ken McBain

Ken McBain

Privacy Consultant

Financial Conduct Authority

Using AI and Automated Decision-Making (ADM) responsibly Under Data Protection law

Afternoon Break

Case Study: Handling Data Protection Complaints and DSARs

Marie-Clare Hamilton

Marie-Clare Hamilton