Insight

Welcome to our platform for insight into all the latest in law and business. We hope to inspire you and to share big ideas that make a difference in driving your business forward.

Success Through Data Management
23 Nov 2018

An insightful and tasty luncheon at the atmospheric Garden by Olo, engaging discussions and a keynote speech by Reijo Aarnio, the Finnish Data Protection Ombudsman. We at D&I had the pleasure of hosting an event on data asset management and the upcoming changes to Finnish data protection laws. These are the key takeaways for general counsels from the event.

Harmonisation, Harmonisation and Harmonisation

According to Mr Aarnio, harmonisation is essential in monitoring compliance with the GDPR. Mr Aarnio pointed out that the Finnish Data Protection Ombudsman does not have the power to provide interpretations of the GDPR. Instead, the power to ensure the consistent application of the GDPR is vested only in the European Data Protection Board ("EDPB"). Thus, the Ombudsman must rely greatly on the EDPB's opinions. This setting is not optimal for business development, as business decisions must often be made well before the EDPB issues any interpretation. The fact that the Data Protection Ombudsman does not provide guidance at this stage weighs heavily on controllers' shoulders. Given the resulting uncertainty, it is of great importance that every controller decision is well founded and diligently documented in accordance with the accountability principle.

Although it cannot provide independent interpretations of the GDPR, the Data Protection Ombudsman, as the Finnish supervisory authority, does have the power and the obligation to monitor and enforce the application of the GDPR in Finland, and to promote awareness among controllers and processors of their obligations under the GDPR. To this end, Mr Aarnio strongly urged Finnish companies to engage in an open dialogue with the Data Protection Ombudsman.

Prevent Data Protection Disputes

As has been widely discussed over the past few years, sanctions under the GDPR can be high: up to 4 percent of a company's total worldwide annual turnover (or EUR 20 million, whichever is higher).

However, fines are not the only punitive measure in the Data Protection Ombudsman's toolbox. The Ombudsman also has, inter alia, the power to impose temporary or definitive restrictions on a controller's business, including bans on processing data. As Mr Aarnio pointed out, such a ban could on many occasions be more significant than any administrative fine. By way of example, if a ban were to interrupt a controller's business entirely, even a three-week ban would be likely to cause greater losses than the 4 percent maximum fine.

In any event, prevention of disputes is key. The most successful resolution of a dispute is preventing it from ever happening. Our Partner and Head of Dispute Powerhouse Jussi Lehtinen pointed out that, in order to avoid proceedings by the data protection authority, it is not enough merely to ensure that a company's data assets are processed adequately. The company must also appear trustworthy to the outside observer.

Harness Your Data Assets Correctly

Data is often regarded as the new oil, an asset that can fuel businesses in multiple ways. Although we at D&I definitely see the value of data, we would rather compare it to the wind. Like the wind, data is a renewable resource that needs to be correctly harnessed in order to create value. In practice, data is valuable only if two key criteria are met: it can be used for the right purpose, and it is processed by the right company. That is why identifying processing purposes and systematically allocating data controllership is so important, as Iiris Kivikari, Senior Associate in our Data Protection, Marketing & Consumers team, pointed out. Lawyers bear a great responsibility in ensuring that data is available to the businesses that need it most.

What to Focus On

So, what should a general counsel pay attention to now that the GDPR has been in force for six months?

As Jukka Lång, our Partner and Head of our Innovation Powerhouse, noted, now is the time to shift the focus from GDPR compliance work to planning the full use of data assets. To do so, it is especially important to build a data protection perspective into the business. Further, internal reporting must be planned and executed thoroughly so that data protection matters are duly escalated to the level of management able to take a position on them. This includes, among other things, the capability to respond to data breaches in a timely manner (the GDPR requires a notifiable breach to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it) and the implementation of efficient annual reporting procedures. Last, but definitely not least, the structuring of data assets should be planned in a way that promotes innovation and efficient business. By doing so, companies are able to maximize their valuations and enable the efficient use of data assets throughout their organisation.
The Risky Matter of Data Protection
4 Dec 2017

With six months to go until the GDPR applies, it is time to shift your focus from general risk mitigation to risk prioritization.

Know Your Endgame

Identifying, assessing, prioritizing and mitigating data protection risks: that is what GDPR readiness work is all about. However, with so little time left and so much to get done, it is easy to skip straight to mitigating the risk of administrative sanctions. While this course of action is certainly necessary, it has two major flaws.

What Risks Can You Live With?

Flaw #1: Your ultimate GDPR risk level is determined not by the risks you have taken care of but by those you have yet to tackle. Despite all your hard work, it is highly unlikely that your company can be fully GDPR compliant by 25 May 2018. This leads to the question: what risks can you live with? In order to answer that, you have to know what risks you are up against.

Flaw #2: Administrative sanctions may not even be your biggest risk. Think of interruptions to your service, corruption of data, decline in customer trust, inflexible services: these issues may initially appear small but can, in practice, cause large damages to both you and your clients.

Prioritize

This leads us at D&I to believe that, instead of mitigating every risk you come across and hoping you have time to fix them all, the key to GDPR success lies in prioritizing your work. Here are a few of the points we tend to focus on.

Key Insights

Risk: Sanctions or client distrust due to insufficient proof of data protection work. Solution: Accountability checklist. The GDPR summarized in one word: "accountability". Ensure that you have a clear and thorough step plan for getting your documents and processes in order, so that when your clients or the regulatory authority come knocking on your door you have something to show for your work.

Risk: Damages due to service provider actions or omissions. Solution: Processor management controls. With service providers playing such a key role in the processing of your data, keeping them in check is a top priority. To do that you need data processing terms (a written contract with each processor is mandatory under Article 28 of the GDPR), processor selection criteria and audit processes, to name just a few.

Risk: Damages caused by human error. Solution: Awareness training and allocation of responsibilities. Not everyone has to be a data protection expert, but everyone needs to know (a) when to ask questions and (b) whom to turn to.
Data Breach: Ready, Set … React
3 Nov 2015

The Ashley Madison hacking has thrown data security right into the limelight. In the aftershock of events, companies are realizing that they could be next. A quick reaction can ultimately alter your company's ability to control the media's post-breach field day and the resulting loss of goodwill. In practice, this requires prior planning and efficient execution. In Finland, express data security provisions set only a very loosely knit web of obligations for companies. As a result, too many companies have left data security entirely to "the IT guys".

Every employee counts: data security is not just the "IT guy's" thing

Data security goes beyond the IT department. Without the combination of technical and administrative data security, the safety of your company's data is only as good as your company's most careless employee. So what is "administrative data security"? It is all about preventing human and technical errors through planning, instructing and monitoring employees, and reacting efficiently to every data security issue that does occur.

Data security can never be airtight, so are you ready to react to a data breach?

At the end of the day, the reality is that data security can never be airtight. Therefore, it is good to remember that what is not there cannot be taken. Solution: store only what you really need.

Five tips to get your company started:

Audit. Periodically identify your company's main data security risks, its legal obligations (e.g. obligations to inform regulatory authorities of data breaches) and your staff's ability to react to a data breach;

Appoint. Put someone in charge of preventive data security planning, monitoring, and reacting to suspected and confirmed data breaches;

Bind others. Take a look at your contracts and ensure that all third-party vendors acting on your behalf are (i) held to the same standards as your own employees, (ii) obliged to inform you of suspected and confirmed data security breaches, and (iii) not allowed to inform others of such breaches without your express prior consent;

Instruct. Put a Data Security Policy in place and bind your employees to it through each employee's employment contract; and

Monitor. Plan and execute monitoring activities. When doing so, keep in mind that Finnish legislation sets out exceptionally severe restrictions on employee monitoring.

Dittmar & Indrenius