An insightful and tasty luncheon at the atmospheric Garden by Olo, engaging discussions and a keynote speech by Reijo Aarnio, the Finnish Data Protection Ombudsman. We at D&I had the pleasure of hosting an event on data asset management and the upcoming changes to Finnish data protection laws.
These are the key takeaways for general counsels from the event.
Harmonisation, Harmonisation and Harmonisation
According to Mr Aarnio, harmonisation is essential in monitoring compliance with the GDPR. Mr Aarnio pointed out that the Finnish Data Protection Ombudsman does not have the power to provide interpretations of the GDPR. Instead, the power to ensure the consistent application of the GDPR is vested only in the European Data Protection Board (“EDPB”). Thus, the Ombudsman must rely greatly on the EDPB’s opinions.
This arrangement is not optimal for business development, as business decisions must often be made well before any interpretations are issued by the EDPB. The fact that the Data Protection Ombudsman does not provide relevant guidance at this stage weighs heavily on the controllers’ shoulders. Due to the resulting uncertainty, it is of great importance to ensure that all controller decisions are well founded and diligently documented in accordance with the accountability principle.
Although it cannot provide independent interpretations of the GDPR, the Data Protection Ombudsman, as the Finnish supervisory authority, has the power and obligation to monitor and enforce the application of the GDPR in Finland, as well as to promote the awareness of controllers and processors of their obligations under the GDPR. To this end, Mr Aarnio strongly urged Finnish companies to engage in an open dialogue with the Data Protection Ombudsman.
Prevent Data Protection Disputes
As has been widely discussed during the past few years, under the GDPR, sanctions can be high – up to 4 percent of a company’s global annual revenue. However, fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. In addition, the Ombudsman has, inter alia, the power to impose temporary or definitive restrictions on controllers’ businesses, including bans on processing data. As Mr Aarnio pointed out, such a ban could on many occasions be more significant than any administrative sanction. By way of example, if such a ban were to interrupt a controller’s business entirely, even a three-week ban would be likely to cause higher losses than the 4 percent maximum of an administrative fine.
In any event, prevention of disputes is the key. The most successful resolution of a dispute is preventing it from ever happening. Our Partner and Head of Dispute Powerhouse Jussi Lehtinen pointed out that in order to avoid proceedings by the data protection authority it is not enough to merely ensure that a company’s data assets are processed adequately. The company must also appear trustworthy to the outside observer.
Harness Your Data Assets Correctly
Data is often regarded as the new oil – an asset that can fuel businesses in multiple ways. Although we at D&I definitely see the value of data, we would rather compare it to the wind. Like the wind, data is a renewable source which needs to be correctly harnessed in order for it to create value.
In practice, data is valuable only if two key criteria are met: it can be used for the right purpose, and it is processed by the right company. That is why identifying processing purposes and systematically allocating data controllership are so important, as Iiris Kivikari, Senior Associate in our Data Protection, Marketing & Consumers team, pointed out. Lawyers have a great responsibility in ensuring that data is available to the businesses that need it the most.
What to Focus On
So, what should a general counsel pay attention to based on the six-month-old GDPR? As Jukka Lång, our partner and head of our Innovation Powerhouse, noted, now is the time to shift the focus from GDPR compliance work to planning the full use of data assets.
To do so, it is especially important to ensure that a data protection perspective is built into the business. Further, internal reporting must be planned and executed thoroughly to ensure that data protection matters are duly escalated to the management level able to take a stand on them. This includes, among other things, the capability to respond to data breaches in a timely manner and the implementation of efficient annual reporting procedures.
Last, but definitely not least, the structuring of data assets should be planned in a way that promotes innovation and efficient business. By doing so, companies are able to maximize their valuations and enable the efficient use of data assets throughout their organisation.