20.3.2017

Get a Handle on Data Protection Risks and Seize New Business Opportunities

One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.

Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.

Data Protection Risks Are Individual Risks

The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.

The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes—risk awareness needs to be present in data protection work that data controllers engage in on every level.

Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?

Be Systematic

According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.

One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant, they have to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.

Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.

Latest references

We advised Suominen Corporation in connection with its rights issue. The offering was oversubscribed, and the company raised gross proceeds of approximately EUR 28 million. We also advised Suominen in connection with the renegotiation of the terms of the company’s three-year EUR 100 million syndicated credit facility, under which the maturity was extended and headroom was added to the financial covenants. “I would like to thank our shareholders for their support and confidence in Suominen’s future. The completion of the Offering will enable us to accelerate the implementation of our Full Potential Program while strengthening our capital structure. Our transformation particularly focuses on enhancing the reliability and efficiency of our production and supply, and on reinforcing our commercial capabilities, allowing us to better meet the expectations of our customers and shareholders”, comments Charles Héaulmé, President and CEO of Suominen. Suominen is a nonwovens manufacturer operating in global markets. Suominen creates value by taking fiber raw materials and turning them into nonwovens that the company’s customers convert into both consumer and professional end products. Suominen’s vision is to be the frontrunner for nonwovens innovation and sustainability. Suominen’s net sales in 2025 were EUR 412.4 million and the company has almost 700 professionals working in Europe and in the Americas. Suominen’s shares are listed on Nasdaq Helsinki.
Case published 6.7.2026
We acted as joint legal advisor for Nordea Bank Abp and Avain Yhtiöt in an approximately EUR 48 million financing arrangement which included facilities for refinancing of an existing real estate portfolio and also for acquisition and property development purposes. The financing arrangement strengthens Avain Yhtiöt’s objective to build and maintain a functional, safe and environmentally friendly living environment, as well as to develop the overall quality of housing and construction. Avain Yhtiöt is a Finnish group specialising in housing and housing-related services, construction contracting and new construction. Its goal is to build 1,000 new apartments per year in key growth areas in Finland.
Case published 2.7.2026
We advised the shareholders of Suomen Autohuolto Oy in connection with the sale of the company’s entire share capital, to SAKA Finland Group Oy. Suomen Autohuolto Group is one of Finland’s largest companies specializing in brand-specific automotive maintenance and has locations in Oulu, Tampere, and from July, also in Järvenpää. The transaction is subject to final approval by the Finnish Competition and Consumer Authority (KKV).
Case published 26.6.2026
AI training
We delivered two tailor-made AI workshops for the lawyers at the Natural Resources Institute Finland (Luke). We discussed the AI revolution and its impact on lawyers’ ways of thinking and working, and left the participants with practical solutions for enhancing and streamlining their work with Legora. Our AI-specialist lawyers prepared use cases tailored to Luke and the needs of public administration, which Luke received for its own use following the workshops. These use cases covered topics such as: utilising legal sources and the organisation’s own data to maximise AI results building and leveraging AI workflows AI-enhanced contract drafting based on a large volume of documents. The workshops sparked wide-ranging discussion on the role and benefits of AI in legal work. Participants appreciated how clearly and comprehensively our experts were able to present the nature and benefits of AI specifically within a legal context. ‘The workshops provided excellent support for Luke’s goal of leveraging AI responsibly and gave us concrete and ready-to-use practical takeaways,’ says Hannu Laitinen, Luke’s Senior Vice President, Administrative Affairs.
Case published 26.6.2026