One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.
20.3.2017
Get a Handle on Data Protection Risks and Seize New Business Opportunities
Tags
Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.
Data Protection Risks Are Individual Risks
The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.
The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes—risk awareness needs to be present in data protection work that data controllers engage in on every level.
Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?
Be Systematic
According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.
One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant, they have to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.
Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.
Latest insights
Article published 8.5.2026 – Environment, Energy & Green Transition
Reform of Finland’s land use legislation – key takeaways for project developers
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Article published 3.3.2026 – Employment
The threshold for dismissal is lowered: what should be taken into account in practice?
Tarja Pirinen, Marius af Schultén & Joel Aartolahti
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Latest references
G&W Electric – Acquisition of Safegrid
We advised G&W Electric with its acquisition of Safegrid Oy, a leading provider of intelligent grid monitoring solutions based in Finland. The acquisition accelerates G&W Electric’s long-term strategy to integrate intelligent monitoring and predictive analytics into its power distribution portfolio, strengthening its offering to utility customers worldwide. Founded in 1905 and headquartered in Bolingbrook, Illinois, G&W Electric is a global leader in innovative power grid solutions, with a presence in over 100 countries. The company is known for advanced load and fault interrupting switches, reclosers, sensors, system protection equipment, power grid automation, intelligent grid monitoring, and transmission and distribution cable accessories. Safegrid is a Finnish technology company headquartered in Espoo, Finland. The company develops the Intelligent Grid System®, a grid monitoring solution that combines instant-on wireless sensors with advanced analytics to deliver real-time insight into grid conditions, enabling utilities to identify emerging issues, anticipate failures, and reduce outage duration across medium and high voltage distribution and transmission networks.
Case published 8.5.2026
Kiwa – Acquisition of Sertio
We advised Kiwa in its acquisition of Sertio Oy, a Finnish notified body designated by the authority in accordance with the EU Regulation on in vitro diagnostic medical devices (IVDR). Sertio provides conformity assessment services in accordance with IVDR. Kiwa is one of the world’s leading testing, inspection, and certification companies, operating in over 35 countries.
Case published 7.5.2026
Metsäkonepalvelu – Acquisition of Junnonen Forest and the business operations of Lamerit
We advised Metsäkonepalvelu Oy in its acquisition of the entire share capital of Junnonen Forest Oy, a Finnish timber harvesting services company, and the timber harvesting services business of Lamerit Oy. The acquisition supports Metsäkonepalvelu’s growth strategy and strengthens the company’s position, particularly in southeastern Finland. Metsäkonepalvelu is a portfolio company of A. Ahlström Oy, a Finnish family-owned industrial owner. The company provides mechanical timber harvesting services to forest companies, large private forest owners, and the public sector in Finland and Sweden. Metsäkonepalvelu Group employs nearly two hundred forestry professionals.
Case published 6.5.2026
Scanreco – Acquisition of CrossControl
We acted as Finnish counsel to Scanreco in its acquisition of CrossControl. Mannheimer Swartling (Sweden) acted as lead counsel for Scanreco. CrossControl, founded in Sweden, is a high-tech supplier of advanced display computers and central vehicle computing solutions for industrial vehicles and machines. Scanreco is a world leading supplier of professional radio remote control systems to international machinery, heavy equipment, and crane manufacturers. The combined group comprises approximately 600 employees and generates annual revenue of around SEK 1.4 billion.
Case published 5.5.2026