20.3.2017

Get a Handle on Data Protection Risks and Seize New Business Opportunities

One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.

Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.

Data Protection Risks Are Individual Risks

The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.

The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes: risk awareness needs to be present on every level of the data protection work that data controllers engage in.

Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?

Be Systematic

According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.

One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant; the company has to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.

Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but also maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.
