One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.
20.3.2017
Get a Handle on Data Protection Risks and Seize New Business Opportunities
Tags
Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.
Data Protection Risks Are Individual Risks
The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.
The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes—risk awareness needs to be present in data protection work that data controllers engage in on every level.
Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?
Be Systematic
According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.
One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant, they have to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.
Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.
Latest insights
Article published 11.12.2025 – Venture Capital & Minority Investments
SAFE financing explained: Why it’s complicated under Finnish law
Article published 2.12.2025 – Competition & Procurement
Sustainable Procurement: Legislative requirements and practical challenges
Article published 25.11.2025 – Equity Capital Markets
The IPO window is open – How to identify the right time for listing?
Article published 7.11.2025
Stricter penalties under new sanctions violation regulation – corporate fines of up to EUR 40 million
Karlo Siirala & Vesa Rasinaho
Laura Vuorinen & Johanna Lähde
Karin Hentunen & Sakari Sedbom
Eveliina Tammela, Janina Ketola & Touko Hakahuhta
Latest references
eQ Community Properties Fund – Sale of seven social infrastructure properties
We are assisting eQ Community Properties Fund in the sale of seven social infrastructure properties to Kinland AS. The value of the transaction is approximately EUR 29 million, and the portfolio comprises three preschool facilities and four child protection units from different parts of Finland. The portfolio consists of modern and energy-efficient properties that are long-term leased to leading operators in the industry. The Weighted Average Unexpired Lease Term (WAULT) is approximately 11 years. The transaction is expected to close on 17 December 2025.
Case published 10.12.2025
Ålandsbanken – Consent solicitation process regarding T2 instruments and issue of SEK 350 million AT1 notes
We advised Ålandsbanken Abp in the consent solicitation process regarding its SEK 150,000,000 Tier 2 notes due December 2041 and SEK 200,000,000 Tier 2 notes due March 2043. The terms and conditions of the aforementioned instruments were amended by removing the write-down mechanisms in the consent solicitation process. In addition, we advised Ålandsbanken Abp on the issue of SEK 350 million Additional Tier 1 notes. The notes bear floating interest at the rate of STIBOR three months plus a margin of 3.35 per cent per annum. The AT1 notes were issued on 20 November 2025, and admitted to trading on the official list of Nasdaq Helsinki Ltd. The instrument has no maturity date and qualifies as Additional Tier 1 capital in accordance with the EU Capital Requirements Regulation. The issue strengthens Ålandsbanken’s capital structure by taking advantage of favourable market conditions.
Case published 10.12.2025
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Life Finland – Administration of bankruptcy estate
Life Finland Oy, a retailer of natural products, other health-related products and cosmetics, filed for bankruptcy on its own initiative in June 2025, and our attorney, counsel Elina Pesonen was appointed administrator of the bankruptcy estate. Life Finland Oy was part of the international Life Group, and its parent company Life Europe AB was declared bankrupt in Sweden in June 2025. When declared bankrupt, Life Finland Oy had over 30 operational stores and almost 170 employees across Finland. In addition to the premises of the operational stores, the company had several other leased premises, such as retail premises it was vacating as well as office and warehouse spaces. The bankruptcy estate organised clearance sales in all of the company’s stores. The shutdown of the stores and the clearance sales were efficiently carried out in approximately two weeks in cooperation with the company’s country manager, regional managers and sales staff. The clearance sales yielded a significant liquidation result, and consumers bought nearly the entire inventory. The administration of the bankruptcy estate has required expertise in many areas. The proceedings have dealt with specialised issues such as cash pooling arrangements, intellectual property, franchising agreements, employment relationships and consumer creditors. In addition, the proceedings are notably international, as the estate administrator has organised the shutdown of operations and the liquidation of assets in close cooperation with the estate administrators of the Swedish Group companies. The cooperation has included, among other things, exploring opportunities for selling the business, the sale of intangible rights and the coordination of intra-group agreements.
Case published 9.12.2025