20.3.2017

Get a Handle on Data Protection Risks and Seize New Business Opportunities

One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.

Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.

Data Protection Risks Are Individual Risks

The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.

The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes. Risk awareness needs to be present at every level of the data protection work that data controllers engage in.

Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?

Be Systematic

According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.

One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant; the company has to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.

Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but also maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.
