20.3.2017

Get a Handle on Data Protection Risks and Seize New Business Opportunities

One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.

Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.

Data Protection Risks Are Individual Risks

The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.

The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes; risk awareness needs to be present on every level of the data protection work that data controllers engage in.

Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?

Be Systematic

According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.

One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant; the company has to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.

Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but also maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.
