2.3.2016

How to Prepare for the Requirements of the EU’s New General Data Protection Regulation

How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?

Many companies have probably already asked themselves these questions following the political agreement reached on the content of the EU's new General Data Protection Regulation in December 2015.

It is best to take the new regulation seriously: it empowers the national supervisory authorities to impose administrative fines of up to tens of millions of euros for non-compliance with its requirements. Below we have listed the things every company should take into account before the new regulation becomes applicable.


Rights of the Individual Will Improve

Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.

The current Personal Data Act already gives the data subject the right of access to information relating to him or her and the right to demand that the information be corrected or deleted from the filing system. The new regulation retains these rights but gives the data subject even stronger control over his or her information. In future, companies will have to, for example, provide the data subject with more information, in a more transparent and intelligible form, about the purposes and means of processing their personal data.

The regulation also introduces new rights, such as the right to data portability and the right to object to profiling. The right to data portability allows personal data to be transmitted from one controller to another without hindrance. In some circumstances, the right to object to profiling means that the data subject may refuse to be subject to a decision evaluating his or her personal characteristics if that decision is based solely on automated processing, in other words on a process without human intervention. Examples of such profiling include the automatic rejection of an online credit application or electronic recruiting without any human contribution to the process.

Assess the Current State of the Personal Data Processing and Related Risks

In a data protection impact assessment (DPIA), the necessity of the processing of personal data, the risks it poses to data subjects and the ways in which those risks can be minimised and managed are assessed. Even though not every company is required to carry out a DPIA, it is still recommended to conduct some kind of assessment of the present situation in your company in view of the forthcoming regulation.

At a minimum, the following questions should be answered:

1. What kind of personal data do we process?

2. Is our processing in line with the new Data Protection Regulation?

3. How do we inform the data subjects of the processing of their personal data?

4. What methods, processes or documents should we amend or create because of the new regulation?


Appoint a Data Protection Officer for Your Company

The new Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies whose core activities consist of the large-scale, regular and systematic monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and monitoring compliance with the regulation. Depending on the company, suitable departments could be the legal department, data administration, the HR department or internal control.

A data protection officer needs expertise in data protection law as well as knowledge of how that law applies to the company's activities. The role is independent within the company, and the officer reports directly to the company's highest management. The data protection officer's tasks also include instructing and training personnel, ensuring that day-to-day activities comply with data protection regulation and acting as the company's contact point for the authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.

Personal Data Breach Notification Now Mandatory

Personal data breaches are a real challenge, and maintaining the trust of customers is ever more important in a digitalising world. The new regulation obliges companies to notify both the supervisory authority and, in serious cases, the affected data subjects of personal data breaches. The time for making the notification is short: the authority must be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach, and data subjects must be informed without undue delay when the breach is likely to result in a high risk to them. Companies therefore need the technical and organisational ability to detect breaches in the first place, typically through logging and monitoring of systems that hold personal data, as well as a practised incident response process for assessing the breach, notifying the relevant parties within the deadline and minimising the damage.

Review Agreements with External Data Processors

The Data Protection Regulation requires that written agreements be made with external service providers that process personal data on the company's behalf. The regulation sets certain content requirements for such agreements, for example that the processor acts only on the controller's documented instructions, implements appropriate security measures, assists the controller in meeting its obligations and does not engage sub-processors without authorisation. If your company has outsourced data processing to a third party, it is recommended that you review these agreements and make sure they are in line with the new regulation. Such external data processors can include, for example, the company's payroll administration, cloud service provider or an external sales company.

Act Now!

The General Data Protection Regulation will enter into force once it has been formally adopted by the European Parliament and the Council and published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected to be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance as soon as possible. Evaluating the legality of your current processing is a good starting point.

To find out more about the data protection regulation and its key changes, please read our previous publication on the matter.
