2.3.2016

How to Prepare for the Requirements of the EU’s New General Data Protection Regulation

How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?

Many companies have probably already asked themselves these questions following the political consensus that was reached on the content of the EU’s new General Data Protection Regulation in December 2015.

It’s best to take the new regulation seriously: it gives the national supervisory authorities the power to impose penalties of up to tens of millions of euros for non-compliance with the requirements of the regulation. Below we have listed the things that every company should take into account before the new regulation comes into effect.


Rights of the Individual Will Improve

Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.

The current Personal Data Act already grants the data subject the right of access to information related to him or her and the right to demand that the information be either corrected or deleted from the filing system. The new regulation will retain these existing rights, but will give the data subject even stronger control over his or her information. In future, companies will have to, for example, provide the data subject with more information, in a more transparent and clear form, regarding the purpose and the means of processing their personal data.

The regulation will also introduce new rights, such as the right to data portability and the right to object to profiling. The right to data portability enables the transmission of personal data between controllers without intermediaries. In some circumstances, the right to object to profiling means that the data subject has the right to refuse being the object of decisions regarding the evaluation of his or her personal features, if such decisions are based solely on automated data processing, in other words, on processes without human intervention. Examples of profiling could be the automatic rejection of an online credit application or the use of electronic recruiting without any human contribution in the process.

Assess the Current State of the Personal Data Processing and Related Risks

In a data protection impact assessment (DPIA), the necessity of and the risks regarding the processing of personal data, as well as the ways these risks could be minimised and managed, are assessed. Even though it is not compulsory for all companies to carry out a DPIA, it is still recommended to conduct some kind of assessment of the present situation in your company in view of the forthcoming Data Protection Regulation.

At a minimum, the following questions should be answered:

1. What kind of personal data do we process?

2. Is our processing in line with the new Data Protection Regulation?

3. How do we inform the data subjects of the processing of their personal data?

4. What methods, processes or documents should we amend or create because of the new regulation?


Appoint a Data Protection Officer for Your Company

The new Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies whose core activities consist of the large-scale systematic monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and properly monitoring compliance with regulations. Depending on the company, suitable departments could be the legal department, data administration, the HR department or internal control.

A data protection officer needs to have expertise in the field of data protection regulations as well as knowledge of how such regulations are implemented in the company’s activities. The role of the data protection officer within the company is independent, and she or he needs to report directly to the company’s highest management. In addition, the tasks of the data protection officer include instructing and training personnel, ensuring that day-to-day activities comply with the data protection regulation and acting as the company’s liaison to authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.

Personal Data Breach Notification Now Mandatory

Personal data breaches are a real challenge, and maintaining the trust of clients is ever more important in the digitalising world. The new regulation obliges companies to inform both the authorities and the relevant data subjects of data breaches. The time for making the notification is relatively short: the notification should reach the authorities within 72 hours of the detection of the data breach, and the data subjects should be informed without undue delay. Therefore, companies need to have the ability to detect data breaches, notify the relevant parties and minimise the damage.

Review Agreements with External Data Processors

The Data Protection Regulation requires that written agreements be made with external service providers who process personal data. The regulation sets certain content requirements for such agreements. If your company has outsourced data processing to a third party, it is recommended that you check these agreements and make sure that they are in line with the new regulation. Such external data processors can, for example, include the company’s payroll administration, a cloud service provider or an external sales company.

Act Now!

The General Data Protection Regulation will come into effect once it has been formally adopted by the European Parliament and has been published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected to be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance with them as soon as possible. Evaluating the legality of current practices is a good starting point.

To find out more about the data protection regulation and the key changes it brings, please read our previous publication on the matter.
