2.3.2016

How to Prepare for the Requirements of the EU’s New General Data Protection Regulation

How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?

Many companies have probably already asked themselves these questions following the political consensus that was reached on the content of EU’s new General Data Protection Regulation in December 2015 .

It’s best to take the new regulation seriously: it gives powers to the national supervisory authorities to impose penalties up to tens of millions of euros for non-compliance with the requirements of the regulation.  Below we have listed the things that every company should take into account before the new regulation comes into effect.

 

Rights of the Individual Will Improve

Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.

The current Personal Data Act already provides the data subject the right of access to information related to him or her and the right to demand that the information be either corrected or deleted from the filing system. The new regulation will retain these old rights, but will give the data subject even stronger control to his or her information. In future, companies will have to, for example, provide the data subject with more information in a more transparent and clear form regarding the purpose and the means of processing their personal data.

The regulation will also introduce new rights, such as the right to data portability and the right to object profiling. The right to data portability enables the transmission of the personal data between controllers without intermediaries. In some circumstances, the right to object profiling means that the data subject would have the right to refuse being the object of decisions regarding the evaluation of the personal features of the data subject, if such decision are based solely on automatic data processing—in other words, processes without human intervention. An example of profiling could be an automatic rejection of an online credit application or the use of electronic recruiting without any human contribution in the process.

Assess the Current State of the Personal Data Processing and Related Risks

In a data protection impact assessment (DPIA), the necessity and the risks regarding the processing of personal data as well as the ways these risks could be minimised and managed are assessed. Even though it is not compulsory for all companies to carry out a DPIA, it is still recommended to conduct some kind of an assessment on the present situation in your company due to forthcoming Data Protection Regulation

At a minimum, the following questions should be answered:

1. What kind of personal data we process?

2. Is our processing in line with the new Data Protection Regulation?

3. How do we inform the data subjects of the processing of their personal data?

4. What methods, processes or documents should we amend or create because of the new regulation?

 

Appoint a Data Protection Officer for Your Company

The New Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies, whose core activities consist of the large-scale systematic  monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and properly monitoring compliance with regulations. Depending on the company, suitable departments could be the legal department, data administration, HR-department or internal control.

A data protection officer needs to have expertise in the field of data protection regulations as well as knowledge on the implementation of such regulations in the company’s activities. The role of the data protection officer within the company is independent and she or he needs to report directly to the company’s highest management. In addition, the tasks of the data protection officer include instructing and training of the personnel, ensuring that the day-to-day activities are in compliance with the data protection regulation and working as the company’s liaison to authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.  

Personal Data Breach Notification Now Mandatory

Personal data breaches are a real challenge, and maintaining the trust of clients is ever more important in the digitalising world. The new regulation obliges companies to inform both the authorities and the relevant data subjects of data breaches. The time for making the notification is relatively short: the notification should reach authorities within 72 hours from the detection of the data breach and the data subjects should be informed without undue delay. Therefore, companies need to have the ability to detect data breaches, notify them to the relevant parties and minimise the damage.

Review Agreements with External Data Processors

The data Protection Regulation requires that written agreements be made with  external service providers who processes personal data. The regulation sets certain content requirements for such agreements. If your company has outsourced data processing to a third party, it is recommended that you check these agreements and make sure that they are in line with the new regulation. Such external data processors can, for example, include the company’s payroll administration, cloud service provider or an external sales company.

‎Act Now!

The General Data Protection Regulation will come into effect once it has been formally adopted by the European Parliament and has been published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance with them as soon as possible. Evaluating the legality of the present condition is a good starting point. 

To find out more about the data protection regulation and the following key changes, please read our previous publication on the matter.

Latest references

We advised Suominen Corporation in connection with its rights issue. The offering was oversubscribed, and the company raised gross proceeds of approximately EUR 28 million. We also advised Suominen in connection with the renegotiation of the terms of the company’s three-year EUR 100 million syndicated credit facility, under which the maturity was extended and headroom was added to the financial covenants. “I would like to thank our shareholders for their support and confidence in Suominen’s future. The completion of the Offering will enable us to accelerate the implementation of our Full Potential Program while strengthening our capital structure. Our transformation particularly focuses on enhancing the reliability and efficiency of our production and supply, and on reinforcing our commercial capabilities, allowing us to better meet the expectations of our customers and shareholders”, comments Charles Héaulmé, President and CEO of Suominen. Suominen is a nonwovens manufacturer operating in global markets. Suominen creates value by taking fiber raw materials and turning them into nonwovens that the company’s customers convert into both consumer and professional end products. Suominen’s vision is to be the frontrunner for nonwovens innovation and sustainability. Suominen’s net sales in 2025 were EUR 412.4 million and the company has almost 700 professionals working in Europe and in the Americas. Suominen’s shares are listed on Nasdaq Helsinki.
Case published 6.7.2026
We acted as joint legal advisor for Nordea Bank Abp and Avain Yhtiöt in an approximately EUR 48 million financing arrangement which included facilities for refinancing of an existing real estate portfolio and also for acquisition and property development purposes. The financing arrangement strengthens Avain Yhtiöt’s objective to build and maintain a functional, safe and environmentally friendly living environment, as well as to develop the overall quality of housing and construction. Avain Yhtiöt is a Finnish group specialising in housing and housing-related services, construction contracting and new construction. Its goal is to build 1,000 new apartments per year in key growth areas in Finland.
Case published 2.7.2026
We advised the shareholders of Suomen Autohuolto Oy in connection with the sale of the company’s entire share capital, to SAKA Finland Group Oy. Suomen Autohuolto Group is one of Finland’s largest companies specializing in brand-specific automotive maintenance and has locations in Oulu, Tampere, and from July, also in Järvenpää. The transaction is subject to final approval by the Finnish Competition and Consumer Authority (KKV).
Case published 26.6.2026
AI training
We delivered two tailor-made AI workshops for the lawyers at the Natural Resources Institute Finland (Luke). We discussed the AI revolution and its impact on lawyers’ ways of thinking and working, and left the participants with practical solutions for enhancing and streamlining their work with Legora. Our AI-specialist lawyers prepared use cases tailored to Luke and the needs of public administration, which Luke received for its own use following the workshops. These use cases covered topics such as: utilising legal sources and the organisation’s own data to maximise AI results building and leveraging AI workflows AI-enhanced contract drafting based on a large volume of documents. The workshops sparked wide-ranging discussion on the role and benefits of AI in legal work. Participants appreciated how clearly and comprehensively our experts were able to present the nature and benefits of AI specifically within a legal context. ‘The workshops provided excellent support for Luke’s goal of leveraging AI responsibly and gave us concrete and ready-to-use practical takeaways,’ says Hannu Laitinen, Luke’s Senior Vice President, Administrative Affairs.
Case published 26.6.2026